8 May 2020
Lauren Winchester

Prediction vs. Reality: Cyber Risk in the Covid-19 World

Two months ago, as the pandemic began to spread from its initial hotspots in China and Italy into the U.S., there was a great deal of speculation about how it might impact cybersecurity risk. Here’s how it has actually played out.

At Corvus, we talked about the potential for an uptick in phishing, as confusion around the virus led to potentially easy targets for attacks. We also saw potential weakness in the rushed implementation of VPN or other remote work-enabling technologies, which attackers could attempt to exploit with brute-force attacks. We also considered a worst-case scenario where widespread illness led to staffing issues and the inability of organizations to maintain proper security as a result. 

Social distancing measures implemented across the country have — thankfully — kept the worst-case scenario from playing out, as far as we know. Other fears have proven valid, and in some ways we didn’t expect. Let’s review what we’ve seen so far. 

Phished Westphalians

First, phishing. We had already seen an uptick in attacks starting in February, with organizations like the WHO issuing warnings. So perhaps it’s not surprising that this trend has only continued. By mid-April, Google was reporting alarming levels of phishing scams relating to Covid-19. A province of Germany may have fallen victim to one of these scams, losing tens of millions of euros by distributing emergency funds to criminals impersonating citizens — exactly the kind of exploitation of a confusing and fast-moving situation many experts feared.

VPNs Vulnerable

Next is the vulnerability of certain technologies organizations use to facilitate remote work. 

One obvious choice is a VPN, a technology that enables secure access to environments that are otherwise restricted to an on-premises network. VPNs have a host of potential vulnerabilities, as the U.S. CISA warned in March. They’re typically developed and sold by third parties but installed and configured by in-house IT teams, meaning there is scope for wide variance in how secure they are from company to company. 

True to form, criminals have been exploiting these vulnerabilities in recent weeks. Microsoft reported that several major VPN providers had been targeted by organized attackers, and advised hospitals in particular to patch their services. 

Remote Desktops (Still) Risky 

We’ve also seen reports of a massive uptick in attempts to gain access to RDP ports. RDP, or Remote Desktop Protocol, is a Microsoft technology that enables virtual work on computers or servers. Before Covid, vulnerabilities in RDP were well known as one of the most common attack vectors used by ransomware groups. Exploits have only increased as attention to remote work rises and companies install new RDP servers to handle the volume of traffic.

As an example of how widespread these attacks are, Corvus set up a “honeypot” — a server set up specifically to appear vulnerable and monitor attack activity. Within the first 24 hours that the honeypot was live, 33 different servers scanned the honeypot to see if RDP was active and at least two different servers attempted to log in repeatedly from many locations including Russia, Iran, Vietnam, Belize, and the U.S.

These “brute force” attacks involve trying thousands of username/password combinations to attempt to gain access. Starting in March, the rates of this type of attack have increased 6x.
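One way to separate the two behaviors the honeypot recorded (sources that only probe for RDP versus sources that retry logins) is a sliding-window count of failed logins per source. This is an added example, not Corvus's code; the log format, event names, thresholds and sample lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical honeypot log format, sorted by time:
# "<ISO timestamp> <source IP> <event> [user=<name>]"
SAMPLE_LOG = """\
2020-04-01T00:00:05 203.0.113.7 CONNECT
2020-04-01T00:01:10 198.51.100.20 CONNECT
2020-04-01T00:01:11 198.51.100.20 LOGIN_FAIL user=administrator
2020-04-01T00:01:12 198.51.100.20 LOGIN_FAIL user=admin
2020-04-01T00:01:14 198.51.100.20 LOGIN_FAIL user=administrator
2020-04-01T00:01:15 198.51.100.20 LOGIN_FAIL user=user
2020-04-01T00:01:17 198.51.100.20 LOGIN_FAIL user=test
2020-04-01T00:05:00 192.0.2.44 CONNECT
2020-04-01T00:05:02 192.0.2.44 LOGIN_FAIL user=jsmith
2020-04-01T00:45:00 192.0.2.44 LOGIN_FAIL user=jsmith
malformed line
"""

def classify_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Split sources into scan-only, brute-force, and low-volume login failures."""
    recent = defaultdict(deque)  # source -> failure timestamps still inside the window
    seen, failed, brute = set(), set(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip lines that do not match the expected format
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        src, event = parts[1], parts[2]
        seen.add(src)
        if event != "LOGIN_FAIL":
            continue
        failed.add(src)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:  # many failures in a short span: brute force
            brute.add(src)
    return {"scan_only": seen - failed, "brute_force": brute,
            "other_failures": failed - brute}

if __name__ == "__main__":
    for label, sources in classify_sources(SAMPLE_LOG).items():
        print(label, sorted(sources))
```

A source with a couple of failures far apart, like a user mistyping a password, lands in `other_failures` rather than being flagged, which is the point of counting inside a time window instead of in total.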

The Zoom in the Room 

And then there’s Zoom. Quick to offer free use of its platform as much of the world went into lockdown, Zoom’s daily active users skyrocketed from 10 million to 300 million. Reports of “Zoom-bombing” last month led the video conference market leader to quickly update security features across the board for its users. 

To prevent attackers from entering meetings and causing disruption, Zoom now requires a password by default and has added a “waiting room” feature requiring host approval for participants to enter a meeting. Zoom also added a new button allowing a host to “report a user” to Zoom. While the poor default security settings here were not the fault of the organizations using the software, a general lack of awareness about the default settings contributed to the phenomenon.

Keep up the defense

For your clients, it’s not time to ease up on their defenses as the worst of the pandemic fades into the rearview. As long as cybercriminals think they may have a fresh angle or tactic that might succeed, they’ll continue to attack. If your clients’ cyber policies don’t include risk mitigation and preparation services, take a look at what we’ve recently added to our offering at Corvus.
