Unsurprisingly, cybercriminals have evolved their tactics to better exploit the home-based work environments most organizations have moved to during the pandemic. The result has been more (and more expensive) ransomware, increased targeting of Microsoft Office files, and increased use of non-standard ports for attacks.
Today, SonicWall is announcing the mid-year update to the 2020 SonicWall Cyber Threat Report. It provides SonicWall’s fullest assessment to date of the changes in the cybersecurity landscape created by the COVID-19 pandemic. It finds the changes in tactics to be significant, with most being specifically related to attempts to exploit the new environment.
“This is the brave new business norm we are all living in,” said SonicWall CEO Bill Conner. “The cyber landscape is quickly pivoting.”
The new landscape is dominated by the Work From Home environment, in which enterprises as well as smaller businesses tried to turn hundreds of thousands of workers into remote workers quickly.
“Most businesses, ourselves included, had the distributed enterprise going before,” Conner noted. “What COVID did was jettison us 2-5 years ahead – and if you were bigger, faster than that. It is the new business norm. Most of the businesses we talk to are truly rearchitecting their businesses.”
Conner said that this rearchitecting was necessary, with many businesses going from 20-40% of employees being remote to close to 100% remote. SonicWall itself has only two of its offices around the world open today, both in Asia.
One of the results of this rearchitecting noted in the report was a 24% drop in malware attacks worldwide – a data point that Conner indicated sounds good, but which actually gives a false impression of what is happening.
“Malware is down globally but that’s a little bit misleading because malware isn’t coming into the traditional enterprise now,” he said. “You can’t track it as easily in the home or on devices. It has also become more focused instead of the old broad shotgun blast.”
More problematic, Conner noted, is that the decline of malware has been paralleled by a rise of ransomware in the U.S. and globally. Globally, it was up 20%, with a 109% jump in the U.S. It has also become much more dangerous – and expensive.
“COVID is creating an economic crisis around the world, and as countries have become financially strapped, it’s too easy for state actors to target companies with increased ransom demands,” Conner said. “Ransoms have gone from tens of thousands of dollars to a million dollars. A California university got a million-dollar ransomware demand. Now they are going after hospitals. You will continue to see that morph. Education, health care and government are the target-rich environments.”
19% of ransomware attacks were specifically tied to COVID spear phishing.
“Spear phishing got easier with people moving home,” Conner said. “It becomes more effective and efficient because it’s easier to get in, and they are way more strategic in their targets.”
SonicWall expects this ransomware trend to increase. Conner noted that ransomware was actually down in some European geographies as crooks focused on the U.S. market, but said that this trend won’t last and that the company expects European ransomware numbers to go up a lot.
Dmitriy Ayrapetov, SonicWall’s VP of Platform Architecture, noted that while ransomware gets a lot of attention, business email compromise is more dangerous in terms of the amount of money that is stolen, and that the move to home-based environments has made it worse.
“Business email compromise is a more insidious attack, with confusion sown by people working at home,” he said. “It’s because it’s a new environment, so it’s harder to tell what’s not normal. We saw an example in our own company where one of our sales directors got an ‘attachment for review’ with Bill’s name on it. Business email compromise is more dangerous, because it directly costs millions of dollars. Spear phishing just leads to a breach.”
Another impact of Work From Home was a 176% increase in malicious Microsoft Office file types.
“Malicious Office files have now overtaken PDFs,” Conner said. “They have become so much more prevalent, with increased use of Office in home environments. We expect that nation states will leverage Office attacks further for both IP and monetary gain.”
SonicWall also expects to see a new wave of attacks on Adobe PDFs.
“Adobe has done a good job of catching up to bad guys, but PDF still has an architectural wonderland to take advantage of,” Conner said. “People will come up with new cocktails for this. Right now, the Office wave is huge but as they tighten up, the wave will back shift to PDF. And the PDF numbers are still pretty big now.”
23% of malware attacks also leveraged non-standard ports, another trend likely to increase in Work From Home environments.
“When you protect a non-standard port, it’s labour intensive, with firewall costs up, and performance down,” Conner commented. “The last two quarters were the largest growth here that we have seen in three years. We have been asking all 21,000 of our partners globally how many know what a non-standard port is and if they have them covered. Most know what they are, but don’t always know if they are covered. These ports are ripe for the picking.”
IoT malware attacks rose 50%, and a logical conclusion would be that attackers are targeting home-based OT systems connected to the network to get in the easiest way. That’s not the case, however – not yet anyway.
“The IoT attacks are mainly on business systems – office automation in the enterprise, so Honeywell systems, as opposed to home automation,” Conner indicated.
The key challenge for organizations responding to these changes in the landscape is how to recreate the layered defense strategy they built for the office environment in the very different distributed one.
“It’s a big worry for enterprises with remote workers,” Conner said. “How do they segment those workers and their home networks? They built layers of defense into the business. Now they need to figure out what layers they need in offices at home.”
Conner outlined SonicWall’s view of best practices for building layered defenses in the home.
“You need next-gen endpoint protection on the laptop,” he said. “You then need a capability to deal with cloud app security, as more legacy applications go to cloud apps. Most enterprises don’t understand the degree of risk there. We are highly recommending cloud app security. That’s a second layer. The third layer is the access part – secure mobile access – SSL/VPN. And then after that, it’s dependent on how much security you need. I beefed up my firewall, and I have nine cameras set up. And then you have to bring all of this back into a single pane of glass for the business.”
Conner noted that a problem in setting up home-based security is that the increased demand means that the person who does the home-based installs is less likely to be a trained security specialist.
“It’s not security guys who do SMB who are doing much of that today,” he said. “It’s less knowledgeable people.