Aamir Lakhani, researcher at FortiGuard Labs, discusses leading-edge threats related to edge access/browsers/IoT, and the COVID-19 vaccine, as a way of getting into larger organizations.
Though it’s often hard to find group consensus, one thing everyone can agree on is a feeling of relief that we may be moving past the worst of the pandemic. While few want to look back on the darkest times, those months have continuing lessons to teach about cybersecurity. Like it or not, the echoes of 2020 continue to reverberate into 2021 in both the physical and digital worlds, and we ignore that fact to our peril.
Yes, the first year of the pandemic has passed, but it graciously left behind many of its cyber-fraud problems, which, as threat research shows, will continue for the foreseeable future. Malicious actors will continue to focus on maximizing their profits, using the traditional cost-benefit analysis to decide on the best attack vector. Remote work will continue as companies embrace the workplace changes wrought by COVID-19. From the cybercriminal perspective, these trends only increase the return on investment for their scams and fraud. With this in mind, organizations must remain vigilant to protect themselves and their sensitive data from these attack methodologies.
Post-Vax Social-Engineering Attacks Won’t Subside
Cybercriminals see in social-engineering attacks an effective, high-impact, low-cost methodology. Just as with legitimate businesses, cybercriminals want to maximize profit while reducing operational costs. And thanks to an abundance of “as-a-service” criminal software available via the Dark Web, social-engineering attacks are perfectly positioned to meet these goals.
What makes social-engineering attacks so successful is that they target people’s emotions, manipulating the fight-or-flight response. When people become overwhelmed by feelings like fear or empathy, they often make rash decisions. When the pandemic began, cybercriminals used these emotions to launch successful phishing attacks. Typical themes included layoffs and impersonating health authorities. Later, we saw more attempts focused on the vaccine.
People were initially desperate for information, so they let down their digital guards – leading to increased profitability. As countries start to offer more vaccination opportunities, those same emotions will continue to make social-engineering scams profitable. With such a desire to return to a “normal” life, people want to believe that positive information related to the pandemic is real. This desire makes social-engineering attacks about vaccines more profitable. Only when this information becomes more concrete and publicly available will threat actors see the viability of these scams lessen from a cost-benefit perspective.
As the world begins to open up and we crawl toward a brighter future, people are going to be looking for things to do and places to go – so we also expect to see social-engineering attacks start using things like travel and vacation deals to hook people.
The Home Office Continues to Be a Major Target
The distinction between home and office blurred significantly last year, meaning that targeting the home puts adversaries one step closer to the corporate network. In the second half of 2020, exploits targeting internet-of-things (IoT) devices topped the list. Every IoT device introduces a new network “edge” that must be defended and requires security monitoring and enforcement. With many companies continuing to allow at least some of their employees to work remotely with no stipulated end date, security leaders have to stay abreast of the latest threats regarding edge access and browsers.
The good news for cybercriminals, and bad news for everyone else, is that malware code is more flexible and able to reach further across the attack surface. One malware campaign can have a wide focus across different devices and platforms. For example, Adrozek is a malware family that has been successful across multiple browsers and applications, and it has a large infrastructure: the family controls hundreds of thousands of domains. The malware itself performs browser injection to seed malicious search results once a browser is infected. Once a malicious DLL extension is loaded, it’s essentially game over. What many people don’t realize is that a lot of edge devices also contain browsers.
Devices rely on embedded browser components to receive communications and updates, even when nobody opens an application and types in a website’s address. Bad actors are taking advantage of this built-in browser code. People have gotten used to assuming that browsers are secure; much of the time, they are updated automatically. But in many instances browsers are essentially the new edge.
Attacks don’t necessarily have to find vulnerabilities in the browser itself; a weakness in the backend is enough – in how the browser delivers an ad, how it processes searches, or any other process that gives attackers an opening. Botnets allow attackers to create hundreds of thousands of drones that can attack a wide variety of machines, including Windows systems, Mac systems, Linux, edge devices, IoT devices and more.
How to Defeat Disruptive Attacks
Social-engineering attacks and threats related to edge access/browsers/IoT together represent the major ways in which cyberattackers are targeting individuals, as a way of getting into larger organizations.
Fighting cybercrime requires an integrated strategy and broad awareness.
Threat intelligence will remain central to understanding these threats and how to defend against them. Visibility is also crucial, especially when a large percentage of users are outside the standard network perimeter. Every device creates a new network edge that the security team must secure and monitor. Artificial intelligence and automated threat detection can help organizations address attacks immediately rather than at some later point, and they are needed to mitigate attacks at speed and scale across all edges. Organizations should also prioritize cybersecurity awareness training, because cyber hygiene is not just the domain of IT and security teams. These best practices will help you learn from 2020’s cyber lessons and help protect individual employees and the organization as a whole.
Aamir Lakhani is a cybersecurity researcher and practitioner at FortiGuard Labs.