Our Quarterly Threat Situation Brief aims to kill two birds with one stone: it shares our assessment of the security issues we have observed over the past quarter, and it looks ahead at the trends we expect to see. It is based on our review of relevant security sources on the one hand, and on the billions of security events we have seen in our customers' environments over the course of the last three months on the other.

Financially challenging times, short-time work and necessary cost optimization programs have been business realities of the past three months as a result of the Corona pandemic. Chances are that companies are cutting investment in cyber security while already operating with a reduced workforce, which runs diametrically counter to their increased protection needs.

Covid-19: Attackers are not on short-time work

Business realities including short-time work have generally left companies with less capacity for risk mitigation, patch management and incident response, while the number of cyberattacks they face is unchanged. Worse still: some of the most sophisticated advanced persistent threats we have seen were detected during the last three months.

Swift implementation of teleworking has been a necessity for many organizations to secure business continuity, with little time to check remote access solutions for security risks, potentially opening doors for criminals. On top of this, coordinating incident response teams that work from home offices is more complex than having them operate from their war room.

Information security and data privacy in a world of remote workplaces, with no visibility into who is actually reading what on corporate devices, add a third dimension of challenges. While certainly not caused by the Corona pandemic, the current circumstances have intensified such issues and are forcing organizations to cope with them.

General malware findings

Ransomware is here to stay, and it is lucrative. Criminals have adapted to capitalize on the current global uncertainty and are expanding their attacks: we are increasingly observing attacks that combine encryption with data theft. "Pay the ransom or your most valuable data gets published" is their motto, and some attacks from the past few months specifically aimed at critical European organizations in the oil and gas, aerospace and military sectors.

Recent malware findings range from the long-known but steadily reinvented Emotet, with the goal of paralyzing an organization's network, over botnets specifically targeting IoT devices, to spyware targeting air-gapped systems, just to name a few.

As people's thirst for information about the Corona pandemic continues, so does the attackers' interest in taking advantage of it. Multiple malware families, ransomware strains and potentially unwanted applications have been exploiting anxiety over Covid-19 and communicating with related domains. Whether it is Corona-themed phishing attacks targeting business executives, a massive campaign of phishing emails pretending to come from the Johns Hopkins Center, or Covid-19 campaigns targeting SCADA systems with a Python Trojan, criminals are creative in abusing the pandemic for their malicious cause.

Zero-Day exploits and critical vulnerabilities

With a huge part of the global workforce currently working from locations outside their offices, it does not come as a surprise that exploitation of Pulse Secure VPN servers that still lack the long-available patch has continued. Researchers also recently discovered that the crypto-mining botnet "Vollgar" has planted backdoors on thousands of Microsoft SQL Servers; Vollgar has targeted MSSQL databases since 2018, gaining access by brute-forcing database logins.
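Because Vollgar gets in by guessing MSSQL logins, the burst of failed logons is the signal to hunt for. The following Python is an added example, not code from this brief or from any vendor: it parses constructed SQL Server ERRORLOG-style "Login failed" lines (SQL Server records these as error 18456, together with the client address), counts failures per client address in a sliding window, and flags a client whose burst is followed by a successful logon. The window length, the threshold, the sample addresses and the user names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the ERRORLOG lines written for failed (error 18456) and successful logons.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_errorlog(text):
    """Return logon events (dicts) from ERRORLOG text; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "outcome": m["outcome"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=20):
    """Flag clients with at least `threshold` failed logons inside any `window`.

    Returns {client: {"peak_failures_in_window", "users_tried", "success_after_burst"}}.
    success_after_burst is set when a logon from a flagged client succeeds within
    `window` of its last failure: the pattern of a brute force that finally guessed right.
    """
    recent = defaultdict(deque)   # client -> timestamps of failures still inside the window
    users = defaultdict(set)      # client -> user names it has failed against
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        c, q = ev["client"], recent[ev["client"]]
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            users[c].add(ev["user"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(c, {"peak_failures_in_window": 0,
                                            "users_tried": set(),
                                            "success_after_burst": False})
                f["peak_failures_in_window"] = max(f["peak_failures_in_window"], len(q))
                f["users_tried"] = set(users[c])
        elif c in findings and q and ev["ts"] - q[-1] <= window:
            findings[c]["success_after_burst"] = True
    return findings


def constructed_errorlog():
    """Constructed sample, not real data: a 30-guess burst from 203.0.113.5 that ends
    in a successful 'sa' logon, plus two spaced-out typos from a legitimate user."""
    base = datetime(2020, 6, 1, 10, 0, 0)

    def stamp(dt):                       # ERRORLOG uses a two-digit fraction
        return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]

    failed = ("{} Logon       Login failed for user '{}'. Reason: Password did not match "
              "that for the login provided. [CLIENT: {}]")
    ok = ("{} Logon       Login succeeded for user '{}'. Connection made using "
          "SQL Server authentication. [CLIENT: {}]")
    lines = [f"{stamp(base)} spid12s     SQL Server is now ready for client connections."]
    for i in range(30):
        lines.append(failed.format(stamp(base + timedelta(seconds=i)),
                                   ["sa", "admin", "sqladmin"][i % 3], "203.0.113.5"))
    lines.append(ok.format(stamp(base + timedelta(seconds=31)), "sa", "203.0.113.5"))
    lines.append(failed.format(stamp(base + timedelta(minutes=2)), "jsmith", "10.0.0.42"))
    lines.append(failed.format(stamp(base + timedelta(minutes=5)), "jsmith", "10.0.0.42"))
    lines.append(ok.format(stamp(base + timedelta(minutes=5, seconds=10)), "jsmith", "10.0.0.42"))
    return "\n".join(lines)


CONSTRUCTED_ERRORLOG = constructed_errorlog()

if __name__ == "__main__":
    for client, finding in detect_bruteforce(parse_errorlog(CONSTRUCTED_ERRORLOG)).items():
        print(client, finding)
```

On a real server the same logic runs over `sys.fn_get_audit_file` output or the ERRORLOG files; the two-failure client is deliberately left unflagged so that ordinary typos do not page anyone, while the burst-then-success case is the one worth an immediate credential reset.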

A critical remote code execution vulnerability was found in undisclosed pages of the Traffic Management User Interface (TMUI) of F5's BIG-IP application delivery controller. F5 released patches for the flaw as well as mitigations intended to prevent its exploitation. However, researchers found a way to bypass one of the mitigations, which the vendor confirmed, so the mitigation alone should not be relied on in place of the patch.

Large-scale DDoS attacks are possible through "NXNSAttack". This vulnerability in the way recursive DNS resolvers handle delegations lets a single client query force a resolver to generate many queries to authoritative servers of the attacker's choice, potentially causing botnet-scale disruption to online services. Other prominent observations have been a critical flaw in VMware Cloud Director that could be used to hijack enterprise servers, attackers gaining administrator privileges through a flaw in the Windows Group Policy feature, and "Ripple20", a set of vulnerabilities in a widely used embedded TCP/IP stack that affects hundreds of millions of IoT devices and enables successful attackers to hide malicious code within embedded devices for years and simply bypass an organization's network boundaries.
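The NXNSAttack amplification described above comes from a resolver chasing every glue-less NS name in a referral. The following Python is an added example, not code from this brief or from any resolver project: it models an attacker-controlled authoritative server whose every response is a referral to many non-existent NS names inside the victim's zone (without glue), a resolver that looks up an A and an AAAA record for each of them, and the effect of two things on the amplification factor: randomizing the NS names so the resolver's cache never helps, and capping the number of NS names chased per referral, which is the kind of limit resolver vendors shipped as a fix. The zone names, the cap value and the two-queries-per-name assumption are assumptions made for the example.

```python
"""Toy model of NXNSAttack amplification (added example, all names are made up)."""
from collections import Counter
from dataclasses import dataclass, field

ATTACKER_ZONE = "attacker.example"   # authoritative server controlled by the attacker
VICTIM_ZONE = "victim.example"       # authoritative server the attacker wants flooded


@dataclass
class Referral:
    """A delegation response: NS names for the zone plus any glue addresses."""
    ns_names: list
    glue: dict = field(default_factory=dict)   # ns name -> IP; empty in the attack


def attacker_server(n_ns, randomize=True):
    """Fake authoritative server for attacker.example. Every query is answered with a
    referral to n_ns glue-less NS names inside the victim's zone. With randomize=True
    the names change on every query, so a caching resolver gets no benefit."""
    counter = {"q": 0}

    def answer(qname):
        counter["q"] += 1
        tag = f"r{counter['q']}-" if randomize else ""
        return Referral([f"{tag}ns{i}.{VICTIM_ZONE}" for i in range(n_ns)])

    return answer


class Resolver:
    """Minimal recursive resolver that models only the NS-chasing step."""

    def __init__(self, max_ns_fetch=None):
        # None models an unpatched resolver; a small number models the vendor
        # mitigation of capping glue-less NS names chased per referral (assumed value).
        self.max_ns_fetch = max_ns_fetch
        self.cache = set()       # NS names already looked up (positively or negatively)
        self.sent = Counter()    # destination zone -> queries sent

    def resolve(self, qname, authoritative):
        self.sent[ATTACKER_ZONE] += 1           # the query that fetches the referral
        ref = authoritative(qname)
        pending = [n for n in ref.ns_names if n not in ref.glue]
        if self.max_ns_fetch is not None:
            pending = pending[: self.max_ns_fetch]
        for ns in pending:
            if ns in self.cache:
                continue
            self.cache.add(ns)
            parent_zone = ns.split(".", 1)[1]   # ns7.victim.example -> victim.example
            self.sent[parent_zone] += 2         # one A and one AAAA query (assumption)
        # Every NS name is unresolvable, so the client would get SERVFAIL;
        # the traffic already sent to the victim is what the attack is about.
        return None


def amplification(n_ns, client_queries, max_ns_fetch=None, randomize=True):
    """Queries hitting the victim's authoritative server per attacker query."""
    resolver = Resolver(max_ns_fetch)
    server = attacker_server(n_ns, randomize)
    for i in range(client_queries):
        resolver.resolve(f"q{i}.{ATTACKER_ZONE}", server)
    return resolver.sent[VICTIM_ZONE] / client_queries


if __name__ == "__main__":
    print("unpatched resolver, random NS names:", amplification(500, 10))
    print("resolver capped at 5 NS fetches:   ", amplification(500, 10, max_ns_fetch=5))
    print("fixed NS names, cache absorbs them:", amplification(500, 10, randomize=False))
```

The model deliberately ignores retries, timeouts and the NS lookups' own referrals, all of which make the real amplification larger, not smaller; the point it does show is that the cap on NS names chased per referral is what turns a per-query amplification of 2N into a small constant.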

Threats & trends

Looking back at the past three months, the very good news is that many of the cyberattacks we detected could have been prevented through basic cyber hygiene measures such as timely patching.

The bad news, on the other hand, is that we have seen reduced capacity to do so, caused by a limited workforce during short-time work.

With the global Covid-19 pandemic ongoing, organizations are expected to continue having a significant percentage of their staff working remotely and to use short-time work models to retain knowledgeable staff while operating with a reduced workforce. For IT security, this goes hand in hand with the predicted trend of malicious threat actors increasingly targeting unpatched vulnerabilities, some of them specifically going after remote workers through Citrix and Pulse Secure VPN vulnerabilities.