In 2020, cyber-criminals took advantage of the increased attack surface created by the impact of COVID-19 to launch a vast number of attacks. According to Security Boulevard, phishing attacks shot up 600% since the end of February and 80% of firms experienced an increase in cyber-attacks year on year.
Microsoft’s Digital Defense Report notes that attacks not only became more numerous in 2020, they also rapidly increased in sophistication, exploiting techniques that make them harder to spot.
The cost of cyber-attacks also increased this year. Ransomware attacks rose 148% in March alone and the average ransomware payment rose by 33% to $111,605 as compared to Q4 2019.
In cybersecurity, the stakes are higher than ever before. Businesses already facing serious economic challenges due to repetitive lockdowns cannot afford to take the financial hit of a ransomware attack or suffer the reputation damage and heavy fines that can accompany a data breach.
Possessing the most up-to-date skillset is no longer simply desirable for security professionals; it is essential if they want to stand any chance at all of defending their organization in the contemporary threat landscape.
In this special webinar, held on November 12 to mark CQURE’s 12th anniversary, Paula covers practical tactics that security pros can use to detect and mitigate threats in the year ahead.
The ease at which a phishing campaign can be created belies just how serious this growing threat can be to a company. In just a few clicks it can bring devastation to your network. Domain spoofing can be so sophisticated in modern phishing attacks that victims who click on a link and arrive at a malicious website often have no idea that they have been duped.
Using the Evilginx framework, Paula shows how easy it can be to spoof Office 365 login panel, which steals credentials, intercepts session tokens and redirects authenticated victim to legitimate page. Next, she demonstrates how a hacker can create a phishing email that appears to be sent from Microsoft Teams and use it to ensnare a victim who didn’t notice that the domain address was wrong.
In another variation of a phishing attack, Paula demonstrates how cyber-criminals can use an executable file created to simulate a UAC prompt to trick that user into giving up their credentials. Multi-factor authentication can be simulated to make the user think they have accessed a genuine website. An attacker can use the stolen credentials to access the user’s network, gain control over the DNS and replace content.
Phishing poses a grave threat to companies that are still working out how to secure their remote workforce. To mitigate attacks – the ones we are familiar with and also the new threats, businesses must introduce not only security tools, but also user training.
Attack surface reduction rules
Paula demonstrates an attack involving an Office macro in which every area of an Excel spreadsheet has been booby-trapped. A victim who clicks on what looks like a normal cell, unwittingly launches malicious code and causes a connection to the hacker. Malicious macros can also utilize other techniques to perform various attacks. Another example demonstrated during the webinar involves Process Hollowing, which can be used to bypass some security measures by executing the code in a memory address space of newly spawned child processes of Office application.
This attack could be prevented by restricting usage of macros, requiring digitally signed macros or implementing the attack surface reduction rules, which can greatly limit an attacker’s possibilities. The rules have certain identifiers, found in documentation by Microsoft, that you can use to specify what the policies do. For example, you can prevent certain API calls from working in macros by updating the policy. Just a few simple changes results in suspicious macros being detected.
If a malicious macro is detected by ASR, the operational log of Windows Defender can show you logged operations that have not been allowed due to the current policy. Enabling the attack surface reduction rules allows you not only to block malicious actions, but also detect them!
Attack surface reduction rules are a fantastic way to ensure that users, especially those who are working remotely and who do not have much cybersecurity knowledge, are protected from phishing attacks.
Using VPN pivoting, Paula demonstrates what it’s like to walk in the shoes of a hacker who is digging around in their target’s computer. Instead of connecting directly through VPN to the organizational network, the attacker uses VPN pivoting to connect to the target’s computer and reconfigure it to function as a proxy.
This attack could allow a hacker to interact with the VPN connection a user has established through the infrastructure. The activities of the hacker are difficult to detect as the traffic appears to be coming from the target’s computer.
Security professionals are facing another challenging year as lockdowns look set to continue and the digital economy is likely to keep increasing. Up-to-date skills are going to be just as crucial for those already working within the cybersecurity industry already as they are for newcomers and those who have had to switch careers as a result of COVID-19.