A surge of 600 new phishing campaigns per day and 131% increase in viruses target remote workers
Over the past several weeks, FortiGuard Labs has been monitoring a significant spike in COVID-19 related threats. Cybercriminals are unleashing a surprisingly high volume of new threats in this short period of time to take advantage of inadvertent security gaps as organizations are in a rush to ensure business continuity.
Cybercriminals are exploiting the rapid change to our digital world
An unprecedented number of unprotected users and devices are now online with one or two people in every home connecting remotely to work through the internet. Simultaneously there are children at home engaged in remote learning and the entire family is engaged in multi-player games, chatting with friends as well as streaming music and video. FortiGuard Labs is observing this perfect storm of opportunity being exploited by cybercriminals as the Threat Report on the Pandemic highlights:
- A surge in phishing attacks: FortiGuard Labs research shows an average of about 600 new phishing campaigns every day. The content is designed to either prey on the fears and concerns of individuals or pretend to provide essential information on the current pandemic. The phishing attacks range from scams related to helping individuals deposit their stimulus for Covid-19 tests, to providing access to Chloroquine and other medicines or medical device, to providing helpdesk support for new teleworkers. In addition to scams targeting adults, some phishing attacks target children with offers of online games and free movies, or even access to credit cards to buy online games or shop online.
- Phishing scams are just the start: While the attacks start with a phishing attack, their end goal is to steal personal information or even target businesses through teleworkers. Majority of the phishing attacks contain malicious payloads – including ransomware, viruses, remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, and even RDP (remote desktop protocol) exploits.
- A Sudden spike in viruses: The first quarter of 2020 has documented a 17% increase in viruses for January, a 52% increase for February, and an alarming 131% increase for March compared to the same period in 2019. The significant rise in viruses is mainly attributed to malicious phishing attachments. Multiple sites that are illegally streaming movies that were still in theatres secretly infect malware to anyone who logs on. Free game, free movie, and the attacker is on your network.
- Risks for IoT devices magnify: As users are all connected to the home network, attackers have multiple avenues of attack that can be exploited targeting devices including computers, tablets, gaming and entertainment systems, and even online IoT devices such as digital cameras, smart appliances – with the ultimate goal of finding a way back into a corporate network and its valuable digital resources.
- Ransomware like attack to disrupt business: If the device of a remote worker can be compromised, it can become a conduit back into the organization’s core network, enabling the spread of malware to other remote workers. The resulting business disruption can be just as effective as ransomware targeting internal network systems for taking a business offline. Since helpdesks are now remote, devices infected with ransomware or a virus can incapacitate workers for days while devices are mailed in for reimaging.
Solutions and countermeasures
Organizations should take measures to protect their remote workers and help them secure their devices and home networks. Cyber social distancing is all about recognizing risks and keeping distance. Isolation is all about segmenting networks and quarantining the malware from spreading across the network. Here are a few critical steps to consider:
Endpoint security: Endpoint security provides a VPN client to ensure that remote traffic remains secure. For organizations looking for an even more robust endpoint security solution a EDR solution provides advanced, real-time threat protection for endpoints both pre and post-infection, in addition to robust antivirus technologies installed at the kernel to detect and prevent malware infection, it can also respond to device breaches in real-time by detecting and defusing potential threats before they have the chance to compromise the system.
Connectivity: VPN connections can be run and managed independently, organizations with large numbers of remote workers may need the addition of an enterprise management server solution. An EMS solution can securely and automatically share information between endpoint and the network, push out software updates, and assign security profiles to endpoints.
Access to cloud applications: Driving all traffic through a VPN tunnel can actually have a doubling impact on network traffic. In addition to all of the remote workers connecting into the network, the network will also need to manage all of the outbound connections to cloud services. However, since this traffic will not be run through the organization’s edge security solutions, these direct connections will require a cloud-based security solution. Cloud access security broker (CASB) will provide visibility, compliance, data security, and threat protection for access to SaaS and other cloud-based services being used by an organization.
Network access control: Cybercriminals intend to exploit this rapid transition to a teleworker strategy by hoping to get overlooked by masquerading as a legitimate corporate end-user or IoT device, or by hijacking a legitimate device. Network access control tools can see and identify everything connected to the network, as well as control those devices and users including dynamic automated responses. Network access control enables IT teams to see every device and user as they join the network, combined with the ability to limit devices access in the network, and automatically react to devices that fall out of policy within seconds.
Network segmentation: Network segmentation ensures that devices, users, workflows, and applications can be isolated to prevent unauthorized access and data loss, as well as to limit exposure if there is a breach at the network perimeter. Next generation Firewall enables segmentation at the network perimeter further this can be enhanced using an internal segmentation Firewall.
Zero-trust network access: The best security posture during this period is to consider that every user and device has already been compromised.
Combining all of the solutions outlined above organizations can ensure that devices and users are limited to access network resources they require to do their job, and nothing more.
Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet – Office of CISO said, “Though organizations have completed the initial phase of transitioning their entire workforce to remote telework and employees are becoming increasingly comfortable with their new reality, CISOs continue to face new challenges presented by maintaining a secure teleworker business model. From redefining their security baseline, or supporting technology enablement for remote workers, to developing detailed policies for employees to have access to data, organizations must be nimble and adapt quickly to overcome these new problems that are arising.”