How the security landscape has darkened under the Covid cloud


Since the pandemic struck, the porous and dispersed nature of most organisations has created countless opportunities for cybercriminals to exploit.

Some are the opportunistic hackers and trouble-makers of popular lore. But others are organised criminals whose primary aims are financial gain - from theft, phishing, or ransomware - and disruption to specific businesses or markets.

In the economic crisis caused by this healthcare catastrophe, some organisations might feel more inclined to pay ransoms than to have their critical systems or data frozen. Criminals know this. And they know that stress, panic, and fatigue can make people careless and more susceptible to well-designed phishing techniques.

Organised criminals are also using the fact that the crisis has widened the perimeter of corporate networks to exploit new security blindspots - in some cases home Wi-Fi routers or smart-home devices that still use default, publicly known, or easily guessable passwords.

But others are using the fear and confusion caused by the pandemic to create new types of fraud, ransomware, or social engineering attack.

Some of these play on people's worries, finances, and healthcare concerns: fake vaccine notices from healthcare providers, for example, or demands for users to re-enter login or account data as extra authentication in the crisis.

Small problems can spread

All employees should beware of falling for these tricks. For the enterprise, a compromised home network can rapidly become a compromised corporate system, whether the breach takes the form of malicious code on a device that also connects to company resources, or of corporate login details that end up published on hacker forums.

Other risks are more subtle and perhaps harder for IT leaders to tackle. These might include troublemakers in the employee's home - family members gaining access to sensitive data by accident, for amusement, or out of curiosity because devices have been left unattended. Beware of errant teenagers!

The remedial challenge is made more difficult by IT teams themselves being more dispersed and remote. For this reason (to quote an old government campaign) we really should stay alert.

On that point, one thing is certain: while home working, cloud adoption, flexible workflows, and mobility have all experienced a dramatic acceleration during the crisis, this was no overnight transformation into an unprecedented world.

The security challenges associated with remote working should have been on the radar of every IT team, even if the precise circumstances of this crisis may not have been planned for.

What was new in 2020 was that the risk of doing nothing to enable remote collaboration suddenly became much greater than the risk of deploying unfamiliar technologies. As a result, even firms with extensive on-premises tech legacies have had to shift essential workflows into the cloud.

Be a gang buster

But for some organisations, the organised external threats are the most dangerous. According to Computing research, criminals are steadily increasing the ransoms they demand after a breach. Indeed, many of the most successful cyber-attacks are now launched by organised collectives whose services are available to the highest bidder.

A recent Computing research paper reveals that criminal gangs have been identified that are not only holding data to ransom, but also using it to blackmail their victims. More than one in 10 of the 150 IT leaders questioned in the research have been affected by such a group, or know someone who has.

A further 11 percent preferred not to say if they have been hit by this type of crime - a likely indication that they are aware of breaches, possibly at first hand. If true, then as many as one-fifth of organisations may have fallen victim to such attacks.

All it takes is one careless employee or one insecure device.

One of the first criminal groups to be observed operating this way was the Maze Cartel. Maze posts proof of stolen data on its website, and threatens to release the full dataset if the victim fails to comply with their demands.

Its infamy appears to have spread. Computing's survey found that 75 percent of IT leaders have heard of the group, 11 percent have been hit by a Maze attack, and 14 percent know other organisations that have. That is significantly more than the numbers reporting attacks when asked the more general question, above.

The cartel's website is a sophisticated platform, where victims can negotiate and pay ransoms via a fully featured support system. This alone is evidence that criminals are becoming more confident and professional; they are no longer secreted on the Dark Web, but hiding in plain sight and demanding cash via enterprise-grade tools.

Though some groups appear to honour their commitments to delete stolen data and hand over decryption keys once paid, it is important for victims to analyse their networks after any breach to ensure, first, that the original point of entry has been closed so there is no possibility of a repeat performance; and, second, that no malicious code or persistent access has been left behind in the system. It is unwise to trust that there is honour among professional cyber thieves.

Ragnar Locker is another criminal group. It too hosts a ‘wall of shame’, where it names companies that have been successfully breached. In this way an attack becomes a double whammy for its victims. First comes the financial, technical, and operational hit; then second, the lasting damage to reputation.

The latter may dissuade some customers from doing business with a company that has failed to secure its systems and/or data. Again, criminals know this; it is what gives them leverage in the court of public opinion.

Computing research found that 72 percent of IT leaders are aware of this group, 12 percent have been hit by them, and 16 percent know of people or organisations that have. Similar figures apply to half a dozen different groups (see the white paper for more on this).

Other international groups offer ransomware-as-a-service, renting out their platforms to threat actors. Always remember: cybercrime is international, highly networked, and profitable.

Conclusions

In the physical world, theft is often opportunistic rather than planned or targeted. But in the digital realm, cybercriminals take more time to map organisations, understand businesses, exfiltrate sensitive data, and execute attacks as professionally as possible. In this way, they maximise their chances of profit.

This growing professionalism - and confidence - should trouble every CIO and CISO, as it shows a clear direction of travel. In other words, these issues can only get worse until organisations shape up and address the dangers.

After all, for many organisations being seen to be attacked is as serious as the attack itself. So be realistic about the risks, understand the issues, ensure your security procedures are known and followed, and find ways to manage your team in a dispersed, home-working world.
