This month, Sophos released its annual report “Sophos 2021 Threat Report”, giving their take on how cyber security threats have changed over the last year. One thing is clear: the world has changed dramatically over the past year, but cyber threats continue to be the biggest threat in the digital landscape.
For those of you who aren’t familiar with the Sophos name, they’re one of the leaders in Cyber Security software and hardware. TSP uses Sophos endpoint protection software and firewalls to great effect – we haven’t had any successful large-scale cyber attacks on any TSP managed systems in our history.
We work hard to keep our cyber security record pristine, and keeping up to date on the increasing sophistication cyber attackers employ is a big part of that. Here are our biggest takeaways from the Sophos report, along with our experiences in cyber security during 2020.
Phishing and Wire Fraud Attacks are Getting More Sophisticated – but not Because of the Reason that you Think
Phishing attacks are still a very effective technique. This is where emails try to get an unsuspecting user to enter a regularly-used username and password into a website that looks like a trusted site (such as Google or Dropbox) but isn’t that site. The emails sent out utilize various techniques to entice people to click on the links, which take them to websites that emulate the look and feel of standard login pages from Google, Microsoft, Dropbox, and others.
Wire fraud attacks use similar techniques to leverage asymmetric power dynamics within organizations (otherwise known as “you always do what your boss says”) to trick users to transfer money to hacker’s accounts. Using publicly available information (such as titles and positions of people on company websites and LinkedIn,) hackers send an email to one person in a company with a set of emails that gets them to make purchases of gift cards or make transfers.
More advanced versions of these attacks leverage successful phishing scams to hack an email account and watch existing email traffic for wire transfer requests. This results in another email asking for the wire transfer account information to be changed (from a legitimate account to a burner account owned by the hacker.)
Here are just some examples of the phishing emails that we have received this year.
Seen on their own, each of these emails seems suspicious enough to avoid without question. However, we’ve seen that an increasing number of users are clicking on these emails. That’s not because the emails are getting any better – it’s because we’re being drawn in by what’s going on in the world around us.
Covid-19 as a Force-Multiplier in Attacks
As Sophos mentions in their third section, “COVID-19 as a Force-Multiplier In Attacks” (p.20), as the lockdowns spread across the globe in March, thousands of businesses were forced to set up new digital systems in a rush to work remotely. Millions of people saw signups to new services – everything from Zoom to Bill.com – as their previous in-office workflows moved to online paperless interactions. We saw dozens of new services invitations, with new ways of interactions on different online services being part of the “new normal.”
Beyond the business world, we all set up new accounts for online exercise, e-commerce, and video conferencing for our personal lives. With the sheer number of new accounts and services (Zoom went from 10 to 300 million daily users during the lockdown), we’ve all lost track of where we have digital identities. And let’s be honest, if someone emailed you an invitation with your boss’s name on it asking you to sign up for a new Google service, you’re more likely to click on it today than you were a year ago. Add this up across millions of remote workers, and hackers have had a field day with phishing and wire fraud attacks.
Bottom Line: Invest in phishing detection and security layers like Mimecast Email Security and Microsoft Advanced Threat Protection. Also, invest in digital security training for your users, which can set up remotely.
From Beachhead to Occupation: Your Armor is Patching Computers
At TSP, we seldom use the military jargon that often pervades cyber security marketing. One place where it does fit, though, is in describing the battle between hackers and your defenses. Hackers can leverage a small error that one employee makes to take over your entire business.
In the Sophos section titled, “Using your own strengths against you: Criminal abuse of security tools” (p.31), they describe how a phishing email can go from a single account into a business-disrupting event. Sometimes described as a “kill-chain,” this chart shows the series of techniques and tools used to go step by step from phishing attack to ransomware.
An attacker would use all of these techniques to work their way from initial access to impact. Starting with a phishing email that gives them access to one account, each step expands their ability to cause damage – as they move from one account to many or use tools to go from quietly monitoring to causing data loss or installing ransomware. Even completely legitimate pieces of software, like Teamviewer (used for remote access of systems,) can be part of the kill-chain.
One key takeaway from these diagrams is that almost all of them involve “Privilege Escalation,” a method of going from a staff account to an administrator of a system or server. “Privilege Escalation” allows hackers to do a lot more damage than a single employee account could do.
Common Vulnerabilities and Exposures
As you’ll see in our highlights in Figure 4, all of the privilege escalation methods refer to a CVE or Common Vulnerabilities and Exposures. These are all tracked by the National Vulnerability Database (NVD) published by the National Institute of Standards and Technology (NIST.) The NIST is a US government agency that highlights over 100,000 software bugs allowing the use of the software outside its intended purpose.
These software bugs represent an essential part of the kill-chain. Without using a CVE, an attack will primarily stick to a single non-administrative user, which means the damage is limited. They may be able to send emails out as one user, but they won’t be able to hack your business’s most critical server.
Good news is that CVEs represent software bugs that are almost always patched by the software maker. The bad news is that protection from CVEs only comes from regular patching of software. Everything from operating systems to applications like Adobe Acrobat and Flash are vulnerable to the most severe offenders of CVEs.
These techniques apply to Macs and Windows, and it’s the reason that TSP recommends all of our clients to have a weekly patch schedule, where IT communicates to users that computers will reboot and install updates on one evening a week. While sometimes annoying, these updates keep small hacks from turning into complete business disruption – and are well worth the annoyance.
Bottom Line: Forcing users to patch software is sometimes a pain. But it’s worthwhile to block small successful attacks from becoming business disruptions.
Reused Passwords – of any Length – are Hackable
With all of the techniques hackers use to get a foothold on networks, “cracking” or guessing a password remains one of the most effective. IT departments scrambled to give access to remote users in the early pandemic days of March and April. They frequently sidestepped security best practices to quickly give users access to systems that they needed for business to continue with everyone working from home.
This huge upswing in new account setups means two things: many users set up simple passwords for many of these new services, and many users used the same password on lots of different services. In the end, the threat of hackers cracking a password increased because of two factors. First, computing power continued to grow, giving hackers access to tools to guess passwords with increasing speed. Second, password reuse was widespread because people ran out of brain capacity to deal with multiple passwords amid a pandemic.
Hive Systems has calculated the time it would take for a hacker to crack a password on a system that they had direct access to (“Credential Access” on the Sophos kill-chain above in this shared infographic). Even for passwords with both upper and lowercase letters, if it’s less than ten characters long, the passwords are crackable within a day.
But even if you’ve patted yourself on the back for using a longer or more complex password, if you’re reusing the same password for multiple sites, then you’re not in the clear. You don’t have any control over whether or not that password gets found.
Just between January and July of 2020, there were 86 major incidents of usernames and passwords being hacked on services with millions of users, with more than 77 million logins exposed from those breaches.
Services like https://haveibeenpwned.com help anyone see if your email address – and possibly your passwords – have been exposed in a large scale data breach. If you continue to reuse passwords, the password you will use will eventually become part of the public record. So it’s always best to use a password manager, such as the one included in Google Chrome or iCloud, or the third party utilities LastPass and 1Password.
It’s impossible from a business standpoint to ensure that all of your users aren’t using passwords from other services to access your business-critical systems. Your defenses are two-fold: (1) using business versions of password managers like 1Password for Teams or LastPass for Business and (2) securing all of your services with multi-factor authentication (MFA). That ensures that even if someone were to get an employee password and that the employee used the same login in one of your business systems, they would not be able to log in without a further MFA code from a text or smartphone app.
Bottom Line: Use password managers like 1Password or LastPass, and make sure to use their features that allow you to create unique passwords per every site. Make sure your business uses Multi-Factor Authentication (MFA) for any critical services to protect your cyber security in 2021.
Macs are Still Safer than Windows, but They Need Protection
Over the years, many – including Apple – have spread the idea that Macs is more secure than Windows. While this is mostly true, it doesn’t mean that Mac users can be complacent. In years past, some brave Mac users considered this as a reason not to install anti-virus software or monitoring agents onto their machines.
Our experience has shown otherwise. Over the past year, we’ve manually cleaned 104 malware reports on Mac systems, and that doesn’t include the hundreds that were auto-cleaned by Sophos. In many cases, these infections were caught as “suspicious” software, which could have eventually evolved into a more harmful threat.
A recent analysis of Mac malware by Malwarebytes found that the prevalence of Mac-based malware and adware was growing faster than on the Windows side. However, the severity of the malware was less than on Windows.
Still, phishing attacks and wire fraud attempts are platform-agnostic. Their techniques are just as effective on Macs users as they are on Windows users, and with the prevalence of cloud-based services, any business running Macs needs to be just as vigilant as those running Windows.
Bottom Line: Users and companies using Macs need to put in all of the same protections as those running Windows. Running in the Apple ecosystem doesn’t make you immune to threats to cyber security in 2021.
The Covid-19 pandemic has forced businesses to evolve drastically in 2020, and with that evolution came more advanced threats to your business’s cyber security in 2021. Phishing scams and wire fraud are becoming more sophisticated and challenging to detect. A shift to remote working has left systems more open to patch vulnerabilities. The increase in passwords both in our business and personal lives has opened the door to hackers. All of this highlights the importance of focusing on and investing in cyber security in 2021 to protect your business and personal information.
For further insight, our Cyber Security Audit service can bring our cyber security expertise into your own business. Find out more and talk to our cyber security experts to understand what cyber risks you should be worried about most. Contact us today for a free tech audit and see how we can help protect your business and employees.