Coronavirus lockdown sees malicious activity on organisational networks triple in the UK and double in the US as staff move outside the corporate firewall
The number of potentially compromised organisational networks in the UK rose by more than 300 percent from January to March, according to security researchers, who said the figures reflect the massive shift to people working remotely over virtual private networks (VPNs).
Finland-based Arctic Security found sharp increases in the number of potentially compromised networks in nine European countries from January to March, as shelter-in-place orders took hold.
Arctic Security detected fewer than 4,000 potentially compromised networks in the UK in January, compared to more than 12,000 detected during the month of March.
The networks were sending out malicious traffic, such as botnet traffic or scans for vulnerable systems, indicating that some systems on the network may have been compromised by hackers.
Most of the malicious activity detected was scanner traffic, followed by botnet traffic and traffic used for distributed denial of service (DDoS) attacks, Arctic Security said.
In March, Arctic found the largest number of potentially compromised networks in the UK, followed by Italy and the Netherlands.
In January and February Italy led the list, followed by the UK and the Netherlands.
The number of potentially compromised networks in the US more than doubled during the same time period, rising from fewer than 20,000 to more than 40,000.
Arctic, which used network-level data from US-based Team Cymru as the basis for its study, said the figures seem to have risen in part because of the rise in staff working outside organisational firewalls, while linked to corporate networks via a VPN.
Such firewalls can prevent compromised systems from sending malicious traffic to the internet, but that barrier is lacking when the system is linked over a VPN.
“When employees are in the office, it seems as though the corporate firewalls function like dams blocking malware-infected machines trying to connect out to the internet either for command and control or to further compromise other vulnerable machines on the internet,” Arctic said in an advisory.
The company compared VPN connections to “digging a ditch to the side of that dam”.
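The three traffic classes Arctic names above (scanner, botnet, DDoS) are behavioural patterns in outbound flows, and the dam-and-ditch picture is the reason a defender only sees them when the remote host's traffic passes a point they monitor, such as a VPN that routes all traffic back through the corporate egress or telemetry from the endpoint itself. The following Python is an added example, not code from the article or from Arctic Security's or Team Cymru's tooling: it applies simple per-source heuristics to flow records (timestamp, source, destination, port, bytes) to flag scan-like, beacon-like and flood-like behaviour. The flow records and the thresholds are constructed for illustration and would need tuning against real traffic.

```python
"""Heuristic classification of outbound flows from remote endpoints.

Added example; not part of the article or of any vendor's product.
All flow records below are constructed, using RFC 5737 test addresses.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Thresholds are assumptions for this example, not values from the article.
SCAN_MIN_TARGETS = 20       # distinct dst:port pairs touched by one source
SCAN_SINGLE_RATIO = 0.9     # share of targets contacted exactly once
BEACON_MIN_COUNT = 6        # repeated connections to one dst:port
BEACON_MAX_JITTER = 0.2     # coefficient of variation of inter-arrival gaps
FLOOD_MIN_FLOWS = 200       # flows to one dst:port within the record window
FLOOD_MAX_MEAN_BYTES = 200  # small payloads typical of volumetric floods


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since start of the capture window
    src: str         # remote endpoint (e.g. VPN-assigned address)
    dst: str
    dport: int
    bytes_out: int


def classify_source(flows):
    """Return the set of behaviour labels for one source's outbound flows."""
    labels = set()
    by_target = defaultdict(list)
    for f in flows:
        by_target[(f.dst, f.dport)].append(f)

    # Scanner: many distinct targets, nearly all touched exactly once.
    if len(by_target) >= SCAN_MIN_TARGETS:
        singles = sum(1 for v in by_target.values() if len(v) == 1)
        if singles / len(by_target) >= SCAN_SINGLE_RATIO:
            labels.add("scanner")

    for tflows in by_target.values():
        times = sorted(f.ts for f in tflows)
        n = len(times)
        # Flood: very many small flows to a single destination.
        if n >= FLOOD_MIN_FLOWS and mean(f.bytes_out for f in tflows) <= FLOOD_MAX_MEAN_BYTES:
            labels.add("ddos")
            continue
        # Beacon: repeated connections at near-constant intervals (C2 check-in pattern).
        if n >= BEACON_MIN_COUNT:
            gaps = [b - a for a, b in zip(times, times[1:])]
            m = mean(gaps)
            if m > 0 and pstdev(gaps) / m <= BEACON_MAX_JITTER:
                labels.add("botnet")
    return labels


def classify(flows):
    """Group flows by source and classify each source independently."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return {src: classify_source(fs) for src, fs in by_src.items()}


def build_sample():
    """Constructed flow records: one benign host and one host per behaviour."""
    flows = []
    # Benign: a handful of irregular HTTPS sessions of varying size.
    for i, (t, size) in enumerate([(0, 4200), (37, 15000), (95, 800), (400, 32000)]):
        flows.append(Flow(t, "10.8.0.11", f"198.51.100.{10 + i}", 443, size))
    # Scanner: one small SMB probe to each of 30 different hosts.
    for i in range(30):
        flows.append(Flow(100 + i * 0.5, "10.8.0.12", f"198.51.100.{100 + i}", 445, 60))
    # Beacon: small connection to the same host every 300 seconds.
    for i in range(10):
        flows.append(Flow(i * 300.0, "10.8.0.13", "203.0.113.5", 443, 120))
    # Flood: 250 tiny flows to one web server in 2.5 seconds.
    for i in range(250):
        flows.append(Flow(50 + i * 0.01, "10.8.0.14", "203.0.113.77", 80, 64))
    return flows


if __name__ == "__main__":
    for src, labels in sorted(classify(build_sample()).items()):
        print(src, sorted(labels) or ["no finding"])
```

The beacon heuristic will also fire on legitimate periodic traffic (update checks, monitoring agents), so in practice the labels are triage hints to be joined with destination reputation and process telemetry, not verdicts. The point the example makes about the article's architecture observation is that none of these checks can run at all on traffic that leaves a VPN-connected laptop directly, outside the corporate egress path.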
The figures show that “criminals have control over resources at an increased number of victim organizations”, said Arctic chief executive David Chartier.
Financial sector targeted
VMware Carbon Black found that between 4 February and 7 April there was a 70 percent increase in remote work.
The company found that ransomware attacks had spiked on days when critical coronavirus-related news was released, suggesting attackers are “being nefariously opportunistic and leveraging breaking news to take advantage of vulnerable populations”.
In March ransomware attacks were 148 percent over February’s levels, with the biggest spikes on 29 February and 1 March, the first being a day that multiple US states declared public health emergencies, and the second the day that the first Covid-19 death was announced in the US.
Financial organisations were the most heavily targeted by cyber-attacks in general, with a 38 percent increase in attacks on the sector from February to March, while retail shrank from 31 percent of observed threats in February to just 1.6 percent in March.
In March, 52 percent of all cyber-threats targeted financial institutions, which Carbon Black said was an “unprecedented anomaly” in its threat tracking data.
Healthcare is normally in the top three of targeted sectors, but in March dropped to the seventh most targeted industry.
Of the attacks on the financial sector, 70.9 percent used the Kryptik trojan, one of the tools used during an attack on Ukraine’s power grid in late 2015.
“Increased vigilance and visibility into enterprise-wide endpoint activity are more paramount than ever,” Carbon Black said in its advisory.