The Covid-19 pandemic has caused widespread business disruption worldwide. Organisations have responded largely with improvised business continuity through remote working, and as a result many of them are facing a rising number of cyberattacks. As the outbreak reached India, the number of cyberattacks on Indian organisations in March 2020 was double that of January 2020. The crisis has given hackers and threat actors an ideal window to attack organisations while countries worldwide are preoccupied with the pandemic. A sudden spike in attacks on Indian organisations was seen in February 2020. Most of these attacks focused on exploiting vulnerable internet-facing services and gaining easy access to remote desktop services. Reports also came in of untargeted phishing campaigns in which attackers impersonated personnel from agencies engaged in combating the Covid-19 crisis. These were the two main sustained waves in February 2020, after which the number of attacks fell back to the median level.
Volume of attacks experienced
Remote work infrastructure is being heavily targeted, alongside attempts at identity theft and malicious payload delivery. As organisations hurry to set up virtual private network (VPN) infrastructure so that employees can work remotely, threat actors are banking on weak authentication mechanisms and on stealing identities through widespread phishing campaigns. The number of phishing emails has spiked globally since February 2020, indicating a serious and sustained attempt to harvest credentials or deliver Trojans by exploiting anxiety about the Covid-19 outbreak. Phishing domains imitating the US Centers for Disease Control and Prevention (CDC) appeared in large numbers all over the world. Most of these campaigns were untargeted and designed to entrap as many users as possible in the shortest possible time. The global rise in phishing tracked the Covid-19 themed campaigns.
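The look-alike and lure domains described above can be flagged before users click on them. The following is an added example and not code from the original report: a small Python scan over newly seen domains that flags imitations of a trusted agency domain (subdomain spoofing, brand name embedded in the label, single-edit typosquats, digit-for-letter swaps) and Covid-themed lure words. The brand list, lure words, homoglyph map, thresholds and sample domains are constructed assumptions.

```python
"""Flag newly seen domains that mimic a trusted health agency or carry a
Covid-19 lure.  Added example, not from the original article.  The brand list,
lure words and sample domains below are constructed for illustration."""
import re
import unicodedata

BRAND_DOMAINS = ("cdc.gov", "who.int")                  # brands to protect (assumption)
LURE_WORDS = ("covid", "corona", "vaccine", "pandemic")  # lure keywords (assumption)
# Digit-for-letter swaps commonly used in look-alike registrations (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def normalise(host: str) -> str:
    """Lower-case, fold accents/full-width forms to ASCII, undo digit swaps.
    Cyrillic/Greek homoglyphs in IDNs are out of scope here and would need
    punycode (xn--) handling."""
    folded = unicodedata.normalize("NFKD", host.strip().lower())
    ascii_host = folded.encode("ascii", "ignore").decode()
    return ascii_host.rstrip(".").translate(HOMOGLYPHS)


def registrable(host: str) -> str:
    """Last two labels ('www.cdc-gov.com' -> 'cdc-gov.com').  Naive stand-in
    for a public-suffix-list lookup; fine for .com/.net/.org/.gov style names."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host: str) -> list:
    """Return the reasons a host looks like phishing; empty list if none."""
    h = normalise(host)
    reg = registrable(h)
    if reg in BRAND_DOMAINS:
        return []                                        # the genuine site
    label = reg.split(".")[0]                            # 'cdc-gov'
    core = label.replace("-", "")                        # 'cdcgov'
    reasons = []
    for brand in BRAND_DOMAINS:
        brand_core = brand.replace(".", "")              # 'cdcgov'
        brand_sld = brand.split(".")[0]                  # 'cdc'
        if f".{brand}." in f".{h}.":                     # cdc.gov.login-update.com
            reasons.append(f"subdomain spoof of {brand}")
        elif brand_core in core or re.search(rf"(^|-){re.escape(brand_sld)}(-|$)", label):
            reasons.append(f"imitates {brand}")          # cdc-gov.com, covid19-cdc.com
        elif levenshtein(core, brand_core) == 1:         # cdcgo.com, cdcgovv.com
            reasons.append(f"one edit from {brand}")
    if any(word in core for word in LURE_WORDS):
        reasons.append("covid lure keyword")
    return reasons


def scan(hosts) -> dict:
    """Map each suspicious host to its reasons; clean hosts are omitted."""
    return {h: r for h in hosts if (r := lookalike_reasons(h))}


if __name__ == "__main__":
    # Constructed sample of newly registered / newly observed domains.
    SAMPLE = ["www.cdc.gov", "cdc-gov.com", "cdc.g0v.login-update.com",
              "c0vid19-cdc.com", "who-int.org", "example.com", "cdcgo.com"]
    for host, why in scan(SAMPLE).items():
        print(f"{host:32s} {', '.join(why)}")
```

Feed it the daily feed of newly registered domains, certificate-transparency log entries or the sender domains seen by the mail gateway; anything it flags is a candidate for blocking at the proxy and DNS resolver before a phishing wave starts, rather than after the first user reports it.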
Unique brute force attempts
An increase in brute force activity across our clients' systems has also been observed during this period. The activity peaked between March 15, 2020 and March 19, 2020, when unique brute force attempts rose by about 300 per cent over the median. Notably, there were a large number of failed login attempts during this period, both against organisational authentication mechanisms and against VPN second-factor authentication. While breaching perimeter and remote access infrastructure was the primary motive of these attacks, our analysis shows numerous attempts to deliver malicious payloads, including ones themed on the Covid-19 crisis. The major threat vector observed in India is AZORult, an information-stealing malware that harvests credentials among other data. The malware has existed for over three years but has recently been seen bundled with malicious files and applications about Covid-19.

Apart from Covid-19 related malware, there has been a steady rise in the number of incidents detected by endpoint detection and response (EDR) systems across many organisations. The increase in EDR detections may or may not be directly attributable to the rise in Covid-19 related cyberattacks; it may also stem from reduced patch compliance, a larger number of people working remotely and, in some cases, unsafe personal devices connecting to corporate networks through home VPNs. The critical indicators of cyberthreat are increased attack volume, a higher number of brute force attempts, theme-based phishing campaigns and increased EDR detections, which are all being triggered simultaneously and are causes of concern for organisations and their customers. Given the current threat landscape, organisations that have implemented remote working policies also need to implement robust preventive and detective technical measures. We recommend the following.
- Utilise only secure access mechanisms for remote access – SSL VPN, secure remote desktop protocol (RDP) gateway, thin client access, etc.
- Implement strong password policies and two-factor authentication for all remote access, including those for administrative purposes.
- Review exceptions to password policies, policy bypass and non-standard access.
- Review bring-your-own-device (BYOD) policies and enforce compliance checks (such as current malware signatures) on BYOD devices.
- Implement geo-restrictions and login velocity restrictions, if possible.
- Prevent multiple sessions and reuse of tokens wherever possible.
- Enforce privileged identity management (PIM) solutions for remote administrative access.
Detection and response
- Implement specific monitoring rules to detect attacks on remote access infrastructure.
- Utilise specific threat intelligence to detect threat actors targeting Covid-19 and related themes.
- Use EDR solutions, antivirus or authentication policies to isolate any infected or compromised endpoint.
- Enable response teams to securely access compromised devices for analysis and eradication.
- Identify mechanisms to re-image (re-flash) operating systems where eradication is not possible.
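The brute force spike and the failed second-factor attempts described earlier, together with the login velocity restriction and the monitoring rules for remote access infrastructure recommended above, can be expressed as sliding-window detection rules. The following is an added example and not code from the original report: Python rules run over a constructed VPN authentication log. The log format, the sample lines, the thresholds and the time windows are assumptions to be mapped onto your own VPN or identity provider log schema.

```python
"""Detection rules for remote-access (VPN) authentication logs.

Added example, not from the original article.  The log format, the sample
lines and the thresholds are constructed/assumed for illustration; map
parse_log() onto your own VPN or IdP log schema."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: one line per authentication stage (password, then OTP).
SAMPLE_LOG = """\
2020-03-17T09:00:01Z user=bob src=203.0.113.5 geo=IN result=FAIL stage=password
2020-03-17T09:00:03Z user=bob src=203.0.113.5 geo=IN result=FAIL stage=password
2020-03-17T09:00:05Z user=bob src=203.0.113.5 geo=IN result=FAIL stage=password
2020-03-17T09:00:07Z user=bob src=203.0.113.5 geo=IN result=FAIL stage=password
2020-03-17T09:00:09Z user=bob src=203.0.113.5 geo=IN result=FAIL stage=password
2020-03-17T09:02:00Z user=alice src=198.51.100.7 geo=US result=FAIL stage=password
2020-03-17T09:02:10Z user=bob src=198.51.100.7 geo=US result=FAIL stage=password
2020-03-17T09:02:20Z user=carol src=198.51.100.7 geo=US result=FAIL stage=password
2020-03-17T09:02:30Z user=dave src=198.51.100.7 geo=US result=FAIL stage=password
2020-03-17T09:05:00Z user=alice src=203.0.113.9 geo=IN result=OK stage=password
2020-03-17T09:05:20Z user=alice src=203.0.113.9 geo=IN result=FAIL stage=otp
2020-03-17T09:05:40Z user=alice src=203.0.113.9 geo=IN result=FAIL stage=otp
2020-03-17T09:06:00Z user=alice src=203.0.113.9 geo=IN result=FAIL stage=otp
2020-03-17T09:10:00Z user=carol src=192.0.2.10 geo=IN result=OK stage=password
2020-03-17T09:10:05Z user=carol src=192.0.2.10 geo=IN result=OK stage=otp
2020-03-17T09:40:00Z user=carol src=192.0.2.44 geo=RU result=OK stage=password
2020-03-17T09:40:04Z user=carol src=192.0.2.44 geo=RU result=OK stage=otp
2020-03-17T09:45:00Z user=dave src=192.0.2.12 geo=IN result=OK stage=password
2020-03-17T09:45:06Z user=dave src=192.0.2.12 geo=IN result=OK stage=otp
"""


def parse_log(text: str) -> list:
    """Parse 'TS key=value ...' lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def windowed_rule(events, name, key, select, threshold, window, distinct=None):
    """Sliding-window counter.  Events matching `select` are grouped by `key`;
    the rule fires once per key when, within the last `window` seconds, the
    group holds `threshold` events, or `threshold` distinct values of
    `distinct(event)` when that function is given."""
    recent = defaultdict(deque)
    fired, alerts = set(), []
    for ev in events:
        if not select(ev):
            continue
        k = key(ev)
        q = recent[k]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window:
            q.popleft()                      # drop events that fell out of the window
        count = len({distinct(e) for e in q}) if distinct else len(q)
        if count >= threshold and k not in fired:
            fired.add(k)
            alerts.append((name, k, ev["ts"]))
    return alerts


def pw_fail(e):
    return e["result"] == "FAIL" and e["stage"] == "password"


def otp_fail(e):
    return e["result"] == "FAIL" and e["stage"] == "otp"


def login_ok(e):
    return e["result"] == "OK" and e["stage"] == "otp"   # both factors passed


RULES = [
    # Many failed passwords from one source in five minutes: classic brute force.
    dict(name="brute_force", key=lambda e: e["src"], select=pw_fail, threshold=5, window=300),
    # One source failing against many accounts with few tries each: password spraying.
    dict(name="password_spray", key=lambda e: e["src"], select=pw_fail,
         threshold=4, window=300, distinct=lambda e: e["user"]),
    # Correct password but repeated second-factor failures: the password is
    # already compromised and should be reset even though the VPN held.
    dict(name="otp_failures", key=lambda e: e["user"], select=otp_fail, threshold=3, window=600),
    # Completed logins for one account from two geographies inside an hour:
    # the login velocity / geo check recommended above.
    dict(name="login_velocity", key=lambda e: e["user"], select=login_ok,
         threshold=2, window=3600, distinct=lambda e: e["geo"]),
]


def run_rules(events, rules=RULES) -> list:
    """Run every rule over the event stream; alerts are (rule, key, time)."""
    return sorted((a for r in rules for a in windowed_rule(events, **r)), key=lambda a: a[2])


if __name__ == "__main__":
    for name, key, ts in run_rules(parse_log(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S}  {name:15s} {key}")
```

Two points are worth carrying over to a production SIEM rule set. The `otp_failures` rule matters precisely because a VPN protected by two-factor authentication will not show a perimeter breach: the signal is the account whose password the attacker already holds, and the response is a credential reset, not just a block. The `password_spray` rule fires on a source that never crosses the per-account failure threshold, which is how sprays slip past account lockout policies; it needs the distinct-user count, not the raw failure count.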