Threat actors have leveraged the fear and uncertainty created by the global pandemic to ramp up their social engineering and malware attacks – both of which can be hugely detrimental for organisations. Sherrod DeGrippo, Senior Director, Threat Research and Detection, Proofpoint, highlights the malware trends organisations need to be aware of and offers some key advice to CISOs building their incident response plans.
The impact of COVID-19 on the threat landscape
“As we saw the situation develop over the past several months, beginning at the early part of 2020, as things started to move west, we were definitely questioning how this current event would impact the threat landscape and we saw the first use of COVID-19 in social engineering attacks in late January. Those were against targets in the West, so it was absolutely something that was on the mind of the threat actors and started quite early as that news came in,” DeGrippo explained.
As the situation has developed, threat researchers have identified much more specific and tailored techniques.
“Instead of just talking about the virus, we see social engineering talking about the vaccine, or saying ‘click here to see a list of people who have been infected in your area’. We see it used as a way to push for urgency.”
Where the threats are coming from and the motivation behind them
DeGrippo highlights that ‘just about every’ actor on the landscape has leveraged the pandemic in some way – from the typical commodity, crimeware actors to state sponsored and smaller actors behind the likes of BEC and email fraud.
“When it comes to motivation for attacks like these, typically they’re financially motivated. Of course, the state-sponsored actors are motivated by espionage and nation state type interests, but for the most part, the motivations that these actors have hasn’t really changed, the social engineering wars that they’re leveraging is what has become the new thing,” she said.
Vertical and regional targets
While such attacks originally started with a focus on targets in the west, these have now become so widespread they are no longer considered ‘unusual’.
DeGrippo said: “At this point, anyone, anywhere, is subject to potentially getting a COVID-19 social engineering attack. We see these day-in and day-out now, in all kinds of different ways. So, it’s really become the standard.”
Malware trends of which organisations should be aware
“Malware is something that’s always evolving – that’s one of the things we can count on. It’s never the same day-to-day, week-to-week,” DeGrippo said, highlighting that the last year had seen the emergence of two similar types of malware that work together.
“The first is the age of the modular downloader. These downloader malware samples essentially get on a machine and then they download second, third and later stage payloads, meaning that the threat actor can make a decision about what is actually put on that machine in the end.
“Something you’ve all been hearing a lot about is, of course, ransomware. What we’ve noticed is that these operator control downloaders are typically the delivery vehicle for ransomware when the threat actor makes the decision that ransomware is the right choice.”
Most detrimental types of malware for enterprises
“It really depends on what your operations look like day-to-day – a banking trojan which steals money out of a bank account may be really devastating for some businesses if they operate on a really tight cash flow, whereas if there is ransomware on a few machines they might be able to turn those around quickly,” DeGrippo said.
However, ransomware in large-scale deployment has been ‘absolutely devastating’ for organisations. Historically, ransomware would be on one machine and, while inconvenient, could generally be taken care of the by the IT team.
“The new ransomware landscape is about a much more deliberate and strategic approach, where the threat actors are looking to ransom an entire company, their entire business operations and shut that whole organisation down at once in order to get a much larger ransom payment,” said DeGrippo.
“We used to see US$100 to US$800 for ransoms, now we’re seeing ransoms in the millions, because what they’re able to ransom is no longer just files, but an entire company’s ability to operate.”
How successful threat actors are in obtaining these ransoms
“Typically in my line of work, we look to stop these things before they ever get to those end-users but from what I have seen in the media, it does appear that a lot of the very sophisticated ransomware actors are able to extract a decent amount of the ransoms that they deploy,” said DeGrippo.
However, there is question around the culpability of an organisation that pays a ransom due to various international laws. Organisations need to ensure they have a plan for how they will deal with incidents and ransomware in a pandemic.
“We don’t just want an incident response plan, we want an incident response plan for the usual things, plus ransomware, plus a pandemic. I don’t think a lot of organisations are prepared that way so they need to work on that today.”
Best practice advice for incident response
DeGrippo highlights that the best practice advice for incident response is for organisations to understand their people and their processes, because the threat actors will know them just as well as the business itself.
“It’s important to deeply understand those. In addition to that, what’s really important for organisations to think about is, ‘hey, we’re not operating in our traditional world anymore. That IT helpdesk is not down on the third floor the way they used to be. Our users are now spread out at their homes and they’re competing for Internet with their kids or their spouse’.
“It’s a much different reality to the way that we have to respond to incidents today than we did a year ago and updating those plans now, if an organisation hasn’t already, is the most important thing.”
Creating a robust cyberdefence strategy to protect against these types of malware attacks
“I really still believe in the best practices that you learn from all of those foundational concepts in information security like defence in depth, having strong patch management and really building an information security programme,” said DeGrippo.
“You can’t write a plan, put a book in a drawer and then never think about it again. It really should be a living document that is conducive to a security programme that you’re constantly revisiting, updating and continuing to strengthen all the time.”
Key priorities for CISOs and CIOs in 2021 to get on top of malware
A key priority for the year ahead is for executives to have a solid understanding of exactly what is coming in and out of their environment.
“We talk about information security and that really is about protecting information. When information is in transit, that’s when the security problems begin, so understanding what’s coming in and what’s coming out is crucial,” DeGrippo said.
“Email continues to be the number one threat vector so understanding what is coming in and understanding what is coming in to whom.
“Who are these people that are receiving these threats? Why are they attractive to the threat actors? I’m really focused, especially as we go into the next year, on thinking not about threat modelling, but threat inventory and the threats that are actually coming in.
“It really shouldn’t be a theoretical practice anymore; we really should be able to understand from a people-centric lens each person in our organisation and what threats they’re actually facing each day.”
That then enables the CIO to make informed decisions about who to protect, where and with what.
“I think that there absolutely are vertical targeted threats, there are regionally targeted threats and we see those tailored to the financial institutions that are used in a specific region or specific government alerts,” DeGrippo added.
“I think it’s really important to make sure that the people that are potential targets in your organisation understand the realities of what to click on and what not to click on.”
She added that researchers had seen the threat landscape align and focus itself around business hours, business days and business processes.
“It’s understanding that the more you’re sitting at that desk, the more you actually are at risk. It really does go down on weekends and holidays. So having a good understanding that the threat landscape is more active on the days that people are more active at work, and being conscious of that, to avoid potential social engineering threats.”