Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/15/2021
12:05 PM
50%
50%

Successful Malware Incidents Rise as Attackers Shift Tactics

As employees moved to working from home and on mobile devices, attackers followed them and focused on weekend attacks, a security firm says.

Companies relaxed security controls to help employees to be productive during the coronavirus pandemic, leading attackers to shift their tactics and take advantage of the chaos caused by remote work, according to a report published by cloud security firm Wandera on Jan. 15.

Compared with pre-pandemic times, employees were twice as likely to connect to inappropriate content during work hours and more likely to continue accessing email after being compromised with mobile malware, the company states in its "Cloud Security Report 2021." As a result, attackers shifted attacks to the weekends, and 41% more organizations experienced a malware infection on an employee's remote device.

Related Content:

As Remote Work Becomes the Norm, Security Fight Moves to Cloud, Endpoints

Special Report: Understanding Your Cyber Attackers

New From The Edge: Understanding TCP/IP Stack Vulnerabilities in the IoT

The data underscores that as companies adapted to the realities of the pandemic, attackers sought out weaknesses exposed by the new work arrangements, says Michael Covington, vice president at Wandera.

"Most organizations really had to focus on keeping people being productive, and that meant you had to peel back the policies, and just make it easier for people to get into their applications, to use their devices, and feel empowered, because IT wasn't available to physically go to workers and help them out," Covington says.

The shift in tactics allowed attackers to shift the way they tried to infect those workers in order to catch them when they were at their least vigilant.

For example, while attack trends in previous years showed attackers generally targeted users on weekdays to catch them working from their office environment, when most employees moved to working from home, attackers began shifting to weekend attacks. At their peak, Wandera's data shows that 6% more attacks happened on Saturdays than any other day, the report states.

"That shift is really interesting because it starts to show the new reality of the work device truly morphing into a work-and-personal device," Covington says. "When you don't leave the house anymore, the phishing events and social engineering events — the ways that attackers get into organizations — are not just happening in the context of business email anymore."

Others have noted the impact of the move to remote work on security. In September, a survey of CIOs found that 76% of the executives were worried that content sprawl put company data at risk. An earlier survey found that about six in 10 workers were using personal devices to work from home, and most of them considered the devices to be secure.

Wandera found a similar set of impacts from the move to remote work, with many employees behaving differently. Because workers traveled less, they were about half as likely to use a risky Wi-Fi connection for work. And because personal time and work time blended together, a single device had a greater blend of business and personal applications, says Covington.

"Honestly, they were looking to kill time," he says. "The types of apps that we installed on work devices this year, we would not have typically seen installed. A lot of games and a lot of productivity tools."

The result was predictable: More than half of organizations, 52%, experienced a malware incident on a remote device, up from 37% in 2019, according to the report.

Many analysts — such as PricewaterhouseCoopers — have indicated that the move to remote work will last long after the pandemic ends. Wandera's Covington expects that as well because most organizations and workers believe the greater flexibility has improved their approach to work, he says.

"Everything I'm hearing from people is that their users are happier," he says. "Their users like being personally enabled, like having a choice in applications that they download and use, so I suspect we are going to see more of that."

For that reason, companies need to put a greater focus on security controls for remote workers. One of the best ways to do that, and support the enablement of workers, is to train them in security and make them part of the equation, Covington says. 

The company found some indications that workers are taking responsibility for their security. In 2020, for example, only half as many devices — 3% — had their lockscreens disabled, and only 4% used a risky hotspot in any given week, down from 7% in 2019.

"Culturally, we need to change," he says. "A lot of organizations punish workers if they fall victim to a phishing attack or social engineering attack. We are at the point that we need to acknowledge that these attacks are pretty darn good, and we need to embrace workers as part of the solution."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21302
PUBLISHED: 2021-02-26
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2
CVE-2021-21308
PUBLISHED: 2021-02-26
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in 1.7.7.2
CVE-2021-21273
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key va...
CVE-2021-21274
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to...
CVE-2021-23345
PUBLISHED: 2021-02-26
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.