Prediction vs. Reality: Cyber Risk in the Covid-19 World
Covid-19 & Enhanced Cyber Risk
Two months ago, as the pandemic began to spread from its initial hotspots in China and Italy into the U.S., there was a great deal of speculation about how it might impact cybersecurity risk.
At Corvus, we talked about the potential for an uptick in phishing, as confusion around the virus led to potentially easy targets for attacks. We also saw potential weakness in the rushed implementation of VPN or other remote work-enabling technologies, which attackers could attempt to exploit with brute-force attacks. We also considered a worst-case scenario where widespread illness led to staffing issues and the inability of organizations to maintain proper security as a result.
Social distancing measures implemented across the country have -- thankfully -- kept the worst-case scenario from playing out, as far as we know. Other fears have proven valid, and in some ways, we didn’t expect. Let's review what we’ve seen so far.
First, phishing. We had already seen an uptick in attacks starting in February, with organizations like the WHO issuing warnings. So perhaps it’s not surprising that this trend has only continued. By mid-April, Google was reporting alarming levels of phishing scams relating to Covid-19. A province of Germany may have fallen victim to one of these scans, losing tens of millions of euros by distributing emergency funds to criminals impersonating citizens -- exactly the kind of exploitation of a confusing and fast-moving situation many experts feared.
Next is the vulnerability of certain technologies organizations use to facilitate remote work.
One obvious choice is a VPN, a technology that enables secure access to environments that are otherwise restricted to an on-premises network. VPNs have a host of potential vulnerabilities, as the U.S. CISA warned in March. They’re typically developed and sold by third parties but installed and configured by in-house IT teams, meaning there is scope for the wide variance in how secure they are from company to company.
True to form, criminals have been exploiting these vulnerabilities in recent weeks. Microsoft reported that several major VPN providers had been targeted by organized attackers, and advised hospitals in particular to patch their services.
Remote Desktops (Still) Risky
We’ve also seen reports of a massive uptick in attempts to gain access to RDP ports. RDP, or remote desktop protocol, is a Microsoft technology that enables virtual work on computers or servers. Before Covid, vulnerabilities in RDP were well-known as one of the most common attack vectors used by ransomware attack groups. Exploits have only increased as the attention to remote work is rising and companies may be installing new RDP servers to handle the volume of traffic.
As an example of how widespread these attacks are, Corvus set up a “honeypot” -- a server set up specifically to appear vulnerable and monitor attack activity. Within the first 24 hours that the honeypot was live, 33 different servers scanned the honeypot to see if RDP was active and at least two different servers attempted to login repeatedly from many locations including Russia, Iran, Vietnam, Belize, and the U.S.
These “brute force” attacks involve trying thousands of username/password combinations to attempt to gain access. Starting in March the rates of this type of attack have increased 6x.
And then there’s Zoom. Quick to offer free use of its platform as much of the world went into lockdown, Zoom’s daily active users skyrocketed from 10 million to 300 million. Reports of “Zoom-bombing” last month led the video conference market leader to quickly update security features across the board for its users.
To prevent attackers from entering meetings and causing disruption, Zoom now requires a password as a default, as well as adding a “waiting room” feature requiring host approval for participants to enter a meeting. Zoom also added a new button allowing a host to “report a user” to Zoom. While the poor default security settings here were not the fault of the organizations using the software, a general lack of awareness about the default settings contributed to the phenomenon.
The Growing Need for Cyber Defense
For your clients, it’s not time to ease up on their defenses as the worst of the pandemic fades into the rearview. As long as cybercriminals think they may have a fresh angle or tactic that might succeed, they’ll continue to attack. If your clients’ cyber policies don’t include risk mitigation and preparation services, take a look at what we've recently added to our offering at Corvus.
The rise of remote work and growing concerns over ransomware acted as partners-in-crime to get organizations to hone in on risk mitigation efforts over the past couple years. Through compiling our Risk Insights Index, we found that with certain initiatives — safer or reduced usage of RDP, growing use of email security tools, and other measures taken to limit the impact of threat actors — businesses are more prepared than a year before and ready to play defense. Those efforts are borne out in our finding that the rate of companies who pay a ransom when attacked with ransomware fell by half within a year.
The whisperings of “firming rates” start first, quietly in business meetings, then published in industry reports. Soon to follow, rumblings of a “hard market” are brought to the conversation. It’s cyclical in nature, and we see it across all insurance lines at one point or another. For years, Cyber Insurance stretched far and wide with “soft” market conditions, remaining highly profitable. Now that period of growth, with exceedingly available coverage and inviting terms, has stalled in the face of a hard market.