By Charles Kime
These are unusual times, and they’re putting extraordinary pressure on our IT teams.
Organizations face more breaches and more exposure every day.
Fortunately, advances in IT can mitigate attacks and help organizations recover more quickly.
Two key fundamentals are data recovery and business continuity.
COVID-19 Cyber Attacks
Over the past few weeks, we cited a number of cyber attacks related to COVID-19.
Although coronavirus-themed attacks were anticipated, no one could have guessed they’d occur at this scale.
In January, Zscaler’s cloud-security platform detected and blocked 1,200 attacks – “phishing, malicious websites and malware targeting remote users – all related to COVID-19.”
In March, they saw a 30,000% increase as they blocked over 380,000 cyber attacks.
Google also reported abnormally high numbers: for just one week in March, its built-in scanners blocked 18 million COVID-19-themed phishing and malware emails. Microsoft reported similar volume, blocking more than 18,000 malicious COVID-19-themed URLs and IP addresses per day.
If your organization hasn’t already warned its users about COVID-19-themed issues, it definitely needs to do so.
Predators follow their prey. Malicious cyber criminals are no different.
With over 300 million daily users on Zoom, attackers have found a way to target them using very timely bait: Fear of being furloughed.
A new phishing campaign creates a sense of urgency by encouraging the victim to join an upcoming call through two pressure tactics.
First, the call begins shortly, so the victim has little time to think. Second, the subject line implies that the victim may be terminated, or that the call is a Q1 performance review.
If the user follows the link in the fake Zoom reminder email, they land on a convincing replica of the Zoom login screen. The giveaway is what it asks for: the page wants the user's corporate login credentials rather than a Zoom meeting ID.
Naturally, there is no conference call, but employees distracted by the content of the email may contact HR first instead of recognizing that they were phished.
In the meantime, the attackers can use the captured credentials to log in to the organization's systems. Multi-factor authentication on every externally reachable login (email, VPN, single sign-on) is the control that limits the damage from a single stolen password.
Exposure Surges from Remote Employees
As IT managers, we often focus on the exposure caused by breaches within our technical infrastructure.
However, we must always be aware of possible financial exposures as well.
Researchers at Finland’s Arctic Security regularly monitor for a variety of potential compromises, such as botnet drones, command and control communication, and compromised servers. During the week of March 16, they suddenly noticed that the weekly number of potentially-compromised organizations quadrupled.
While trying to understand the cause, they expanded their research to eight other European countries, as well as the United States of America. The same trend applied to each country, and a similar surge was noted for month-to-month increases in exposed organizations.
In the U.S. alone, over 50,000 organizations showed signs of increased malware exposure.
Finally, the researchers identified the cause: previously infected computers whose malware had been dormant, or at least invisible, because the machines sat behind corporate firewalls that blocked their outbound traffic.
During February and March, the employees who used those computers were sent home. Once they connected through consumer-grade home networks and consumer-grade firewalls, the malware could reach its command-and-control servers, and suddenly attackers (and outside monitors) could see the machines.
Infected machines used remotely become a back door into corporate environments: they spend time on an unprotected home network before connecting to the locked-down VPN, and the malware is already on the device when that VPN tunnel comes up.
It can be very difficult to detect these exposures from inside the organization, so many organizations rely on third-party monitoring, or zero trust environments, to detect or mitigate them.
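One of the things outside monitors look for is exactly the traffic the researchers describe: a host that checks in with the same remote address on a fixed schedule. The script below is an added example, not Arctic Security's tooling or anything from the original post. It parses constructed outbound-connection log lines (the format, the 10.0.0.x sources and the 203.0.113.x destinations are all made up for the example; 203.0.113.0/24 is a documentation range, not a real indicator) and flags source/destination pairs whose connection intervals are too regular to be a person browsing. The thresholds are assumptions.

```python
"""Periodic-beacon detector over constructed outbound-connection logs.

Added example, not the original post's or Arctic Security's code. A host that
contacts the same destination at a near-constant interval is a candidate for
command-and-control check-ins; ordinary browsing has irregular gaps.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from typing import Dict, List, Tuple

MIN_CONNECTIONS = 6      # assumption: fewer connections than this is not enough to judge
MAX_JITTER_RATIO = 0.10  # assumption: stdev/mean of the gaps below this looks scheduled


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Parse a constructed 'ISO8601 src=<ip> dst=<ip:port>' line into (time, src, dst)."""
    ts, src, dst = line.split()
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t, src.split("=", 1)[1], dst.split("=", 1)[1]


def beacon_candidates(lines: List[str]) -> Dict[Tuple[str, str], dict]:
    """Group connections by (src, dst) and return the pairs whose gaps are near-constant."""
    flows = defaultdict(list)
    for line in lines:
        t, src, dst = parse_line(line)
        flows[(src, dst)].append(t)

    hits = {}
    for key, times in flows.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the check-in interval
        if jitter <= MAX_JITTER_RATIO:
            hits[key] = {"count": len(times), "interval_s": avg, "jitter": jitter}
    return hits


def constructed_log() -> List[str]:
    """Constructed sample: one host beaconing every 300 s, one host browsing irregularly."""
    base = datetime(2020, 3, 17, 9, 0, tzinfo=timezone.utc)
    lines = []
    # Infected laptop on a home network: check-in every 300 s with a few seconds of jitter.
    jitter_s = [0, 4, -3, 5, -2, 1, 3, -4, 2, 0]
    for i, j in enumerate(jitter_s):
        t = base + timedelta(seconds=300 * i + j)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.5 dst=203.0.113.7:443")
    # Ordinary browsing to one site: gaps all over the place.
    gaps = [0, 15, 190, 42, 600, 8, 77, 1300, 33, 260]
    t = base
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.9 dst=203.0.113.20:443")
    return lines


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(constructed_log()).items():
        print(f"beacon candidate: {src} -> {dst} every {info['interval_s']:.0f}s "
              f"({info['count']} connections, jitter {info['jitter']:.3f})")
```

Two caveats before putting something like this in production. Legitimate software beacons too (update checkers, mail polling, monitoring agents), so the candidate list needs an allow-list of known destinations before anyone gets paged. And the reason this traffic became visible in March is that the laptops were outside the corporate boundary, which means your own firewall logs never saw it; that is why the page points at third-party monitoring, which sees the traffic from the other end.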
Unfortunately, the risk doesn’t end there.
Do you know whether your cyber liability insurance policy covers your remote workers? Many policies contain clauses that specify the types of hardware, or the minimum security measures, that the organization must have in place.
For remote workers, those specifications likely no longer hold. Employees working behind consumer firewalls, or on their own equipment, no longer have the layers of security stated in the cyber liability policy, which may create financial exposure for related claims and breaches.
Under the current circumstances, it's a good time for the IT department to work with internal or external counsel to determine whether those cybersecurity policies adequately cover remote workers. That way, you'll know whether new requirements are necessary for insurance coverage or for IT security measures.
As many IT managers struggle with the complexities of remote work, some must also deal with ransomware attacks.
Several high-profile attacks have made headlines recently, starting with Cognizant.
The $15 billion company, one of the largest managed IT providers in the world, was compromised by the Maze ransomware operators. The attack was comprehensive enough that Cognizant had to send its clients indicators of compromise so they could check their own systems for Maze-related files.
Just south of Los Angeles, DoppelPaymer ransomware operators demanded a ransom of over $689,000 from the city of Torrance. In line with the latest ransomware trend, the attackers also began releasing stolen documents to the public. The DoppelPaymer operators claim they erased local backups and encrypted 150 servers along with 500 workstations.
Remote Backups and Disaster Recovery
Every ransomware attack should serve as a reminder to examine our own disaster recovery and backup methods.
While we have gone into detail on this subject in the past, remote workers and ransomware can complicate the usual strategies.
Local backups are easy, inexpensive solutions under normal conditions. However, these local backups might not be updating for workers who have moved to a remote site or home office.
Ransomware operators typically locate and destroy local backups before they encrypt anything, so a backup that sits on the same network and is reachable with the same credentials is not a safe copy.
Offsite backups that use a service or cloud add flexibility and keep remote workers' data protected. But will your IT team be able to maintain the same vigilance and ownership over remote backups? And could a ransomware gang find and destroy those cloud backups? If the backup service's credentials or API keys live on the compromised machines, the answer is yes, so keep at least one copy that no online account can delete.
Another common issue is that backups get overwritten with ransomware-encrypted files when each run replaces the last. Retaining multiple versions costs more, but it can make the difference between a recovery and a complete loss.
The good news is that modern backup services can enhance detection and alerts for ransomware.
Cohesity recommends actively monitoring the volume of data ingested into the backup solution for large changes. A sharp change in the amount of changed data, or in the entropy (randomness) of the ingested data, can indicate that the backup has begun to ingest ransomware-encrypted files, since encrypted data is nearly indistinguishable from random bytes.
If such files are detected, alert your IT and infosec teams immediately, and stop the affected backup job before it ages out the clean versions.
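To make the two signals concrete, here is an added example of the check described above. It is not Cohesity's code or anything from the original post, and the thresholds, file names and sample contents are all assumptions constructed for the example. It scores each file headed for backup by Shannon entropy (encrypted data sits close to 8 bits per byte, documents well below) and compares this run's ingest volume against the median of earlier runs.

```python
"""Ransomware-ingest check: entropy of backed-up files plus ingest-size drift.

Added example, not Cohesity's or the original post's code. Thresholds are
assumptions and should be tuned against your own backup history.
"""
import math
import random
from collections import Counter
from typing import Dict, List

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption: above this a file looks encrypted or compressed
HIGH_ENTROPY_RATIO = 0.5  # assumption: alert when more than half the files in a run look encrypted
SIZE_CHANGE_RATIO = 2.0   # assumption: alert when ingest exceeds 2x the median of prior runs


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-symbol input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_ingest(files: Dict[str, bytes]) -> dict:
    """Score every file in this run and report which ones look encrypted."""
    scores = {name: shannon_entropy(blob) for name, blob in files.items()}
    high = [name for name, e in scores.items() if e >= ENTROPY_THRESHOLD]
    return {
        "entropy": scores,
        "high_entropy_files": high,
        "high_ratio": len(high) / len(files) if files else 0.0,
        "total_bytes": sum(len(b) for b in files.values()),
    }


def size_anomaly(total_bytes: int, prior_runs: List[int]) -> bool:
    """True when this run ingests more than SIZE_CHANGE_RATIO x the median of earlier runs."""
    if not prior_runs:
        return False
    ordered = sorted(prior_runs)
    median = ordered[len(ordered) // 2]
    return total_bytes > SIZE_CHANGE_RATIO * median


def evaluate_run(files: Dict[str, bytes], prior_runs: List[int]) -> dict:
    """Combine both signals; 'alert' is what the backup job should act on."""
    report = scan_ingest(files)
    report["size_anomaly"] = size_anomaly(report["total_bytes"], prior_runs)
    report["alert"] = report["high_ratio"] > HIGH_ENTROPY_RATIO or report["size_anomaly"]
    return report


# Constructed samples: a normal incremental run and one full of encrypted files.
def sample_clean_files() -> Dict[str, bytes]:
    return {
        "report.docx": b"Quarterly report: revenue up 4%, costs flat. " * 200,
        "notes.txt": b"meeting notes " * 300,
    }


def sample_encrypted_files() -> Dict[str, bytes]:
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    return {name + ".locked": bytes(rng.getrandbits(8) for _ in range(9000))
            for name in ("report.docx", "notes.txt")}


if __name__ == "__main__":
    for label, files, history in (("clean run", sample_clean_files(), [9000, 9500, 8800]),
                                  ("suspect run", sample_encrypted_files(), [900, 950, 880])):
        r = evaluate_run(files, history)
        print(f"{label}: alert={r['alert']} high_entropy={r['high_entropy_files']} "
              f"size_anomaly={r['size_anomaly']}")
```

Entropy alone produces false positives on data that is legitimately random-looking (zip archives, JPEGs, video, already-encrypted volumes), which is why the check looks at the share of high-entropy files and the change in ingest volume together, and why a real deployment should keep a per-file-type baseline rather than one global threshold.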
Getting the Right Support
Multi-factor authentication on the backup console, restricting write (and delete) operations on stored backups, and policy-based isolation of backup data are all useful ways to control data and prevent attackers from overwriting essential backups.
With many methods and vendors to choose from, selecting the best strategy for your organization can often be overwhelming.
Ideal Integrations and Blue Bastion have the experience and relationships necessary to provide guidance and 24/7/365 network support to you and your team.
When you’re ready to improve your backup and disaster recovery options, contact us to see which tools fit for your organizational needs.
Want to learn more about data recovery and business continuity? Join us on Wednesday, May 6 at noon for a lunch-and-learn cybersecurity webinar with Cohesity!
Register here (lunch is on us!): https://bit.ly/2XfPZnx