Breaches increase 4-fold in Europe because of Hackers targeting home remote-workers


A report has shown that the Coronavirus lock-down has now caused hackers to target newly remote workers as a way into corporate networks.

The Coronavirus lock-down has now seen the total number of compromised organisations across Europe & the US nearly quadruple, as more & more employees begin to work from their homes.

Finland

Figures released by Arctic Security, which is based in Finland, show a stark increase of nearly 300% in compromised networks in 9 European countries, & also in the US. This reflects the timing of the ‘stay at home’ orders & the newly remote workforce.

It was discovered that the number of compromised networks was under 4,000 in January but had increased to over 12,000 by March. Italy, it seems, had the largest number of compromised networks in January & February, but was overtaken by the UK in March because the lock-down came into force there.

Team Cymru

Arctic used network-level data from the US-based ‘Team Cymru’ to produce this study, & said that the increases have taken place, in part, because more staff are working remotely & using VPNs to connect to their own organisations’ networks.

“One cannot say with certainty what causes organisations to get compromised while most workers are working from home. However, it seems that the connections normally blocked by on-premises security solutions do not work as well, when people are using a VPN to connect into their employers’ networks. When employees are in the office, it seems as though the corporate firewalls function like dams blocking malware-infected machines trying to connect out to the Internet either for command & control or to further compromise other vulnerable machines on the Internet,” the report went on to say.

Digging a Ditch

“However, when you rely on a VPN, it’s like digging a ditch to the side of that dam,” cautioned Lari Huttunen, who is a Senior Analyst at Arctic Security.

Faiz Shuja, Co-Founder/CEO of SIRP Labs, explained that, to carry the analogy further, as the ‘tsunami’ of security threats increases, new tools will be needed to manage the fast-rising volume of alert data.

SOAR

“Many SOC teams rely on Security Orchestration and Response (SOAR) platforms to provide them with actionable information. However, these tools often fall short by failing to incorporate sufficient threat intelligence & context tied to the organisation’s risk. What they are asking for is something that gives them a clear view of the nature and severity of alerts. Helped by this intelligence they are then better able to make informed decisions about incident response priorities,” he further explained.

Graphs

Martin Jartelius, who is Chief Security Officer at Outpost24, observed that it is important to look at the graphs & what they actually indicate. Scanning/looking around has increased, so the number of individuals or systems engaged in research, or in checking for targets, has increased. The potential reason for this is that the time available to amateur security-interested individuals has itself increased.

Botnets

“If we look at units connected to botnets or to known commands and controls, what we actually see is a decrease from Feb. to March. There is more looking but not more hacking, to rephrase. The graph is a tad hard to determine with regard to exploitation, & whether this was successful or not, but based on no increase in C&C and botnet activity this does not look to indicate massive exploitation. The data of course is interesting, if nothing else it is a clear indication that a long-term financial crisis following the current pandemic can result in opening a cyber ‘Pandora’s Box’ as more skilled individuals lose meaningful employment,” he further outlined.

Both interesting & worrying trends.

 
