Remote Attacks on Cloud Service Targets Rose 630% Amid COVID-19
As noted in recent federal agency alerts, McAfee confirms hackers are continuing attempts to exploit the COVID-19 pandemic with remote attacks on cloud services increasing by 630 percent.
A recent McAfee report confirms that cybercriminals have been steadily working to exploit the increase in remote work during the COVID-19 pandemic, with researchers finding that remote attacks on cloud service targets increased by a whopping 630 percent during the first four months of 2020.
Researchers analyzed data from 30 million McAfee cloud customers worldwide across all sectors, including healthcare, for its Cloud Adoption & Risk Report to determine the impact of the coronavirus on the cloud environment.
Overall, healthcare is the second most targeted industry by external cloud threats, with a total of 198 million detected malicious IPs used from China, Iran, and Russia. Recent federal alerts have shown Russian hackers have been targeting vulnerable email servers, while hackers tied to the People’s Republic of China have been targeting COVID-19 research and medical data.
In total, McAfee found the use of cloud services increased by 50 percent between January and April, while use of collaboration services rose by 600 percent.
Hackers have followed suit, increasing their attacks on these platforms by more than 600 percent with the greatest concentration on collaboration services like Microsoft 365.
These attacks fall into two categories: excessive usage from an anomalous location and “suspicious superhuman.” The first type begins with login attempts from a location not previously detected and anomalous to the user’s organization. The hacker then “initiates high-volume data access and/or privileged access activity.”
McAfee described suspicious superhuman attacks as login attempts from more than one geographically distant location, “impossible to travel to within a given period of time.”
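To make the two detection categories concrete, the following is an added example (not code from the McAfee report) that runs both checks over a handful of constructed cloud login events: an “impossible travel” check that flags consecutive logins by the same user whose implied speed exceeds what an airliner could cover, and an anomalous-location check against a per-user set of known countries. The event fields, the 900 km/h threshold, and the known-country map are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def superhuman_logins(events, max_kmh=900.0):
    """Flag a login whose implied travel speed from the same user's previous login
    exceeds max_kmh (roughly airliner speed), i.e. the location change is "impossible"."""
    flagged, last = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                flagged.append((e.user, prev.country, e.country, round(km)))
        last[e.user] = e
    return flagged


def anomalous_location_logins(events, known_countries):
    """Flag logins from a country not in the organization's known set for that user."""
    return [e for e in events if e.country not in known_countries.get(e.user, set())]


# Constructed sample events (not from the report): alice logs in from London and 90
# minutes later from Singapore; bob logs in from New York and four hours later from Chicago.
SAMPLE_LOGINS = [
    Login("alice", datetime(2020, 4, 1, 9, 0), "GB", 51.5074, -0.1278),
    Login("alice", datetime(2020, 4, 1, 10, 30), "SG", 1.3521, 103.8198),
    Login("bob", datetime(2020, 4, 1, 8, 0), "US", 40.7128, -74.0060),
    Login("bob", datetime(2020, 4, 1, 12, 0), "US", 41.8781, -87.6298),
]
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"US"}}  # assumed per-user baseline

if __name__ == "__main__":
    for hit in superhuman_logins(SAMPLE_LOGINS):
        print("suspicious superhuman:", hit)
    for e in anomalous_location_logins(SAMPLE_LOGINS, KNOWN_COUNTRIES):
        print("anomalous location:", e.user, e.country, e.ts)
```

Only alice’s second login trips both checks; bob’s New York to Chicago move in four hours is well under the speed threshold and stays within his known country.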
However, internal and insider threats have remained at the same levels as before the crisis began. Researchers explained that this likely means that employees are not attempting to steal more data just because they’re working from home.
In fact, most of the attacks detected by McAfee during the analyzed timeframe were external and cloud-native, directly targeting cloud accounts.
Concerningly, enterprise cloud use from unmanaged devices has doubled during the crisis, which has served to expand the threat landscape when users access cloud services from outside of the enterprise managed networks.
“There’s no way to recover sensitive data from an unmanaged device, so this increased access could result in data loss events if security teams aren’t controlling cloud access by device type,” researchers explained.
Meanwhile, the infrastructure of virtual private networks (VPNs) – used to securely connect remote computers to the enterprise network – has been struggling to support the drastic increase in remote employees. Many organizations are still using a “hub-and-spoke” network to route cloud traffic, rather than leveraging more modern platforms that connect directly through the cloud.
Further, data shows that employees will always choose the fastest and easiest method, rather than the most secure.
“Threat actors have redoubled their efforts to exploit the distractedness and sudden changes wrought by the world’s response to the pandemic,” researchers explained. “There are important changes needed to implement new delivery models for security in a distributed, work-from-home environment.”
“However, the data shows that the increased risk of cloud-native threats brought by threat actors targeting cloud services far exceeds the risk brought by changes in behavior by employees simply working in a new, remote location,” they added.
To mitigate some of these risks, McAfee recommended organizations ensure they’ve implemented a cloud-based secure web gateway designed to protect against web-based threats without routing through a VPN.
Further, employees should be allowed to connect to sanctioned cloud services from a corporate device without using a VPN. Rather, data should be protected with a cloud access security broker, an on- or off-premise tool that monitors all cloud activity and enforces security policies of the enterprise.
Administrators should ensure the tool includes device checks and data controls, and that SaaS accounts are protected from hackers able to reach them directly from the internet.
As repeatedly stressed by federal agencies and security researchers, multi-factor authentication should be employed where applicable to reduce the risk that stolen credentials could be used to access accounts.
Employees can be allowed to use their personal device to access corporate SaaS applications, but access should be conditional when it comes to sensitive data stored in the cloud.
“Securing a remote workforce shifts the major security control points to the device and cloud,” researchers concluded. “A cloud-native approach to delivering security will provide the most complete coverage, capable of reaching devices off-network and connecting to cloud services directly.”
Healthcare organizations should also review cloud insights from the Department of Homeland Security and the National Security Agency to bolster defenses.