Fighting Cyber Threats In A Digitised World
The Federal Bureau of Investigation (FBI) in the US has reported a quadrupling of cyber attacks since the coronavirus pandemic began. Healthcare institutions have been particularly vulnerable to such attacks, especially those engaged in Covid-19-related research. Yet a Gartner-conducted survey revealed that most companies intend to keep at least 74 per cent of their employees in permanent work-from-home positions post-pandemic. In such a scenario, it is imperative that the world gets serious about fighting cyber threats.
With the pandemic-induced lockdown that saw employees compelled to work from home, cyber threats have increased several-fold. The Maze-induced malware attack at Cognizant may have grabbed headlines in the corporate world, but there have been hundreds of other breaches of cybersecurity in enterprises all over India and abroad, both small and large. Malware, or malicious software, may take the form of viruses, worms, spyware, ransomware, Trojan horses and so on.
Current scenario
During the pre-Covid-19 era, employees across companies were issued laptops and devices that had been checked and equipped with appropriate endpoint protection. The entire network architecture and the endpoint devices were periodically patched and checked for security lapses, since employees were operating within the office environment.
When the work-from-home rule was enforced at short notice with the pandemic raging across nations, companies were left with little time to issue cyber-safe devices. Hackers stepped in to make the most of these arrangements, making cyber attacks commonplace.
Ransomware attacks, experts believe, are now “the flavour of the season”. Ransom demands, though, have risen sharply. “From ransom amounts of US $800-900, ranging up to US $40,000 in the past, demands are now in the range of US $4,500 to as much as US $7 million,” explains Kumar Ritesh, head of Singapore-based Cyfirma and formerly in charge of MI6 cybersecurity operations. The nature of ransomware used has also changed. “In the past, an attack would see the malware come into your system and blindly aim at your files and folders. But now, one finds these attacks are only aimed at sensitive information such as agreements and MOUs, so as to be able to collect the maximum ransom. In case you refuse to, they threaten to exfiltrate and go public. The Maze ransomware attacks have seen a new way of monetising: they will release a subset of your files as a threat. Others may auction an entire file or folder,” he said.
There are some new varieties too, such as Emotet, which is unique in being a finance-driven malware that aims for financial data alone. Emotet can exploit the operating system once it is installed in your browser and exfiltrate financial secrets and confidential information, and it is currently the most popular malware going around, according to Ritesh. Maze Revrel ransomware is another malware that must be feared. “This works in three stages: it first gets installed into your system; then it searches and exfiltrates; and then it encrypts files and folders to demand a ransom.” The recent Cognizant attack, incidentally, was a Maze-driven one, though, as per company sources, not much sensitive data was lost. However, there have been several recent attacks using the same ransomware in which ransom amounts had to be negotiated and paid up. “A multinational legal firm handling the accounts of several celebrities was subjected to such an attack; they had to pay up lest sensitive information be put in the public domain. A transportation company in India and a retail giant had similar experiences too,” Ritesh informs.
However, even after paying a ransom, one may not be able to stop the files concerned from being released in public, as Sequretek CEO Pankit Desai warns. This would mean losing both the ransom amount and one’s files.
State-sponsored cyberterrorism
Of late, there has also been a spurt in state-sponsored cyber attacks, often traced to North Korea, and China, Desai warns. “In 2017, there was a cyber attack on the Hitachi switches of ATMs, wherein sensitive information related to 17 million financial transactions was compromised. The virus, in this case, exploited the vulnerability of the ATM switches to siphon off money. There was a similar assault on the Bank of Bangladesh using a four-day window, wherein official holidays were taken advantage of by hackers working from multiple international locations.”
Cyfirma has been at the forefront of tracing and countering some major threats in the past few months. Cyfirma’s data scientists tracked the North Korean state-sponsored Lazarus hacker group from June 1-16, 2020 and thwarted the group’s plans to launch a phishing campaign across the US, India, Singapore, Japan, the UK and South Korea. The campaign used emails relating to Covid-19 and the efforts being made by the respective governments, enticing individuals to take advantage of direct benefit transfers following testing.
In mid-June, Cyfirma intercepted an attempt by a Chinese hacking group (suspected to be Gothic Panda, which has links with the Chinese People’s Liberation Army) aiming to destabilise several Indian media and corporate giants, as well as the Ministries of Health, External Affairs and Information & Broadcasting.
Lockdown has made matters worse
Pankit Desai, who has been working with several Indian banks to strengthen cybersecurity through his firm, Sequretek, is especially critical of smaller establishments, which often prove sitting ducks for malware attacks, given the easy financial rewards involved due to huge transaction volumes and weak defences. The lockdown, he admits, has made matters worse. “In the last 10 months, there were 500 small and large incidents that we had to tackle. Of these, the last 10 weeks saw more than 40 per cent of such incidents.” Hence, he recommends a fool-proof strategy when employees are to work remotely.
“Every organisation needs to invest in creating awareness of malware attacks among its employees; these awareness programmes ought to be a continuous affair, rather than an annual ritual. It is also important to ensure that employees do not use their machines for any personal work. Although there is no silver bullet to cybersecurity, it is important to understand the external ecosystem and the vulnerabilities involved. We recommend backups for all sensitive data every eight hours. For remote employees, a single security control is not sufficient. There ought to be several layers or zones in one’s laptop, or containerisation. Every downloaded folder ought to be scanned on a real-time basis; these files ought to be confined to Zone I. In Zone II, the downloaded files ought to be scanned again, and then moved into Zone III.”
At the individual level, the modus operandi generally involves using spyware to survey a system and identify a target, and then delivering a Trojan horse. Once it is downloaded, the malware goes straight for the target through a phishing attack.
Such attacks are common on unsecured devices and show up as user-behaviour anomalies. To prevent them, he recommends investing in a good antivirus, and care when downloading files or opening mail. “Never use a Windows 7 or lower operating system for your machine; Windows 10 would be ideal. Never click on any suspicious mail; check the grammar of any mail received and it will be evident that the source is suspect. Right-clicking on the mail can reveal the source.”
In short, in the best interests of cybersecurity, the experts recommend:
- Enterprises should make sure that all devices (both company-issued and personal) that are being used to access the company’s network have updated security software with auto-enabled patching.
- Install a firewall, if one doesn’t exist. Options range from low-end to expensive ones. Review your firewall rules to ensure they are correct and no gaps exist. For every mobile user, create an access policy on the firewall. Secure the communication with VPN technology.
- Most firewalls have a VPN feature. Use it, or an open-source option. Use multi-factor authentication to ensure credentials cannot be abused.
- Enterprises can also implement geofencing to restrict traffic within their networks. Thus, if most employees working from home on a project are from Mumbai, the company can make sure that any IP address outside the city is not allowed into the environment.
- Make sure servers are patched and all recent vulnerabilities are fixed. This can be done by ensuring all operating systems and network devices are hardened, reviewing all applications and making sure that there are no loopholes that can be exploited. Enterprises can make use of vulnerability scanners like Burp Suite, Wireshark or Nmap, if need be, for this purpose.
Individuals, on their part, should:
- Look out for unsolicited emails
- Check for spelling or odd grammar
- Be wary of emails that carry a tone of urgency, luring you to act quickly before a super-duper deal expires
- Never divulge personal and financial information
- Always check with the respective government authorities if an email requires you to provide private information
- Be mindful of emails with attachments, links and log-in pages and pop-up windows.
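As an added example (not from the article or the experts quoted in it), here is a small Python triage script that checks a raw e-mail against the indicators in the list above, plus the “view the source” check from earlier in the piece (a Reply-To domain that differs from the From domain). The phrase lists, the sample message and the example.com domains are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase lists are this example's own assumptions, built from the article's checklist.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|expires? (today|soon)|act now|final notice)\b", re.I)
SENSITIVE = re.compile(r"\b(password|account number|card number|cvv|otp|pin|aadhaar)\b", re.I)
ANCHOR = re.compile(r'<a[^>]+href="(https?://[^"]+)"[^>]*>([^<]*)</a>', re.I)
def link_domain_mismatch(html):
    """True when a link's visible text names a domain other than the one its href points at."""
    for m in ANCHOR.finditer(html):
        href_host = (urlparse(m.group(1)).hostname or "").lower()
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", m.group(2), re.I)
        if shown and shown.group(0).lower() not in href_host:
            return True
    return False
def triage(raw_mail, known_sender_domains):
    """Return the phishing indicators found in one RFC 822 message (empty list = none found)."""
    msg = message_from_string(raw_mail)
    sender = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].split("@")[-1].lower()
    body = ""
    for part in msg.walk():  # handles both single-part and multipart mail
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", errors="replace")
    findings = []
    if sender not in known_sender_domains:
        findings.append("unsolicited sender")
    if reply_to and reply_to != sender:  # the kind of thing 'viewing the source' reveals
        findings.append("reply-to domain differs from sender")
    if URGENCY.search(body):
        findings.append("urgent tone")
    if SENSITIVE.search(body):
        findings.append("asks for personal or financial data")
    if link_domain_mismatch(body):
        findings.append("link text hides a different domain")
    if any(part.get_filename() for part in msg.walk()):
        findings.append("carries an attachment")
    return findings
# Constructed sample message (not real mail); domains are reserved example names.
PHISH_MAIL = """From: "Covid Relief Desk" <relief@gov-benefits.example.com>
Reply-To: claims@payout-portal.example.net
Subject: URGENT: direct benefit transfer awaiting confirmation
Content-Type: text/html

<p>Your relief payment expires today. Confirm your account number and OTP at
<a href="http://payout-portal.example.net/verify">https://benefits.gov.example.com/verify</a> immediately.</p>
"""
```

Calling `triage(PHISH_MAIL, {"corp.example.com"})` returns five indicators for the constructed message; a routine helpdesk notice from a known domain returns none.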