Covid-19’s impact on cyber security: malware, credential stuffing and brute force attacks

It is not groundbreaking to say that the COVID-19 pandemic has generated new and unique challenges for every single organisation and the cybersecurity industry. Working from home appears to be the ‘new normal’ and this, along with other pandemic-related changes, will have a massive impact on the types of data breaches we see and the cybersecurity space.  

As many companies move their employees from brick-and-mortar offices to remote working from home – the number of tasks, projects and sensitive data being traded and shared online and in cloud-based programs has catapulted into the stratosphere. And it does not look like employees want to return to the office with ONLY 9% of people in the UK saying that they want to go back to “normal” after the crisis has been fully dealt with. 

Unfortunately, in times of momentous change and overhaul in organisational practice, we often see cybercriminals lurking, waiting to capitalise on vulnerabilities for monetary gain (70% of breaches in 2021 were financially motivated).  

As a result, the reputation and operational state of organisations has never been at more risk. In today’s The Insider piece, we assess the impact of Covid-19 on the cyberthreat and response landscape.  

The most common cyberattacks during COVID-19 pandemic 

The general difference between cyberattacks pre-pandemic and cyberattacks during and post-pandemic, is the increased rate of attack and success for nefarious individuals. For instance, before the pandemic, a hacker may have blasted out a wave of phishing emails containing malware-infected links with the hope that someone working internally in an organisation will unwittingly open a back door for them. Here, the attack surface for the cybercriminal is the organisation’s data and services.  

Swiss.info data reveals that pre-pandemic Swiss companies saw an average of 100-150 cyberattacks a month. During the pandemic, this shot up to 350 cyberattacks a month! This included phishing attacks, fraudulent websites, and direct brute force attacks.  

As more organisations shifted focus to remote working, the attack surface opened as there are vulnerabilities in personal networks that an employee or their employer may not be aware of – especially at the start of the remote working push when mistakes were being made every day with lessons learned quickly.  

As the potential attack surface widened and vulnerabilities appeared more often, these common mistakes and cyberattacks also increased in occurrence: 

• Human error: Before the pandemic, 95% of cybersecurity breaches were caused by human error (World Economic Forum). As workers shifted to home working, increased disruption via unreliable personal networks, greater workloads, and in-house distractions naturally lead to more human error and far more cybersecurity breaches. Whereas an employee may have been extremely active in every decision in the workplace for fear of letting the office down, a laxer attitude to working practices was appearing in remote working conditions. 

• Malware: This CyNet report reveals that pre-pandemic, malware accounted for 20% of all cyberattacks. During the pandemic, this increased to 35%. This was because of hackers experimenting with machine learning services to navigate new and shifting environments and combining malware-infected links with sophisticated phishing through SMS and vishing (voice phishing). The most manipulated target for malware is Microsoft Office documents attached in emails with this tactic increasing in occurrence by 112% (Help Net Security).  

• Brute-force attacks: As employees began to operate on personal networks absent of the same security credentials as in-house workstations, IT security department had to figure out how to best protect company assets and data whilst the workforce accessed said data from out of the office. In the beginning, this increased the number of easy targets for cybercriminals as organisations found the best way to handle their data in a remote environment. RiskBased Security estimates that in 2021, during the pandemic, data breaches exposed over 22 billion records.  

• BYOD attacks: Deloitte data reveals that the average cost of a data breach resulting from remote working is $137,000. The average cost in this instance is high because of how many and how easy it has become for hackers to break into remote working systems. This is because small and medium-sized businesses sometimes use a ‘Bring Your Own Device’ (BYOD) protocol, which means employees are using personal devices to handle confidential corporate information. This does not have the same security level of a COPE (Corporate Owned Personally Enabled) device as the BYOD mentality does not consider ignored updates, neglected antivirus software and significantly weaker home Wi-Fi networks. BitSight reveals that home networks are three and a half times more likely than corporate networks to be affected by malware with some more specific malware software 20 times more likely to be found on a home network than a corporate one.  

• Phishing: When it comes to cybercrime, phishing has always been at the top of most common cyberattacks – the pandemic was simply a supercharged moment for phishing. In fact, 47% of individuals fall for phishing scams when working from home (Tessian). This Verizon Report details how phishing emails containing words such as “COVID,” “test,” “quarantine” and “vaccine” were widely shared during the pandemic. Verizon reports that these phishing emails played on the emotion we all felt at the time and saw a median click rate of 4.1% with some singular organisations seeing astronomical click rates of 50%. The Federal Trade Commission in the US received over 18,000 Covid related reports which totalled more than $13 million dollars lost to Covid fraud. Verizon also ran a phishing simulation on 16,000 people and found that almost three times as many people clicked on the Covid-19 phishing email compared to a regular phishing attempt. Cybercriminals were exploiting fears and worries for this period, as they are wanton to do.  

• Video conference attacks: Specific to remote working, we have seen an increase in cyberattacks on video conferencing services. More than 1 million people have been affected by a video conference attack where data such as names, passwords and email addresses were stolen and sold on the dark web. Hackers use a tool called “OpenBullet,” which parses video conferences for personally identifiable information in the software’s backend.  

• Credential stuffing: One of the ways the Covid-19 pandemic has widened attack surfaces for cybercriminals is through credential stuffing. Once a cybercriminal has gained confidential information such as a login or username through phishing or video conference attacks, they continue to cause serious disruption to businesses by using previously stolen information to gain access to even more accounts. As people are still reusing passwords, despite plenty of advice on the contrary, cybercriminals have gained access to multiple accounts and wreaked havoc.  

Cybercriminals are always looking to capitalise on distractions and individuals who they think are not equipped to handle their criminal advances. Covid-19 has only increased their potential to prey on fear and socially engineer individuals at the height of uncertainty for us a global community.  

The good news is that companies are increasing their cybersecurity focus because of increased cyber threats and risks during the pandemic. There is also a library of free resources and materials available to individuals who want a personal stake in combating cyber threats, especially when working from home.  

How to improve your cybersecurity culture in a post-pandemic world 

There are a few things both employees and organisations can do to improve their security and avoid drawing the eyes of sly cybercriminals. 

• Cyber awareness: Now that staff are no longer under in-office supervision or beholden to a tangible sense of office community and support, it is paramount that staff’s cybersecurity awareness is consistent, regular, and engaging. You want your staff to be briefed on best practices, your security protocols and how to behave properly in any given situation. This only comes from targeted training and development with a view to consistent deployment of resources, reminders, and tools to keep your employees on their toes. Remember, it is better to prepare for cyber threats than deal with the reputational and financial implications of a successful one.  
• Home Wi-Fi security: It is also vital that your employees are applying the same secure behaviours you ask of them on your platforms to their home wi-fi network. If a hacker finds their way into their home network, not only does this compromise every device connected to the same network, but it provides an easy backdoor for cybercriminals into organisational data.  
• Identify gaps during regular reviews: This should always be a recurring step in every security campaign but now more so than ever. CISOs (Chief Information Security Officers) and DPOs (Data Protection Officers) can do this using a tool like TSC’s SABR (Security Awareness and Behaviour Research), which is a survey based diagnostic tool that can provide insights into employee awareness, attitudes and approaches towards information and cyber security. Often it helps to have a third-party or a specialist consultancy carry out these reviews as it can be difficult to see any cracks from within or get employees to be truthful to their superiors about mistakes they have made. 
• Zero trust: The zero trust policy does not and should not be a go-to solution for every organisation. However, it may be pertinent to yours. In this security model, only authorised users and devices are given access to information. Access is not granted by default, which means that the size of an attack surface is shrunk, and should a breach occur, it will be easier to trace back to the source. Again, we reiterate that the zero trust model does not work for every industry and could, in some cases, be hindering red tape that slows down business.  

In Conclusion 

Before the pandemic, we started to see a shift in attitude towards cybersecurity. It was becoming perfectly clear to organisations, in the wake of big global attacks, that cybersecurity must be taken seriously. Now, post-pandemic, companies are becoming proactive in addressing cyber risks before threat actors turn their gaze towards them. 

""

If the pandemic has taught us anything in general, it is that those who are most prepared for the worst outcomes are the most successful dealing with the threat and any consequences. The capacity and knowledge needed to respond to cyberthreats needs to be on the agenda for executive discussions, if there is any desire to protect the reputational and financial value of a company.  

If you would like more information about how The Security Company can help deliver security awareness training for remote workers or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.