The security team for a large organization is worried about attackers taking advantage of the uncertainty surrounding the COVID-19 epidemic. Specifically, the team asks:
- Which technologies and procedures are most vulnerable to attacks looking to exploit everyone's COVID-19 distraction?
It opens new avenues for social engineering, especially with a lot of new work-from-home employees. For example, an attacker could contact support and say, "Hey, I haven't got my setup here working and I have a virtual meeting in 15 minutes. What do I need to do to get onto the corporate VPN?"
I just coughed my way into an office. Physical attacks are far easier than ever.
Phishing attacks leveraging COVID-19-related pretexts are big. For procedures, anything that requires a two-person approval or things like key segmentation are at risk of social bypass.
I'm not sure these fit, but I strongly suspect we will see a spike in people using things like LogMeIn and publicly exposed Remote Desktop Protocol (RDP) so they can work from home more easily – mostly in less-structured, less-prepared firms.
Taken a bit more broadly, VPN is a big vulnerability due to rapid expansion of VPN servers perhaps secured with less care.
I agree, rapid changes to accommodate remote access will create problems. Also, expect social attacks on helpdesks to kick up, too.
In addition, there will almost certainly be another "catastrophic" vulnerability dropped during this time period, so everyone should have plans for how to respond.
Attacks against online storefronts, payments and cards – particularly carding. With everyone going nuts buying, behavioral fraud filtering is useless and carding within a geographic area will be fruitful. ATM attacks will be as well.
Two-factor authentication can also be compromised through operational attacks. Expect advanced persistent threat (APT) groups to start hitting high-value targets with ransomware and denial-of-service (DoS) attacks, since people need access more than ever.
Also, expect to see online gaming and gift card scams. There are lots of vectors here, but spam campaigns selling codes or compromising of accounts should be expected. Remember, everyone’s kids are home and they’re probably online.
In addition, pump-and-dump stock schemes will definitely thrive, as will “magic cure” scams.
On the tech side, email attacks are bad enough now that the Department of Homeland Security (DHS) has issued warnings about them. Also, several companies I work with have begun publishing applications through firewalls due to VPN overload.
On the procedures side, banks are creating exceptions to their wire transfer rules because people are stuck overseas due to travel restrictions.
Anything that breaks a currently defined procedure as an exception. Things that don't follow strict change management, including documentation, will create vulnerabilities not just now, but after this passes because no one will remember to go fill the holes they made in the name of emergency.
If I were an attacker, I'd do two things:
- Target staff supporting remote access. Support staffers are getting tons of calls for troubleshooting with users and I'd expect that to lead to issues.
- Target workers having difficulties working remotely. In particular, I expect attackers to use TeamViewer and LogMeIn Rescue to provide "remote troubleshooting assistance" for employees.
As for technologies, consider the remote access technologies currently being used by your organization and let users know the specific remote support technologies that will be used if needed (e.g., telling employees you will only use TeamViewer can stop them from being tricked into running LogMeIn Rescue on behalf of an attacker).
Targeting remote workers is the easier of the two and the thing I'd do first as an attacker. However, I would start targeting attacks on support personnel as soon as I could put together an attack plan and infrastructure (which most attackers will likely have in place before the end of the week).
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.