The year 2020 is one of the greatest tests of resiliency for individuals, organizations, global governments, etc. In the spirit of stress tests that only make you stronger, it’s worth taking a look back at the top security and exploit trends of 2020 to see what we can glean in order to prepare for the upcoming year and beyond.
Here’s an overview of the top security concerns of Megan Orlando, a Sr. Pentester at NetWorks Group, who is also a guest on our roundtable discussion this Thursday – Top Remote Work Exploits of 2020. She’ll discuss these topics and more based on what she’s seen in the past year working on penetration tests for different clients.
COVID Phishing Campaigns
No surprises here as attackers take advantage of the global pandemic anxiety and sense of urgency around COVID-19 in order to launch phishing campaigns that prove to be highly successful.
Most recently, phishing emails were seen leveraging the COVID-19 vaccine rollouts to steal credentials and to distribute malware. They attempt to exploit the news that Pfizer may not be able to supply additional doses of its vaccine to the U.S. until Q2 of next year, according to KnowBe4. The emails provide a link to fill out a form to receive the vaccine – once a user clicks, they’re redirected to a phishing landing page that asks for their email address and password.
According to Threatpost, Intezer researchers found a new malware sample in another COVID-19 campaign. A Microsoft virtual hard drive (VHD) they examined included a phishing PDF file and a sample of Zebrocy malware that collects data about an infected host, then sends the info to an attacker’s command and control server.
IBM also recently discovered a global phishing campaign targeting organizations associated with the COVID-19 vaccine supply chain, specifically, ones that help ensure the vaccine is temperature-controlled during storage and transport. Attackers targeted executives in sales, procurement, IT and finance. They pretended to be a business executive from a Chinese biomedical company working with the United Nations’ cold chain program.
Ransomware continues to hit organizations across different industries, including healthcare, manufacturing and education, using a range of techniques designed to evade most security software.
In November, U.S. agencies issued an advisory to warn the healthcare industry of targeted Ryuk ransomware attacks infecting hospitals and health systems. Ransomware actors use a variety of tools like Cobalt Strike and Mimikatz to steal credentials and move laterally through your environment. They also use native Windows tools like PowerShell, Windows Management Instrumentation (WMI) and Remote Desktop Protocol (RDP) for lateral movement.
A recent major ransomware attack against electronics manufacturer Foxconn’s North American segment resulted in a ransom request of $34.7 million in Bitcoin. The ransomware actors encrypted 1,200 servers, stole 100 GB of files and deleted 20-30 TB of backups, as reported by CRN.
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert last week to caution the K-12 educational sector about an increase in attacks targeting them – 57% of ransomware incidents reported to the agency in August and September involved K-12 schools, up from 28% in the first half of 2020. Ryuk was among the top types of ransomware seen in these incidents.
Remote Work Security
For a fully remote workforce, IT teams turned to virtual private networks (VPNs) to support secure remote connectivity to organizations’ networks and resources. However, that means access security is sometimes overlooked in the process, according to Orlando.
Identity providers offer two-factor authentication (2FA) to add a second layer of security to logins to stop attackers from gaining access to networks and data using stolen VPN credentials.
Meanwhile, endpoint security for remote workers’ devices is a common concern for IT teams as their workforce increasingly uses unmanaged, personal laptops, phones, tablets, etc. to connect to networks as they work from home. The lack of visibility and control over the security posture of those devices can introduce risk to corporate networks in the form of malware, unpatched software, rooted devices and more.
Endpoint detection and response (EDR) solutions can help you gain visibility into indicators of compromise across devices in order to take action and/or notify users of device security issues.
Cloud Security: Identity-Based Risks
Organizations continue to struggle with the risks presented by stolen usernames and passwords. Attackers use techniques like password spraying, phishing, brute-force attacks and more to gain access to systems, inboxes, applications and more with malicious intent.
Password spraying is an attack in which attackers try a single password against a large number of usernames. Spreading the attempts across many accounts keeps each account below its lockout threshold, which helps attackers avoid triggering password lockouts while still uncovering the accounts that use weak passwords.
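Detection logic for the spraying pattern described above, as an added example that is not from the original post or from Blumira or NetWorks Group: it flags a source that fails against many distinct accounts with only one or two tries each inside a time window (which is what distinguishes a spray from a brute-force attack on one account), then lists accounts that subsequently logged in from that source. The log format, field names and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: 203.0.113.7 sprays, 198.51.100.9 brute-forces one account.
SAMPLE_LOGS = """\
2020-12-10T09:00:01 result=fail user=alice src=203.0.113.7
2020-12-10T09:00:04 result=fail user=bob src=203.0.113.7
2020-12-10T09:00:07 result=fail user=carol src=203.0.113.7
2020-12-10T09:00:10 result=fail user=dave src=203.0.113.7
2020-12-10T09:00:13 result=success user=erin src=203.0.113.7
2020-12-10T09:01:00 result=fail user=grace src=198.51.100.9
2020-12-10T09:01:02 result=fail user=grace src=198.51.100.9
2020-12-10T09:01:04 result=fail user=grace src=198.51.100.9
2020-12-10T09:30:00 result=fail user=heidi src=192.0.2.5
"""

def parse_log(text):
    """Return (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["result"], kv["user"], kv["src"]))
    return sorted(events)

def detect_spray(text, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Sources whose failures inside `window` hit >= min_users accounts with <= max_per_user
    tries each: many accounts, few tries per account (stays under lockout) is the spray signature."""
    fails = defaultdict(list)
    for ts, result, user, src in parse_log(text):
        if result == "fail":
            fails[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale failures
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
                break
    return alerts

def compromised_after_spray(text, alerts):
    """Accounts that logged in successfully from a spraying source: the guessed password worked."""
    return [(src, user) for _, result, user, src in parse_log(text)
            if result == "success" and src in alerts]
```

Accounts returned by `compromised_after_spray` are the ones to reset and revoke sessions for; the brute-force source is left to the lockout policy and a separate rule.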
The move to a remote workforce has translated into rapid adoption of cloud-hosted infrastructure and productivity applications like Microsoft Office 365 or Google’s G Suite. Orlando emphasized Microsoft Active Directory (AD) as a point of weakness for organizations, particularly service accounts used to authenticate to Office 365 and Azure Active Directory. Many of these accounts lack proper security, with poor password policies and no 2FA.
Most organizations have Microsoft environments, which makes Windows an attractive target for attackers. In November, the National Security Agency (NSA) issued an advisory on actively exploited Windows vulnerabilities, including the critical Zerologon Netlogon vulnerability (CVE-2020-1472) affecting Windows Server 2008 through 2019.
Due to a flaw in the implementation of the Netlogon protocol’s encryption, an attacker with access to your network could establish a Netlogon secure channel connection to a domain controller and elevate their privileges to domain administrator. That would give them access to your entire domain.
How to Protect Against These Exploits
Prevent, detect and respond to these types of attacks with a few key best practices:
- Implement 2FA everywhere – As mentioned previously, implementing two-factor authentication across every account, especially VPNs used for secure remote access, prevents identity-based attacks like phishing and brute-force, and removes the risk of attackers gaining access to your systems and data using only stolen credentials.
- Monitor your environment – Integrate a detection & response platform (like Blumira) broadly across cloud applications, identity providers, endpoint security, Windows servers, productivity applications, etc. to detect exploited vulnerabilities, privilege escalation, password spraying, anomalous logins, the use of hacker tools and more.
- Detect early, prevent ransomware infection – Detecting risks and threats early and often can enable you to respond faster to indicators of an attack that could lead to ransomware infection.