How to protect your organization from coronavirus-related phishing attacks


Emails exploiting COVID-19 have risen, declined, and risen again along with the changes in the pandemic and the shift to remote working, according to the security company GreatHorn.

Image: GreatHorn

Cybercriminals have been all too happy to take advantage of COVID-19 to deploy virus-related malware and cyberattacks. Phishing emails have been one popular method as they’re designed to trap people concerned or anxious about the pandemic. But the focus of these phishing campaigns has shifted as the disease and its side effects have changed over the past few months. A report released on Tuesday by security company GreatHorn illustrates the ebb and flow of these attacks and offers advice on how organizations can fight them.

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)  

For its report, GreatHorn tracked the volume of COVID-19-related email phishing attacks from January, when the virus began to surface, until June, when many countries and companies slowly started to resume operations. Beginning with a minimal level in January, the number of attacks jumped by 700% in February before shooting up by 644% in March. But then April saw a 22% decline in these campaigns, followed by further drops in May and June.

The rise and fall in the number of these attacks mimics the flow of the virus, the resulting lockdown, and the transition to remote working. As employees adjusted to working from home, attacks aimed directly at organizations and offices became less successful, prompting phishers to modify their tactics.

Now that many businesses are starting to bring workers back into the office, GreatHorn is finding a new wave of virus-related campaigns designed to exploit this shift.

In one particular attack also observed by Check Point Research, phishing emails try to entice returning workers with a subject line of “Mandatory Covid-19 Assessment for Employees.” Using a Microsoft Office 365 logo, the emails claim to contain a voicemail alert with a button prompting recipients to click it to listen to the message. That button actually leads people to a malicious website that attempts to capture their Microsoft credentials.

Image: GreatHorn

To combat this type of attack, security professionals typically take the initial step of developing policies for specific phishing campaigns. But they often fail to refine those policies based on the variables in each new, related attack, according to GreatHorn. To remove all related phishing emails, security pros should look for every email carrying the malicious URL, not just the one specific phishing email that was first reported.

SEE: The new normal: What work will look like post-pandemic (TechRepublic Premium)

Finally, GreatHorn offers the following tips to help organizations protect themselves from these types of phishing campaigns:

  1. Mass remediate and create email security policies in real time. Once you detect phishing attacks, identify and remove the emails across your organization. Develop a policy to mitigate subsequent attacks as well.
  2. Investigate and detect similar phishing attacks in real time. Search your organization’s emails beyond the initially detected phishing attacks based on the malicious variables (e.g. domains, sender, etc.) to mass remediate and further refine email security policies.
  3. Understand the context specific to the user and organization. Is the name in the email someone with whom the user has communicated in the past? If so, do the email address and email domain match those prior communications? If not, the message should be treated with suspicion. If the metadata in a message doesn’t match normal correspondence, it may not be legitimate.
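Steps 2 and 3 above are the parts a mail-security team can automate. The following is an added example (not GreatHorn's code or the product described in the report): it takes one confirmed phish, extracts its "malicious variables" (sender domain and URL hosts), searches a mailbox for every other message sharing them, and separately flags messages whose display name belongs to a known correspondent while the sender domain does not match any domain that contact has used before. The mailbox, the lure domains and the `KNOWN_CONTACTS` directory are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample mailbox: three illustrative messages, none of them real captured mail.
# Domains use reserved "example" names; the second and third share a lure domain.
SAMPLE_MAILBOX = [
    "From: IT Helpdesk <helpdesk@contoso-example.com>\n"
    "To: alice@contoso-example.com\n"
    "Subject: Quarterly maintenance window\n\n"
    "Servers reboot Saturday. Details: https://intranet.contoso-example.com/maint\n",
    "From: Microsoft Office 365 <voicemail@contoso-example.com.mail-alerts-example.net>\n"
    "To: alice@contoso-example.com\n"
    "Subject: Mandatory Covid-19 Assessment for Employees\n\n"
    "You have a new voicemail. Listen now: https://login.o365-verify-example.net/listen?id=1\n",
    "From: IT Helpdesk <helpdesk@contoso-example.com.mail-alerts-example.net>\n"
    "To: bob@contoso-example.com\n"
    "Subject: Password expiry\n\n"
    "Reset here: https://login.o365-verify-example.net/reset\n",
]

# Hypothetical contact directory: display names the users have corresponded with,
# mapped to the sender domains seen in that prior correspondence.
KNOWN_CONTACTS = {"IT Helpdesk": {"contoso-example.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_indicators(raw):
    """Pull the 'malicious variables' out of one raw RFC 822 message:
    display name, sender address domain and the hostname of every URL in the body."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body) if urlparse(u).hostname}
    return {"display_name": display_name, "sender_domain": domain, "url_hosts": hosts}


def find_related(mailbox, seed_index):
    """Step 2: starting from one confirmed phish, return the indexes of every message
    that shares its sender domain or any of its URL hosts (the seed itself included)."""
    seed = extract_indicators(mailbox[seed_index])
    bad_domains = {seed["sender_domain"]} | seed["url_hosts"]
    bad_domains.discard("")
    related = []
    for i, raw in enumerate(mailbox):
        ind = extract_indicators(raw)
        if ind["sender_domain"] in bad_domains or ind["url_hosts"] & bad_domains:
            related.append(i)
    return related


def context_mismatch(raw, known_contacts=KNOWN_CONTACTS):
    """Step 3: True when the display name belongs to a known correspondent but the
    sender domain differs from every domain that contact has used before."""
    ind = extract_indicators(raw)
    expected = known_contacts.get(ind["display_name"])
    return expected is not None and ind["sender_domain"] not in expected


if __name__ == "__main__":
    hits = find_related(SAMPLE_MAILBOX, 1)
    print("messages sharing indicators with the seed phish:", hits)
    for i, raw in enumerate(SAMPLE_MAILBOX):
        print(i, "display-name/domain mismatch:", context_mismatch(raw))
```

Run against the sample, the seed phish (index 1) pulls in index 2 because both point at the same lure host and share a sender domain, even though their subject lines differ; the third message is also caught by the context check because "IT Helpdesk" has never written from that domain before. In production the contact directory would be derived from mail history rather than hard-coded.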

http://www.techrepublic.com/

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays



Sign up today

Also see

How to protect your remote desktop environment from brute force attacks


An RDP compromise provides a cybercriminal with a backdoor for ransomware and other types of malware, says security provider ESET.


The coronavirus lockdown has prompted a host of organizations to require their staffers to work from home. But many of those employees still need to remotely access computers in the office, which has triggered an increase in the use of programs that rely on Microsoft’s Remote Desktop Protocol (RDP). Of course, cybercriminals have pounced on this transition, which is why RDP is more exploitable than ever. A report published on Monday by ESET discusses how attackers take advantage of RDP and what organizations can do to combat them.

SEE: How to work from home: IT pro’s guidebook to telecommuting and remote work (TechRepublic Premium) 

Though Remote Desktop Protocol can be enough of a security risk on its own, organizations often compound the vulnerabilities by failing to properly secure RDP accounts and services. Accounts with RDP privileges may have a weak password or no additional layers of security. Those flaws open the door for brute force attacks in which cybercriminals use automated tools to obtain the account password. If successful, the attackers can then invade a network, elevate their rights with administrative access, disable security products, and even run ransomware to encrypt critical data and hold it hostage.

However, ransomware and extortion aren’t the only types of attacks that can follow an RDP compromise, according to ESET. Often, attackers will try to install coin-mining malware or even create a backdoor, which can be then used if their unauthorized RDP access is ever identified and shut down.

Other actions performed by attackers following an RDP breach include clearing out log files to remove evidence of their activity, installing tools and malware on compromised machines, disabling or deleting scheduled backups, and exfiltrating data from the server.

ESET has seen a rise this year in reported RDP attacks from among its customers. From just under 30,000 reported attacks per day in December 2019, the volume has been hovering around 100,000 since April 2020.

Trend of RDP attack attempts against unique clients per day detected by ESET.

Image: ESET

“RDP has been a popular attack vector for many years now, but this has increased even more ever since IT teams had to accommodate a remote workforce due to COVID-19,” said Javvad Malik, security awareness advocate for KnowBe4.

“In an attempt to keep the show on the road, many IT teams would have enabled RDP in addition to relaxing security controls in order to allow employees to work unhindered from home,” Malik said. “However, this all accumulates as technical debt, one that the criminals are well aware of, and which would lead them to increase their attacks.”

How can organizations better guard against RDP compromises through brute force attacks? One key effort starts with the password itself.

“Enforcing password discipline where users must choose complex passwords with uppercase, lowercase, numeric, and special characters, with a minimum length greater than 14 characters, makes a brute-force attack much more complicated,” said Gurucul CEO Saryu Nayyar. “Fifteen characters is a minimum to withstand rainbow table attacks, with longer passwords giving much greater security.”

But even strong passwords should be backed up by such tools as multifactor authentication and security analytics.

“Multifactor authentication can also greatly reduce the risk from brute-force attacks, whether it is provided through an application or a physical access key,” Nayyar said. “Advanced security analytics can help identify a brute-force attack before an account is compromised by identifying the behaviors associated with this attack vector, automatically blocking access at the infrastructure or account level.”

User training is one more important factor to add to your cyber defense strategy.

“It’s worth bearing in mind though, that even when these security controls are put in place, criminals can still get in by social engineering the users,” Malik said. “Especially during this time where many are working remotely from home, it has become easier for criminals to masquerade as the IT help desk to either phish credentials, or persuade users to download malicious files, which is why security awareness and training should also form a critical component of any layered defensive strategy.”
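The "security analytics" Nayyar describes comes down to spotting the behaviour of a brute-force tool in the logon audit trail before any guess succeeds. The following is an added example, not ESET's or Gurucul's code: a sliding-window detector over Windows Security event 4625 (failed logon) records for the RDP logon types, reporting any source address that accumulates a threshold of failures inside the window, together with the set of accounts it tried (many accounts from one source is the signature of password spraying). The flat one-line-per-event export format, the addresses (RFC 5737 test networks) and the event mix are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per Windows Security event in a constructed flat export format (an assumption of
# this example; real 4625 events carry the same fields in EVTX/XML). Logon type 10 is
# RemoteInteractive (RDP); with Network Level Authentication on, failed RDP logons usually
# surface as type 3, so both are treated as RDP here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) EventID=(?P<event>\d+) "
    r"LogonType=(?P<ltype>\d+) TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
RDP_LOGON_TYPES = {"3", "10"}


def build_sample_log():
    """Constructed sample: one source hammering 'administrator', one source with a few
    scattered failures (a user mistyping), and one legitimate successful logon."""
    base = datetime(2020, 4, 14, 2, 0, 0)
    lines = []
    for i in range(12):  # 12 failures in two minutes from one address
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} EventID=4625 LogonType=10 "
                     f"TargetUser=administrator SourceIP=203.0.113.5")
    for i in range(3):  # 3 failures spread over forty minutes: not a tool
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} EventID=4625 LogonType=10 "
                     f"TargetUser=bob SourceIP=198.51.100.7")
    t = base + timedelta(minutes=5)
    lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} EventID=4624 LogonType=10 "
                 f"TargetUser=alice SourceIP=192.0.2.10")
    return lines


def parse_line(line):
    """Parse one export line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of failed RDP logons per source address. A source that reaches
    `threshold` failures inside `window` is reported with its peak count in any window,
    the first/last timestamps of the burst and the accounts it attempted."""
    events = [e for e in map(parse_line, lines)
              if e and e["event"] == "4625" and e["ltype"] in RDP_LOGON_TYPES]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    users = defaultdict(set)      # per-source accounts attempted
    alerts = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        users[e["ip"]].add(e["user"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(e["ip"], {"peak_failures": 0, "first": q[0], "last": e["ts"]})
            a["peak_failures"] = max(a["peak_failures"], len(q))
            a["last"] = e["ts"]
            a["accounts"] = sorted(users[e["ip"]])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(build_sample_log()).items():
        print(f"{ip}: {a['peak_failures']} failures in window, accounts={a['accounts']}")
```

With the defaults only 203.0.113.5 is reported; the three slow failures from 198.51.100.7 stay under the threshold unless the window is widened to an hour and the threshold lowered to three, which is the tuning trade-off every such rule carries. An alert from this logic is what would drive the automatic blocking at the firewall or account level that the quote mentions.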

Finally, ESET offers several tips for effectively configuring and securing your remote access accounts and services:

  • Disable internet-facing RDP. If that’s not possible, minimize the number of users allowed to connect directly to the organization’s servers over the internet.
  • Require strong and complex passwords for all accounts that can be logged into via RDP.
  • Use an additional layer of authentication (MFA/2FA).
  • Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
  • At the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port.
  • Protect your endpoint security software from tampering or uninstallation by password-protecting its settings.
  • Isolate any insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible.
  • Apply all of these best practices to FTP, SMB, SSH, SQL, TeamViewer, VNC, and other services as well.
  • Set up your RDP correctly using the advice shared in this ESET report from December 2019.


How to protect your organization’s domain from security threats


Unlocked domains are susceptible to malicious tactics that can lead to unauthorized DNS changes and domain name hijacking, says CSC.

Image: Getty Images/iStockphoto

Your organization’s public-facing domain is often as important and critical a resource as are your internal files, data, and network. And just as you protect your internal infrastructure from cyberthreats, so too do you need to protect your domain. A report released Tuesday by domain security provider CSC highlights some of the security threats that can affect your domain and what you can do to fight them.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic) 

Registry locks

Analyzing the domain security practices of companies across the Forbes Global 2000, CSC found that only 17% of organizations use registry locks to prevent domain name hijacking and unauthorized changes to their DNS. Without a lock, such threats could take a website offline or redirect users to malicious content. Many domains may be unlocked as not every domain registrar offers this service.

But a registrar lock alone may not be sufficient. In one example cited by CSC, a security expert lost his core domain to scammers. Even though the domain owner had a lock, the registrar succumbed to a scam and transferred his domain to another registrar. To protect against this action, the owner should have insisted on a registry lock that prevents domain transfers initiated by the registrars.

DNS hosting

Only 20% of the Global 2000 companies use enterprise-grade DNS hosting. Using a non-enterprise DNS host without redundancy exposes the organization to threats such as distributed denial of service (DDoS) attacks. If your DNS goes down, then your websites, email, remote employee access, and other services go down as well.

SEE: How some presidential campaigns use DMARC to protect their domains from being spoofed (TechRepublic)

DNSSEC

One measure that can defend against DNS-related attacks is DNSSEC (Domain Name System Security Extensions), which authenticates and secures communications between different DNS servers. Only 3% of the companies in the Forbes Global 2000 use DNSSEC, according to CSC. Yet the lack of this security measure can help attackers hijack elements of the DNS lookup process, allowing them to control a browsing session and redirect users to malicious websites.

CAA records

A certificate authority authorization (CAA) record determines which certificate authorities (CAs) are authorized to issue a certificate for a specific domain name. A CAA record provides protection for your domain as it ensures that only your chosen CA can issue certificates. However, just 4% of the Global 2000 companies analyzed by CSC have adopted CAA records. The risk here is that an attacker who is able to access a domain name can always arrange for a new certificate to be issued without your knowledge.

SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)

Email authentication

Spoofing an email to make it look like it was sent from a legitimate source is an easy enough task. One way to protect against such spoofs is through DMARC (Domain-based Message Authentication, Reporting & Conformance), which verifies that email messages are being sent from the correct domain. However, only 39% of the Global 2000 companies currently use DMARC. Without this type of protection, an organization’s email domain could be used for email spoofing, phishing scams, and other crimes.
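Both the CAA and the DMARC records discussed above are plain DNS text that an organization can audit for itself. The following is an added example, not CSC's code or tooling: it parses a DMARC TXT record and grades how much protection it actually gives (a record with `p=none` exists but blocks nothing), and it applies the CAA issuance rules to a set of CAA records to answer whether a given CA would be permitted to issue for the domain or for a wildcard name. The records are constructed for the example and the functions work on strings, so no live DNS query is made; in practice the input would come from a DNS lookup of `_dmarc.<domain>` and of the domain's CAA records.

```python
import re

# Constructed sample records for a hypothetical contoso-example.com zone.
SAMPLE_DMARC = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc@contoso-example.com",
    "strong": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@contoso-example.com",
}
SAMPLE_CAA = [
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@contoso-example.com"',
]

CAA_RE = re.compile(r'^(?P<flags>\d+)\s+(?P<tag>[a-z0-9]+)\s+"(?P<value>[^"]*)"$', re.I)
KNOWN_CAA_TAGS = {"issue", "issuewild", "iodef"}


def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_assessment(txt):
    """Return (level, issues). Level is 'missing', 'monitor-only', 'partial' or 'enforcing',
    depending on whether receivers are told to quarantine or reject spoofed mail."""
    tags = parse_dmarc(txt or "")
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "missing", ["no valid DMARC record: receivers apply no policy"]
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    issues = []
    if policy == "none":
        issues.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail is flagged as spam rather than rejected")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports on spoofing are not collected")
    level = "monitor-only" if policy == "none" else ("partial" if pct < 100 else "enforcing")
    return level, issues


def parse_caa(records):
    """Parse '<flags> <tag> "<value>"' lines; parameters after ';' in the value are dropped."""
    out = []
    for r in records:
        m = CAA_RE.match(r.strip())
        if m:
            value = m["value"].split(";")[0].strip().lower()
            out.append((int(m["flags"]), m["tag"].lower(), value))
    return out


def caa_allows(records, ca_domain, wildcard=False):
    """RFC 8659 issuance rule: no CAA records means any CA may issue; otherwise the CA must
    appear in an 'issue' property (or in 'issuewild' for wildcard names when that tag is
    present). An empty value (";") forbids issuance; so does an unknown critical-flagged tag."""
    props = parse_caa(records)
    if not props:
        return True
    if any(flags & 128 and tag not in KNOWN_CAA_TAGS for flags, tag, _ in props):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in props):
        tag = "issuewild"
    allowed = {v for _, t, v in props if t == tag}
    if not allowed:
        return True  # no property of this kind: CAA imposes no restriction here
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, rec in SAMPLE_DMARC.items():
        print(name, dmarc_assessment(rec))
    print("letsencrypt.org may issue:", caa_allows(SAMPLE_CAA, "letsencrypt.org"))
    print("letsencrypt.org may issue wildcard:", caa_allows(SAMPLE_CAA, "letsencrypt.org", wildcard=True))
    print("any other CA may issue:", caa_allows(SAMPLE_CAA, "other-ca.example"))
```

The two points worth noticing are that the "weak" DMARC record would count as DMARC adoption in a survey yet stops no spoofing, and that an `issuewild ";"` record closes the wildcard path even for the CA that is otherwise authorized.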

To help your organization improve its domain security measures, CSC suggests the following steps:

  1. Incorporate secure domain, DNS, and digital certificate practices into your overall cyber security posture.
  2. Use a defense-in-depth strategy to secure your domains, DNS, and digital certificates. As part of this strategy, select an enterprise-class provider through which you can secure access to your domain and DNS management systems (two-factor authentication, IP validation, federated ID), control user permissions, and leverage advanced domain security features.
  3. Consolidate your domain, DNS, and digital certificate providers into one enterprise-class provider.
  4. Proactively identify, understand, and employ the appropriate security measures for your vital domain names through an enterprise-class provider. Choose a provider that offers continuous vital domain name identification, registry lock, DNSSEC, and DMARC.
