Security Experts:

Cybercriminals Have Shifted Their Attack Strategies. Are You Prepared?

The Best Defense Against Cyber Threats is Good Information

Recent threat research shows that during the first six months of 2020, cybercriminals adapted their usual attack strategies to take advantage of the global pandemic and target the expanded attack surface created by the dramatic shift to remote workers. Understanding this trend is critical for security teams tasked with identifying threats and properly securing networks. 

One of the biggest challenges is the double-edged sword of NOC and SOC teams having to invert their network to switch the majority of end-users from working inside the traditional perimeter to now connecting from home offices. And many have had to do so while working remotely themselves. Visibility and control across the network have been reduced, exposing organizations to risks that did not exist only a few weeks ago. Like it or not, notoriously unpatched and unprotected home networks are now part of the extended corporate network.

Cybercriminals understand this and have modified their attack strategies accordingly. According to recent threat data, IPS signatures have detected a dramatic upswing of attacks looking to target home-based routers and IoT devices. Also, while 2020 is on track to have released the largest number of CVEs in history, 65% of organizations report detecting threats targeting vulnerabilities identified in 2018. And more than a quarter of firms registered attempts to exploit CVEs from 15 years earlier.

This transition to older vulnerabilities is indicative of cybercriminals' efforts to target the less secured devices residing on home networks, such as unpatched routers and DVR systems. The goal is to establish a beachhead there and then coattail back into the corporate network through remote connections initiated by teleworkers.

And it is working. Botnet activity, unlike IPS detections, indicates a successful network breach. And it has been dominated for the last six months by two older threats. Mirai, first detected in 2016, and Gh0st, from 2014, have held the top spots in botnet activity globally, and across all industries, for the last six months.

These data points are directly correlated to a dramatic switch in attack strategies. COVID-19-related themes have dominated web and email-based phishing attacks. Browsers have now become the primary attack vector, far surpassing email as the primary source for delivering these older malware payloads. This is due, in part, to remote workers more frequently browsing the internet without the protection of the corporate firewall. And it is also because email is still being delivered through corporate secure email gateways. These attacks target novice remote workers with promises of information about the pandemic, often purporting to be from public authorities such as the World Health Organization or the Centers for Disease Control. Others include invoices targeting healthcare manufacturers pretending to be urgently ordering medical supplies.

What Does This Mean for Security Teams?

By understanding these latest threat trends, security teams need to take measures to ensure that their security strategies, including the identification and tracking of new IOCs, are being correctly updated so these attacks and attack vectors can properly be monitored and closed. Here is a list of some of the actions that cybersecurity professionals need to take into account.

Upgrade and Secure Endpoint Devices – Even if remote workers are still using personal devices to connect remotely to corporate resources, the security bar must be raised. This includes the requirement that these devices have been properly patched, that security software is in place, and that remote connections are appropriately protected against potentially compromised devices operating on the home network. In addition to traditional AV/AM software, security solutions should include new endpoint detection and recovery (EDR) tools to identify sophisticated attacks and prevent malware from executing on a remote device. Particular attention should be paid to upgrading and hardening browsers, and implementing an agent that secures all internet browsing – whether on or off-network – through a cloud-based web security gateway.

Upgrade Secure Email Gateways – While browsers have become the primary attack vector for these new attack strategies, email still represents a significant vector for malware delivery. Such attacks cannot happen, however, if email gateways are more effective at identifying and stripping out malicious attachments. Consider upgrading or updating existing secure email gateways to ensure they include sandboxing to identify previously unknown threats, and new content disarm and reconstruction (CDR) technology to strip out malicious code, macros, and executables embedded in email.

Inspect all VPN traffic – Even with the measures above in place, some malware will still slip through. Threat actors are intentionally targeting VPN tunnels to deliver malware and exfiltrate data because they know that most security solutions in place do not have the horsepower needed to inspect the new volume of VPN traffic moving in and out of the network. Organizations need to seriously consider replacing legacy firewalls with devices capable of inspecting encrypted traffic without creating a bottleneck for business-critical applications and workflows. Similarly, corporate super-users – such as systems administrators, helpdesk personnel, and executives who require access to sensitive data – should also have their home networks upgraded with Secure SD-WAN technologies.

Increase OT Defenses – Malware originating from home workers, along with new ransomware and other attacks, are increasingly targeting OT environments. The EKANS ransomware and the Ramsay espionage framework – designed for collecting and exfiltrating sensitive files within air-gapped or highly restricted networks – are just two examples of how cybercriminals are finding new ways to infiltrate OT networks. OT security must restrict the resources that users, devices, applications, and workflows can access. Implementing a zero-trust network access (ZTNA) strategy, including network segmentation, should be applied across the network, but especially within OT environments to secure SCADA and ICS systems and older, unpatched monitoring and management systems. This will ensure that even if malware manages to circumvent edge security controls, it will still be limited to a tiny segment of the OT network.

Review ransomware security measures – COVID-19-themed phishing attacks have included a wide range of ransomware payloads, including Netwalker, Ransomware-GVZ, and CoViper variants. Ransomware-as-a-Service (RaaS) has also expanded, enabling unskilled and amateur attackers to enter the fray. Phobos, ransomware that exploits the Remote Desktop Protocol (RDP) to gain access to a network, is one of the latest ransomware tools to be offered as-a-service on the dark web. Organizations should already have a robust ransomware strategy, such as having full data and system backups stored offline and off-network to ensure rapid recovery. However, cyber ransomers have added a new wrinkle to their attack strategy. Not only is data being encrypted, but copies are being loaded to servers with the threat that if the ransom is not paid, it will be released to the public. This means that data inside the network, whether at rest, in use, or in motion, needs to be encrypted so that it cannot be used or exposed by cybercriminals. Of course, this only doubles down on the need to deploy NGFWs that can handle the increased processing power required to inspect this traffic.

Good Security Starts with Good Intelligence

Staying abreast of the latest security trends, such as the massive shift in attack strategies that have occurred during the first half of 2020, is essential if CISOs and other security professionals are to take appropriate countermeasures. Now more than ever, the best defense against cyber threats is good information. Leveraging critical threat intelligence, including threat reports, gathering – and contributing to – intelligence feeds, and keeping an updated list of IOCs that is cross-referenced against every device connected to the network, are essential if security teams are to remain a step ahead of today’s cybercriminal strategies. 

view counter
John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.