In Munich, Germany the teenage daughter of the CEO of a major law firm was using her father’s corporate laptop when she stumbled on an advertisement for a free IQ test.
Curious about the test, she downloaded the software in the ad unaware it contained a potent trojan horse virus. Once downloaded, the virus immediately drained the computer of all work-related documents and tried to use its remote connection to the corporate network to infect other PCs in it.
While the damage was fortunately discovered and limited to the laptop (which needed a replacement), the potential breach could have been a devastating blow for the firm. And this is only one of the few close-calls we hear about. According to experts, the sudden switch to remote work has opened up countless vulnerabilities in corporate cybersecurity.
“Hastily implemented remote access solutions pose a great risk [to organizations]. Faulty configurations are highly likely when rolling out remote infrastructure under time pressure. Infringements and attacks are foreseen to rise significantly. It is usually only a question of when these infrastructures get attacked”, said cybersecurity experts Thomas Koehler, Paolo Cervini, and Jonas Vetter in a 2020 Op-ed on the London School of Economics’ website.
In the face of the 2020 Covid crisis, we steamrolled headfirst into remote work. Many companies, especially startups and SMEs, using little more than simple cloud services, Gmail accounts, and personal laptops to transact and send data.
However, it has become painfully clear that many of these switches were made without a clear idea of how they might affect the security of company data. And there may be consequences on the horizon if steps are not taken by companies of all sizes to shore up their data.
Why do more companies need to be concerned about cybersecurity threats today?
Today hacks aren’t limited to giant, coordinated attacks on major corporations. With so many small companies forming around the world in regions with varying regulatory environments for cybercrime and IP theft, corporate espionage has never been easier or more appealing. And small-to-medium-sized enterprises (SME’s) are a prime target.
“Our always-interconnected world is a low-risk environment for gaining information about competitors’ plans. We have seen reputable western companies crossing the line, outrightly spying on competitors, especially in economically challenging times. While in the past trade secrets of other companies were difficult or dangerous to obtain – it is now almost as easy as sneaking through a half-closed door.” -Koehler, Cervini, Vetter 2020
How are cyberattacks happening today?
In previous eras, large companies with large amounts of data online kept their information strictly within their own servers and usually communicated solely through phone and email. Hackers would need to do their research to break into these systems which generally required gaining access to key terminals within an office.
Ironically, with a growing number of apps businesses rely on for communication today, hackers actually have a steadily shrinking list of third-party cloud providers they need to exploit to gain access to the data of thousands of companies.
Most of the ways hackers can access company data are already well known. Called zero-day vulnerabilities, these are vulnerabilities that have been discovered in popular programs and applications by cybersecurity researchers but have yet to be patched by the company that runs them. They are exceptionally dangerous because once hackers learn about them, they tend to pile in to exploit the holes before they are patched.
A 2021 report from Tenable research reported that just in the summer of 2020, 547 zero-day vulnerabilities of the most critical level were reported in major softwares like Citrix, Google Chrome, Apple, and Oracle. Just to name a few. Here are some of the most common types seen today.
The same report from Tenable research also shows some of the most prominent vulnerabilities exploited in 2020 were VPN flaws, specifically:
- Fortinet FortiOS SSL VPN Web Portal Information Disclosure
- Arbitrary File Disclosure in Pulse Connect Secure
- Citrix Application Delivery Controller (ADC) and Gateway
Without getting too technical, these three vulnerabilities are all variations of something called directory transversal flaws. These flaws allow an attacker to use the VPN connection to access files outside of the parent folder they gain access to. All an attacker needs to do is send a specially crafted request containing a directory traversal string (e.g. “../../”) to vulnerable endpoints in the code and then they are free to roam other company files.
These VPN flaws aren’t new either. Many have been around for the past decade or two. Today with entire offices moving online and working with them, IT departments need to be aware of other vulnerabilities that can occur when too many entities are using the bandwidth. They also need to be sure to stay on top of patching their VPNs.
Remote Desktop Protocol (RDP) vulnerabilities
RDP is a system that lets you access another desktop (usually your work computer or work-related servers) remotely from another computer. It is included in every Windows operating system release. While disabled by default, its convenience leads many organizations to enable it. However, it has a ton of vulnerabilities.
According to a report from the cybersecurity research institute, Coveware, RDP remains one of the most popular attack points for ransomware groups such as Sodinokibi, Maze, and Phobos. This is because of how easy it is to hold company files hostage after gaining access.
Referring back to Tenable’s report, over 46 percent of the breaches in the healthcare sector were caused by ransomware attacks. This is where a hacker holds an organization’s data or operational power hostage in exchange for a fee.
Some of the rises in ransomware are speculated to be due to the rise in cryptocurrency making it easier for hackers to receive funds untraceable. However, as a recent Bitcoin seizure by the US Department of Justice from a recent ransomware attack indicates, this may not be a viable payment route for hackers in the future. The US DOJ has even mentioned that they may take legal action against companies that make ransom payments to ransomware attackers.
But back to RDP.
RDP reportedly boasts 4.5 million internet-facing systems with the Remote Desktop TCP port 3389 open. That means 4.5 million easy access points to password-protected portals to company data. And all that stands between them and precious company files is one flimsy passcode.
Hackers often can gain access to RDP password portals easily enough through brute force attacks. That means plugging as many different login credentials as they can think of into the system until one works. They may also be able to gain access to login credentials through the online black market. If those fail there are a couple of other major exploits they can take advantage of as well including denial of service and information disclosure.
New conferencing app vulnerabilities
Suddenly, most companies are using online communication tools like Zoom, Microsoft Teams, Google Hangouts, Cisco Webex, or VoIP to communicate remotely.
While these apps provide timely and needed services for businesses working remotely they create new pressure points for companies. Any new app incorporated leaves important data in the hands of 3rd-party entities and their own vulnerabilities. In turn, many of these apps were not fully prepared for the volume of users flooding their servers all at once.
This has created many data security issues behind the scenes as hackers have piled in to find exploits in the most popular services.
Malware and phishing
COVID saw a monumental wave of reported malware and phishing attacks sent through email. Many claim to be for COVID relief.
For example, in August of 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory about a phishing scheme impersonating the Small Business Administration’s (SBA) COVID-19 loan relief program. The SBA program was designed for businesses struggling during COVID-19 to be able to seek out debt relief and apply for loans. Instead, when they clicked this email they would download a trojan virus to their computer.
These are just a select few attacks that came about because of COVID, there are still many tried and true phishing scams. A very common method is simply breaking into networks by impersonating employee email addresses down to one or two misplaced characters. These have been a scourge to IT departments worldwide.
Four types of trojan malware that were particularly popular in 2020 included:
- Emotet, is a well-known banking trojan used for many large ransomware attacks.
- The AZORult trojan uses a Microsoft Office memory corruption vulnerability. It’s one of the most well-known vulnerabilities for malicious emails.
- The Nanocore remote access trojan gives attackers access to keystrokes and webcam feeds and lets them download and execute files.
- Trickbot, is another banking trojan often used by ransomware gangs.
What are companies doing to prevent cyberattacks?
Patching patching patching
Many vulnerabilities, specifically those from VPNs come from forgetting to patch infrastructure. Patching is an annoying but necessary component to keeping systems like servers running smoothly and exploit-free. With an increasing number of employees working from home, it can be inconvenient to patch as it may limit bandwidth. IT departments need to be strategic about when they perform patches so as not to disrupt workflow.
Encouraging stronger passcodes
We’ve all gotten annoyed at a website telling us passcodes are too weak. But these stronger passwords are meant to better protect accounts from the brute force attacks mentioned above.
Companies are also increasingly making employees log in through two-factor authentication methods (2FA). While it can be annoying to have to whip out your phone every time you want to access company files, it’s much harder for a hacker to break into two devices to access one account.
Besides being a key component of effective remote communication, limiting the number of apps your organization communicates through is a best practice for cybersecurity.
Every extra app added to your company’s communication repertoire is another potential route by which company information can be compromised. Make it clear all company video calls are done through Zoom as opposed to Gmail or Skype. Clearly define which portals important documents are allowed to be sent through and outline exactly what constitutes an important document.
Staff at every company should have a good handle on basic cybersecurity practices as online data continues to creep into every part of day-to-day life and company IP creeps onto personal devices. Staff should know some of the telltale signs of phishing scams on email and how to know whether a website or downloadable item is safe.
How to kickstart fighting cybersecurity threats as an SME
As an SME, you probably are unsure about hiring a full-time cybersecurity professional onto your staff immediately. It’s a big commitment – you’re focusing on getting a product off the ground and only have a budget for absolutely necessary positions.
But there are alternatives you can use to begin building a cybersecurity presence. One increasingly popular one is hiring remote interns from Digital Skills Academies.
An IT security intern from a Digital Skills Academy (DSA) can quickly get your IT infrastructure up and fight against cyberattacks without a huge time or salary commitment. At Virtual Internships, we partner with top DSA’s around the world to bring skilled cybersecurity professionals to SMEs that need them.
Over the course of 3 months, a cybersecurity DSA intern can help your organization:
- Set and implement user access controls and identity and access management systems
- Monitor network and application performance to identify irregular activity
- Perform regular audits to ensure security practices are compliant
- Deploy endpoint detection and prevention tools to thwart malicious hacks
- Set up patch management systems to update applications automatically
- Implement comprehensive vulnerability management systems across all assets on-premises and in the cloud
- Work with IT operations to set up a shared disaster recovery/business continuity plan
- Work with HR and/or team leads to educate employees on how to identify suspicious activity
Better yet DSA programs are often government-funded as a way to give their population hands-on experience, so there are no fees or costs involved for your organization.
Want to learn more about hiring a DSA cybersecurity intern to get your organization protected? Visit our website and leave us an email. We’d be happy to talk with you further.