Organizations of all sizes are being impacted on a day-by-day basis by the policies required to fight COVID-19. Security is a human challenge that requires an understanding of the pressures people face. This is the second post in a series that looks at the people affected by the current crisis, their priorities, and the changes to their lives that can in turn affect the security of the organizations they work for.
One of the most common questions asked by our customers, and by employees working with customers, is how the COVID-19 pandemic and the dramatic increase in remote work-from-home situations, as nations work to contain and manage the outbreak, affect the threat landscape and attacks.
Through one lens, the number of attacks and the risk to businesses have largely stayed the same. Attackers have always leveraged global and national events for their own advantage, and those attacks are coming from the same pool of people. The underlying message here is important: it is business as usual for the attackers. The individuals attacking businesses and individuals have always "worked from home".
The current climate of confusion, change and distraction is providing an ideal time to strike and, in contrast to most of the people impacted, the current situation presents only an opportunity for cybercriminals. Attackers are switching focus to end-user attacks, malware and ransomware, to capitalize on users being alone and their IT teams being swamped with unusual situations.
Naturally, COVID-19 is now prevalent as a topic across many phishing campaigns; even nation-state actors are doing this. One email went viral and caused civil problems. Attackers are very aware that their targets' situations have changed. Business users' systems are now located on less-secure home networks in huge numbers. It wasn't too long ago that news stories were coming out about the majority of home routers being hacked or having significant weaknesses, so it's no surprise that attackers are targeting routers. In one example, attackers changed DNS settings to point to their own servers, routing victims to a fake notice with a "COVID-19 Info" malware download.
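The router DNS hijack described above is visible from the endpoint only as an unexpected resolver address. The following is an added example, not code from the original post or from Alert Logic, of a small audit a remote laptop's agent could run: it parses resolv.conf-style text and classifies each resolver as expected (on an allowlist), a LAN address (the home router itself), a local stub, or an unexpected public address. The allowlist, the corporate resolver 10.8.0.1 and the sample file are constructed for illustration; 203.0.113.45 is a documentation-range placeholder standing in for an attacker-controlled server.

```python
import ipaddress
import re

# Constructed allowlist: a hypothetical VPN-pushed corporate resolver
# plus well-known public resolvers the fleet is expected to use.
EXPECTED_RESOLVERS = {
    "10.8.0.1",            # hypothetical corporate VPN resolver (assumption)
    "1.1.1.1", "1.0.0.1",  # Cloudflare
    "8.8.8.8", "8.8.4.4",  # Google
}

# Ranges a home router or link-local resolver would live in. Checked explicitly
# rather than via ipaddress.is_private, so documentation ranges such as
# 203.0.113.0/24 still count as "public" in this example.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/10", "fc00::/7",
)]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)

# Constructed sample: a home laptop whose router's DHCP server now hands out
# the router itself plus a public resolver nobody in IT recognises.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.45
search home.lan
"""


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def classify_resolver(addr, expected=EXPECTED_RESOLVERS):
    """Classify one resolver address.

    'expected'   - on the allowlist
    'local'      - loopback, i.e. a local stub such as systemd-resolved; its
                   upstream must be checked separately
    'lan'        - private or link-local, i.e. the home router; it forwards to
                   whatever upstream it was configured with, which this
                   endpoint-side check cannot see
    'unexpected' - a public address not on the allowlist; what a hijacked
                   router or rogue DHCP server would hand out
    'invalid'    - not a parseable IP address
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in expected:
        return "expected"
    if ip.is_loopback:
        return "local"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "unexpected"


def audit_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """Return (findings, classes): findings is a list of alert strings for
    resolvers that warrant attention, classes maps each address to its class."""
    classes = {}
    findings = []
    for addr in parse_resolvers(resolv_conf_text):
        cls = classify_resolver(addr, expected)
        classes[addr] = cls
        if cls == "unexpected":
            findings.append(f"resolver {addr} is a public address not on the allowlist")
        elif cls == "invalid":
            findings.append(f"resolver entry {addr!r} is not a valid IP address")
    return findings, classes


if __name__ == "__main__":
    alerts, classes = audit_resolvers(SAMPLE_RESOLV_CONF)
    for addr, cls in classes.items():
        print(f"{addr:16} {cls}")
    for line in alerts:
        print("ALERT:", line)
```

A 'lan' result is not a clean bill of health: the router is the resolver, and the hijack in the example above changes the upstream the router forwards to, which only a check on the router's own configuration (or comparing its answers for known names against a trusted resolver over the network) can reveal.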
In some interesting developments, certain malicious actors have "promised" to avoid causing issues for medical facilities and healthcare providers. Notably, DoppelPaymer and Maze—two prominent families of ransomware—have agreed to this commitment. Unfortunately, there is no cybercriminals' union or hierarchy of leadership, so that doesn't mean other attackers won't slither in to fill the void.
Alert Logic's own data shows that there has been no reduction in the frequency or volume of attacks hitting our customers. Thankfully, our business continuity planning and purpose-built SOC (security operations center) tooling have allowed us to continue our own "business as usual" approach to managed detection and response (MDR) and to keep taking the fight to the attackers, protecting our customers.