CERT-EU is the computer incident response team for EU institutions, bodies, and agencies. In addition to hands-on incident response, we also provide our constituents with information on cyber threats that they have been subjected to or that may become important in the foreseeable future.
When EU CyberNet asked me to write about the current cyber threat environment as seen from the point of view of the EU institutions, bodies, and agencies, one topic stood out immediately: the last year has been dominated by COVID-19. The coronavirus plays an important role even in cyberspace. The threat of the virus and the drastic measures taken globally to stop its spread have left their mark on everything, including cybersecurity. Data related to COVID-19 research, the development and approval procedures for vaccines, distribution and cold-chain logistics – all of this is of deep interest to data thieves and espionage agencies. Online fraud attempts and the phishing messages we see every day now often involve the topic of COVID-19 in one way or another.
The increased number of employees working from unsecured home networks is an additional favour COVID-19 has done to malicious hackers. Numerous companies expect employees to use their own computing devices when working from home, leaving the security settings to the judgement of the user. At the risk of overusing an old proverb, a chain is only as strong as its weakest link. An unconfigured, mismanaged, or neglected home computer connecting to a corporate environment can easily end up being that link.
Working from home requires that employees have access to an up-to-date and properly configured Virtual Private Network (VPN) service. Anecdotal evidence shows that many institutions and companies were, and still are, woefully unprepared for this. At the time of writing, numerous companies are still not using multi-factor authentication (MFA) for their VPN access. This has led to cases where cyber threat actors, be they criminally motivated or cyber-spies, simply log on to corporate networks with a valid username and password combination. How they obtain the credentials is not always immediately clear, but most probably they are phished or harvested from compromised workstations or mobile devices. Most of these intrusions would have failed at the log-on step if the VPN required a second authentication factor, such as a one-time code generated by a hardware token or a mobile app.
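As an added illustration (example code written for this page, not CERT-EU's tooling), the following Python script scans VPN authentication log lines for the two signals the paragraph above describes: sessions established with a password alone, and one account logging on from several source addresses within a short window, which is what credential reuse by an intruder often looks like. The log format, field names, user names and IP addresses are constructed for the example and do not correspond to any particular VPN product or real event.

```python
"""
Added example, not from the original article: spot password-only VPN
log-ons and accounts that log on from several addresses in a short window.
The log format and all sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. One line per authentication attempt:
#   <timestamp> login user=<name> src=<ip> result=<success|failure> factors=<comma list>
SAMPLE_LOG = """\
2020-11-02T08:01:10Z login user=alice src=203.0.113.10 result=success factors=password,totp
2020-11-02T08:03:44Z login user=bob src=198.51.100.7 result=success factors=password
2020-11-02T08:05:02Z login user=bob src=192.0.2.55 result=success factors=password
2020-11-02T08:09:30Z login user=carol src=203.0.113.22 result=failure factors=password
2020-11-02T09:15:00Z login user=dave src=198.51.100.90 result=success factors=password
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a datetime and a set of factors."""
    ts, _event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["factors"] = set(rec["factors"].split(","))
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def single_factor_logins(records):
    """Successful log-ons where the password was the only factor presented.

    Once MFA is enforced on the VPN this list must be empty; anything in it
    is a session an attacker could have opened with a phished password alone.
    """
    return [r for r in records
            if r["result"] == "success" and r["factors"] == {"password"}]


def multi_source_accounts(records, window_minutes=30):
    """Accounts with successful log-ons from more than one source address
    within `window_minutes` of each other. Returns {user: sorted list of IPs}.

    A legitimate home worker rarely changes public IP within minutes; a
    second address usually means someone else is using the same credentials.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]].append(r)

    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            # Every later log-on that falls inside the window starting at `first`
            srcs = {x["src"] for x in recs[i:]
                    if (x["ts"] - first["ts"]).total_seconds() <= window_minutes * 60}
            if len(srcs) > 1:
                flagged[user] = sorted(srcs)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in single_factor_logins(recs):
        print(f"password-only VPN session: {r['user']} from {r['src']} at {r['ts']:%H:%M:%S}")
    for user, ips in multi_source_accounts(recs).items():
        print(f"credential reuse suspected: {user} logged on from {', '.join(ips)}")
```

Run against real VPN logs, the first check is a compliance test of the MFA rollout described above; the second catches the pattern of a valid username and password being used from somewhere the employee is not.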
However, MFA is no panacea and needs to be combined with common sense. We can call it cyber hygiene. Cyber hygiene encompasses not clicking on links that arrive in unexpected e-mails, not installing software from dubious sources, not storing multiple MFA components (such as passwords and software tokens) on the same computer, where a single compromise captures both factors, and so on. A few significant cyber break-ins CERT-EU has witnessed recently were the result of lapses in cyber hygiene and would have been far less trivial to carry out if users had employed more common sense.
Turning to other dominant threats, in early 2019 it looked as if cryptojacking was going to oust ransomware from the top position as the easiest way to monetise a compromise. Cryptojacking happens when criminals gain access to targets of opportunity and deploy cryptomining software to monetise the computing resources of the victim machine. That trend was only temporary, however, as ransomware has since grown into big business. This is aided by several new tactics. First of all, ransomware authors are running affiliate programs. Previously, when a malicious hacker had compromised the infrastructure of a company, it was relatively difficult to monetise that access. One could steal some sensitive information and try to sell it on, or reveal the breach to the affected company and hope for some sort of reward. Things are much better now for the criminally minded, because affiliate programs allow them to use ransomware as a service: the affiliate deploys it on victim systems and splits the profits with the people running the service.
Another new tactic is to exfiltrate a copy of the victim's files before encrypting them. Should the victim refuse to pay the ransom, these files are then sold to the highest bidder or published on a dedicated leak site. The threat of this serves as additional motivation for the victims to pay up, since restoring from backups no longer makes the problem go away.
Trying to predict the future is always a risky undertaking. However, I am quite confident that in the near future the ongoing COVID-19 pandemic is going to fuel both criminal and espionage activities online. The upcoming vaccination campaigns will add another twist to this trend, with espionage actors trying to find out details of vaccine composition, production, and distribution, and cybercriminals exploiting the topic in any way they can. There is a chance that cybercriminals will conduct what will look like espionage operations, aiming to steal COVID-19 or vaccine-related information in order to pass it on for financial profit.
Unfortunately, ransomware is also here to stay, at least in the foreseeable future. Ransomware operators will come up with ever more ingenious ways to “persuade” victims to pay up, forcing the victims to make hard and unpleasant choices between losing their data or paying the ransom, and spurring the growth of niche industries such as ransomware insurance.
The author expresses his personal views in this article.