Cybersecurity firm McAfee’s ‘Covid-19 Threat Report: July 2020’, examining cybercriminal activity and the evolution of cyber threats in Q1 2020, says there was an average of 375 new threats per minute and a surge of cybercriminals exploiting the pandemic through Covid-19 themed malicious apps, phishing campaigns, malware, and more. “The end game is to infiltrate networks and cloud services beyond the home,” Sanjay Manohar, managing director, McAfee India, tells Sudhir Chowdhary in an interview. Excerpts:
What have been the dominant themes for cyberattacks in 2020?
The dominant theme of 2020 has been the scale and impact cyber-related attacks have had on our wider society. What started as a trickle of phishing campaigns and the occasional malicious app, quickly turned to a deluge of thousands of malicious URLs and more-than-capable threat actors leveraging our thirst for more information as an entry mechanism into systems across the world.
How are cybercriminals targeting employees working from home?
Cybercriminals see the remote, distracted, and vulnerable workforce as an opportune target. They are leveraging Covid-19-themed ransomware, RDP exploits, scam URLs and spam designed to lure remote workers into mishandling external engagement. McAfee Labs detected 458 publicly uncovered security incidents in the first quarter of 2020. Disclosed incidents targeting Asia-Pacific as a region increased by 27%. In addition, total malware increased 27% over the past four quarters, while new mobile malware increased by 71%. This was followed by account hijacking and targeted attacks. We have observed the emergence of phishing campaigns that use pandemic themed messaging to lure employees into engaging with and enabling threats to gain a foothold in their corporate networks. The end game is to infiltrate networks and cloud services beyond the home.
How are threat actors targeting the cloud?
The use of cloud services by every major industry has grown by 50% since 2020. Cloud traffic from unmanaged devices presents an increased source of risk, stemming from accessing cloud services outside managed corporate networks. Between January and April 2020, threats from external actors targeting cloud services increased over 600%, with the greatest concentration on collaboration services.
Our observations classified external threats into two major categories. First, excessive usage from anomalous locations that begins with a login from a location that has not been previously detected and is anomalous to the user’s organisation. The threat actor then initiates high-volume data access and/or privileged access activity. Second, the suspicious superhuman category, which is a login attempt from more than one geographically distant location, impossible to travel to within a given period. This activity can be tracked across multiple cloud services. For example, a user attempts to log into Microsoft 365 in Singapore, then logs into Slack in California a few minutes later.
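The two detection categories described in the answer above can be expressed as simple rules over login and access telemetry. The following Python is an added illustration, not code from McAfee or the interviewee: it runs both rules over constructed sample events (the user names, services, cities, the 900 km/h speed ceiling, the one-hour window and the 1,000-object bulk threshold are all assumptions for the example). The "suspicious superhuman" rule correlates consecutive logins by the same user across any cloud service; the "anomalous location" rule checks a login city against the organisation's baseline and then looks for bulk or privileged access shortly afterwards.

```python
"""Worked example of the two external cloud-threat categories from the interview:
impossible travel across cloud services, and anomalous-location logins followed
by high-volume or privileged access. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    service: str
    ts: datetime
    city: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Access:
    user: str
    service: str
    ts: datetime
    objects: int        # files/records touched in this session
    privileged: bool    # admin or privileged-role activity


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=900.0):
    """'Suspicious superhuman': consecutive logins by one user, across any cloud
    service, whose implied travel speed exceeds max_kmh (roughly airliner speed).
    Returns (user, earlier_login, later_login, implied_kmh) tuples."""
    findings = []
    last = {}
    for cur in sorted(logins, key=lambda l: l.ts):
        prev = last.get(cur.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Compare distance against the maximum reachable distance; this also
            # handles two logins with identical timestamps (hours == 0).
            if km > 0 and km > max_kmh * hours:
                kmh = km / hours if hours > 0 else float("inf")
                findings.append((cur.user, prev, cur, kmh))
        last[cur.user] = cur
    return findings


def anomalous_location_abuse(logins, accesses, baseline,
                             window=timedelta(hours=1), bulk_threshold=1000):
    """'Excessive usage from anomalous locations': a login from a city outside the
    organisation's baseline, followed within `window` by bulk data access or
    privileged activity by the same user. `baseline` maps org domain -> cities."""
    findings = []
    for lg in logins:
        org = lg.user.split("@", 1)[1]          # organisation taken from the UPN domain
        if lg.city in baseline.get(org, set()):
            continue
        for ac in accesses:
            if ac.user != lg.user or not (lg.ts <= ac.ts <= lg.ts + window):
                continue
            if ac.objects >= bulk_threshold or ac.privileged:
                findings.append((lg.user, lg.city, ac.service, ac.objects, ac.privileged))
    return findings


# Constructed sample telemetry (not real data); coordinates are city centroids.
T = datetime(2020, 4, 1, 9, 0)
SG = ("Singapore", 1.3521, 103.8198)
SF = ("San Francisco", 37.7749, -122.4194)
BLR = ("Bengaluru", 12.9716, 77.5946)
KYV = ("Kyiv", 50.4501, 30.5234)

LOGINS = [
    Login("alice@example.com", "Microsoft 365", T, *SG),
    Login("alice@example.com", "Slack", T + timedelta(minutes=5), *SF),   # impossible
    Login("bob@example.com", "Microsoft 365", T, *SG),
    Login("bob@example.com", "Slack", T + timedelta(hours=1), *SG),       # benign
    Login("carol@example.com", "Box", T + timedelta(hours=2), *KYV),      # off-baseline
    Login("dave@example.com", "Box", T + timedelta(hours=2), *BLR),       # on-baseline
]
ACCESSES = [
    Access("carol@example.com", "Box", T + timedelta(hours=2, minutes=10), 4000, False),
    Access("dave@example.com", "Box", T + timedelta(hours=2, minutes=10), 4000, False),
]
BASELINE = {"example.com": {"Singapore", "Bengaluru"}}

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(LOGINS):
        print(f"impossible travel: {user} {a.service}@{a.city} -> {b.service}@{b.city} ({kmh:.0f} km/h)")
    for user, city, svc, n, priv in anomalous_location_abuse(LOGINS, ACCESSES, BASELINE):
        print(f"anomalous location: {user} from {city} then {n} objects on {svc} (privileged={priv})")
```

The two rules deliberately take their inputs from different sources: the travel rule only needs a login stream merged across every sanctioned service (the answer's point about tracking activity across multiple cloud services), while the location rule needs a per-organisation baseline that should be built from historical logins rather than hand-maintained. The example keeps the baseline as a literal dict for clarity.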
Can you give us a global view of external attack sources on cloud accounts?
On average, McAfee Labs saw 375 new threats per minute and a surge in cybercriminals exploiting the pandemic through Covid-19 themed malicious apps, phishing campaigns, malware, and more. Using either weakly protected Remote Desktop Protocol (RDP) or stolen credentials from the underground, malicious actors are moving at lightning speed to breach a victim’s network architecture and effectively steal and then encrypt their data. Along with an increase in mobile malware, regional targets, crypto mining, and fileless malware, we have seen an exponential growth in Ransomware-as-a-Service attacks. Ransomware-GVZ, a coronavirus-themed campaign that emerged in March, displays a “ransom note” message demanding payment in return for decrypting their systems and the precious personal and corporate data they contain.
How can enterprises develop stronger cyber defences?
Monitoring and adaptation of the detection stack plays a key role in efficiently managing the evolving threat landscape. A cloud-native approach to delivering security will provide the most extensive coverage, capable of reaching devices off network and connecting to cloud services directly. This involves implementing a cloud-based secure web gateway, to protect corporate devices against web-based threats without routing them through a VPN. It is also necessary to set policies in your CASB so that cloud services have device checks, data controls, and are protected against attackers. Employing multi-factor authentication for sanctioned cloud services can significantly reduce the risk of stolen credentials.
Only a cloud-centric security mindset can augment the increase in cloud use and combat cloud-native threats. We must rise to the challenge of pushing technology forward, adapting, and developing stronger defence mechanisms to ascertain that the ‘future of work’ is secure.