
Alex Smirnoff,

Glanc, Ltd

The Quarantine Report

CYBERSECURITY IMPACT ASSESSMENT OF COVID-19 OUTBREAK


FOR PUBLIC RELEASE -- COURTESY OF ACRONIS GmbH
The Quarantine Report: Cybersecurity Impact of COVID-19 2020

Executive summary

Despite numerous claims from information security vendors, there is no clear evidence that
the worldwide COVID-19 quarantine can be reliably associated with a significant outbreak of
cyber-attack activity. Work-from-Home and remote access have changed the attack surface. Yet
we do not see definite signs of elevated activity, either from APT groups or from
opportunistic adversaries (which does not mean there is no increase at all: the most
sophisticated attacks may take months to uncover). However, cybercriminals actively exploit
the COVID-19 situation in the context of social engineering and phishing attacks, in the same
way they would for any "hot" news; the general economic recession inevitably reduces
information security budgets, and the need to adapt quickly to a major infrastructure shift
poses a danger of errors and short-sighted decisions. On the positive side, ubiquitous Work-
from-Home is a promising driver for reconsidering corporate information security
requirements and adjusting strategy. I expect a better focus on users' security awareness
education and a speed-up in the adoption of the Zero Trust approach to be among the long-term
positive shifts.

Attack surface changes


Strategic approach: embracing zero trust

Zero Trust is a concept of authorizing access on a per-application basis with the minimal
necessary privileges, taking into account as many relevant trust factors as possible. It
has been around for a while, and it is not something you can magically deploy as a turn-key
solution: it requires long-term planning and a slow transition; thus, we see a steady increase of
interest but no quarantine-related spikes.

Figure 1 -- Google Trends for Zero Trust, April 2019 -- April 2020

The Zscaler survey reports that 15% of respondents have already adopted a Zero Trust solution for at
least some specific use cases, and 78% are looking to do so
(https://www.zscaler.com/resources/industry-reports/zero-trust-adoption-report-
cybersecurity-insiders.pdf). Gartner believes that 60% of companies will phase out VPN in
favor of Zero Trust by 2022, and the Zscaler report is entirely consistent with this estimate.


The quarantine practically debunked two ubiquitous examples of wishful thinking in securing
user access:

1. The big, “flat” “office” network is safer and more secure than a typical home network.
Maintaining a “perimeter” to keep the bad guys outside is the key.

2. Active Directory membership for the workstation, centrally managed antivirus, and
password complexity policies are necessary and sufficient for endpoint security.

With almost everyone working from home, the “perimeter” has been proclaimed officially dead. And
it is a good thing for everyone, because it had already been defunct for a while: according to
Rapid7’s report (https://www.rapid7.com/resources/rapid7-efficient-incident-detection-
investigation-saves-money/), 70% of breaches originate on endpoints, and lateral movement
by means of Active Directory is a typical next step for an attacker.

Now we have first-hand experience confirming that if we move users en masse out of
the environment that was groundlessly considered “safe”, we see no significant
difference.

There is no full consensus about what exactly “Zero Trust” is from the technology
perspective. In essence, every security vendor has its own view; for instance, while most of them imply
that at a certain point there will be no need for a VPN, Cisco sees its VPN client (or, “more
than VPN” as they put it) as one of the crucial technologies. Regardless of the technology
stack used, there are two foundational principles common to all implementations:
there should be unified fine-grained application-level access control on the server side, and
hardware-backed credential storage on the client side to provide strong authentication.
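The two principles above (per-application decisions, minimal privileges, several trust factors weighed per request, deny by default) can be made concrete in a few lines. The following is an added illustration, not code from the report or from any Zero Trust vendor; the policy table, the role directory, the application names and the trust factor names (`mfa`, `hw_backed_key`, `device_managed`) are constructed assumptions for the example.

```python
"""Per-application, factor-based access decision.

Added illustration: the policy table, role directory and trust-factor names
below are constructed for the example and do not come from any vendor's API.
"""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    app: str
    requested: set                                # privileges the client asks for
    factors: dict = field(default_factory=dict)   # trust factors asserted by the broker


# One entry per application; applications not listed are denied by default.
# "require" lists the trust factors the client must present; "roles" caps the
# privileges each role may hold on that application.
POLICY = {
    "payroll": {
        "require": {"mfa": True, "hw_backed_key": True, "device_managed": True},
        "roles": {"hr": {"read", "write"}, "staff": {"read"}},
    },
    "wiki": {
        "require": {"mfa": True},
        "roles": {"hr": {"read", "write"}, "staff": {"read", "write"}},
    },
}

# Constructed directory lookup: user -> role.
ROLE_OF = {"alice": "hr", "bob": "staff"}


def decide(req):
    """Return (allowed, granted_privileges, reasons).

    Every required trust factor must match exactly; the granted set is the
    intersection of what was requested and what the role may hold, so the
    client never receives more than it asked for or more than policy allows.
    """
    reasons = []
    app_policy = POLICY.get(req.app)
    if app_policy is None:
        return False, set(), ["no policy for application %r" % req.app]

    for factor, expected in app_policy["require"].items():
        if req.factors.get(factor) != expected:
            reasons.append("trust factor %s not satisfied" % factor)

    role = ROLE_OF.get(req.user)
    if role is None or role not in app_policy["roles"]:
        reasons.append("user %r has no role on %r" % (req.user, req.app))

    if reasons:                       # any failed check denies the whole request
        return False, set(), reasons

    granted = req.requested & app_policy["roles"][role]
    dropped = req.requested - granted
    if dropped:                       # least privilege: trim, and say why
        reasons.append("privileges not granted: %s" % sorted(dropped))
    return bool(granted), granted, reasons


if __name__ == "__main__":
    strong = {"mfa": True, "hw_backed_key": True, "device_managed": True}
    for req in (
        AccessRequest("alice", "payroll", {"read", "write"}, strong),
        AccessRequest("alice", "payroll", {"read"}, {"mfa": True}),
        AccessRequest("bob", "payroll", {"read", "write"}, strong),
        AccessRequest("bob", "mail", {"read"}, strong),
    ):
        print(req.user, req.app, decide(req))
```

The point to notice is that the decision is made per application and per request, not once at a network border: the same user with the same password is refused payroll access from a device that cannot present the hardware-backed key, and a role that only needs read access never receives write, even when it asks for it.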

Remote access methods and security implications


VPN is here to stay, and RDP, despite being one of the leading security
risks, is not likely to be abandoned either. Both show considerable
growth during the quarantine period (reversing the general trend of VPN
to gradually decline as we have seen it during the whole Y2019).


Figure 2 -- Number of observed RDP endpoints, from June 2017 to the end of March 2020. It is particularly interesting to see major growth at
the most unexpected moment, summer 2019, when multiple warnings were issued regarding the BlueKeep exploit. The increase may be
partially attributed to honeypot activity, unless there is a better hypothesis.

Figure 3 -- Number of observed VPN endpoints (all known detectable protocols), from June 2018 to the end of March 2020. VPNs are
being slowly phased out, except for the recent trend.


Figure 4 -- Google Trends for VPN, RDP, and TeamViewer

As I mentioned before, Zero Trust is a strategic approach, but it does not necessarily mean
you can drop your VPN right now. Most likely not: the transition is gradual. It makes sense
to reconsider the VPN usage strategy, secure your applications, tighten application-level access
control and then, probably, move the most “popular” services to a different security model that
does not require a VPN anymore. But at the beginning of this journey, unless you prepared in
advance, the WfH shift typically means more VPN usage than before, and that is what is happening
worldwide. As confirmed by Shodan’s report (https://blog.shodan.io/trends-in-internet-
exposure/), the number of VPN endpoints rose significantly (initially reported as +41%, but
corrected later due to measurement artifacts) during March 2020, despite a steady decline
throughout the second half of 2019.

VPN security

At the beginning of 2019, dangerous security flaws were discovered in several VPN products
(namely Pulse Secure, CVE-2019-11539, and Palo Alto, CVE-2019-1579), and those
vulnerabilities (as well as the previously discovered Fortinet VPN vulnerabilities
CVE-2018-13379, CVE-2018-13382, and CVE-2018-13383) were later exploited by cybercriminals.
The NSA warned about nation-state APT actors using the vulnerabilities in those three products
in October 2019
(https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-
VPN-VULNERABILITIES.PDF). Later, as the COVID-19 situation progressed, Microsoft issued a
warning regarding REvil ransomware group activity against healthcare organizations
(https://www.microsoft.com/security/blog/2020/04/01/microsoft-works-with-healthcare-
organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/),
giving special attention to these vulnerabilities as an attack vector. It is noteworthy that the
warning does not explicitly state that attacker activity has significantly increased during the
recent period or that attacks became more sophisticated; instead, it is more about the general
security precautions that are needed when deploying a VPN. “We haven’t seen technical
innovations in these new attacks, only social engineering tactics tailored to prey on people’s
fears and urgent need for information. They employ human-operated attack methods to
target organizations that are most vulnerable to disruption—orgs that haven’t had time or
resources to double-check their security hygiene like installing the latest patches, updating
firewalls, and checking the health and privilege levels of users and endpoints—therefore
increasing probability of payoff”. (Microsoft)

The Shodan report also mentions (without exact numbers, though) that the increase includes
endpoints running legacy VPN protocols such as PPTP, which cannot be adequately secured at
all.

Figure 5 -- Vulners.com search queries, monthly per topic

Vulners.com statistics are a generally reliable and somewhat predictive indicator of “what is
hot” on the vulnerability side. Both defenders and attackers use it to find information
relevant to their current tasks, and it is “predictive” because it is connected to the attack
planning stage. Again, there is no correlation with the quarantine events, especially when
compared to the impact of more typical factors in line with the vulnerability life cycle.

RDP, a closer look

RDP is a typical “band-aid” approach to making the workplace environment accessible under WfH
conditions. Improperly secured RDP access (mostly via brute force attacks) is today’s
leading initial vector of compromise for ransomware. In Q4 2019 it accounted for almost
60% of attacks, exceeding the next “leader”, email phishing, by more than twofold (source:
Coveware report, https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-
q4-as-ryuk-sodinokibi-proliferate, also consistent with other sources).

RDP has a long history of security problems, and most organizations do their best to avoid
exposing it directly to the internet, but it still happens, and the Shodan report
mentions noticeable growth here as well. Fraud prevention analysts confirm that there is a
significant correlation between leaked and abused credentials and previous use of RDP
“farms” by the same organization; yet again, this mostly applies to pre-existing setups, and those
credentials most likely leaked long before the quarantine (either brute forced, or
partially attributable to the famous “BlueKeep” RDP vulnerability discovered in 2019;
see below for exploit limitations).


Figure 6 -- malicious RDP activity as detected by Rapid7. The BlueKeep exploit was published in August 2019. It is quite
noticeable that the Vulners search activity spike, as mentioned above, precedes actual attacks. Unfortunately, there are no
newer data from this source.

Figure 7 -- RDP scanning activity as detected by SANS Storm Center. There is a visible spike at the end of March 2020.

More information on BlueKeep and DejaBlue vulnerabilities may be found in Rapid7 report:
https://blog.rapid7.com/2019/11/07/the-anatomy-of-rdp-exploits-lessons-learned-from-
bluekeep-and-dejablue/

It is worth mentioning that RDP vulnerabilities are almost irrelevant for ransomware
operators: brute forcing credentials is the predominant attack vector for RDP, and the most
recent systems for which a reliable exploit is available are Windows 7 and Server 2008 R2. DejaBlue
(the exploit variation for all versions, including Windows 10) was “predicted” by researchers,
but had never been seen “in the wild” at the time of writing this report.


Teamviewer and other “rogue” remote access tools

Teamviewer has an even worse reputation as a tool frequently used in “shadow” IT infrastructure
without proper authorization and control, which is quite a typical situation, especially in SMB
environments, and the company suffered a major security breach that exposed customers’
credentials in 2019. As we can see on the Google Trends graph above, interest in
Teamviewer spiked in the first half of March 2020 synchronously with other access methods,
but has declined more sharply since then, as it appears to be unsuitable as a long-term
solution.

Teleconference risks

The most convenient, and at the same time, the riskiest teleconference app of today is
Zoom.

Zoom security issues, summarized in no particular order:

• “Zoombombing”: conference IDs could be brute-forced, opening Zoom conferences
for invasion by strangers

• Questionable privacy policy, data collection and alleged selling of attendee data to
third parties like Facebook (class action suit is in progress)

• Insufficient encryption of data in transit

• Conference recordings found on Amazon S3

• Client-side vulnerabilities and questionable application behavior (two 0days were
offered for sale on the black market recently,
https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-
exploit-for-500000 )

• Mass account compromise (500K accounts are currently for sale on the black market
as well)

• Alleged collaboration with the Chinese government

Zoom promised to fix all these issues and revised the privacy policy, but it is still banned in
many organizations.

(source: https://www.forbes.com/sites/alexkonrad/2020/04/03/all-eyes-on-zoom-how-the-
at-home-eras-breakout-tool-is-coping-with-surging-demand-and-scrutiny/ )

Remote access gateways availability and latency issues

For some businesses, especially finance/trading, network latency issues, possible service
unavailability, and the inability of an operator to take necessary actions in a timely manner
may have a serious business impact. DDoSing a corporate VPN endpoint might be easier than
attacking a trading platform that faced similar issues previously and took the necessary
precautions.

Moving to the cloud

As the “perimeter” is no more, many companies are reconsidering moving everything that
resided on a “local” network to the cloud – including identity management and single sign-
on. Cloud access credentials hijack and document leaks are expected to increase.


Attacker TTP advancements and observed impact


Phishing, social engineering and, for certain industries, DDoS are the only attack types that,
to date, directly correlate with the COVID-19 outbreak. It would be unwise to underestimate
the potential of phishing: 32% of data breaches involve phishing, according to the Verizon Data Breach
Investigations Report 2019.

Figure 8 -- COVID-themed domain trends (Source: DomainTools via Cyber Threat Coalition)

Observed activity: hackers as opportunistic actors

Opportunistic adversaries, unlike APTs, are more concerned with the cost of an individual attack
than with its efficiency against a particular target. Thus, broadly-targeted low-impact
attacks are more common, the time frame is reduced, and maintaining long-term persistence is
rarely an objective.

“The middle of a pandemic is the worst possible time to be hit with a ransomware attack,
especially for healthcare providers. So far, the on-chain data suggests ransomware attacks
— or, at least, ransomware payments — have decreased significantly since the Covid-19
crisis intensified in the U.S. and Europe in early March. [..] We reached out to Bill Siegel, CEO
of Coveware, a ransomware incident response firm, to learn more about the on-the-ground
situation and put the on-chain trends we’re seeing in context. Bill confirmed what the on-
chain data shows at a high level: Covid-19 doesn’t appear to have spurred more
ransomware attacks. ‘I haven’t seen a major material increase in attacks.’”

(Source: https://blog.chainalysis.com/reports/ransomware-covid-19 )


A regularly updated page covering COVID-19 related cyber-attacks may be found here:
https://www.webarxsecurity.com/covid-19-cyber-attacks/

Observed activity: DDoS attacks

DDoS is cheap, low-tech, generally available and hard to attribute. So it is no surprise
that, as competition becomes harsher due to the universal recession, some businesses
try to take advantage by all means possible. And it is low-tech enough to be used by
teenagers to attack online learning platforms.

Figure 9 -- DDoS attack trends, March 2020 vs February 2020 (bar chart; categories shown: Trade, Tourism, Taxi, Social Networks, Real Estate, Promo, Pay system, Data aggregators, Microfinance, Medicine, Mass media, Insurance, Info, Public services, Games, Forex/Exchange, Entertainment, Education, E-commerce, Crypto, Coupons, Betting, Banks, Advertisement; horizontal axis 0% to 450%). Source: QRator Labs.

Observed activity: ViciousPanda group

Check Point Research discovered a new campaign against the Mongolian public sector,
which takes advantage of the current Coronavirus scare, in order to deliver a previously
unknown malware implant to the target.

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/

Observed activity: DarkHotel group


The attacks are being carried out against Chinese government interests worldwide,
according to Qihoo 360.

As the Chinese government turns to virtual private networks (VPNs) to provide access to
official resources for those working remotely amid the COVID-19 pandemic, the DarkHotel
APT has seized the opportunity to target those VPNs in a zero-day attack, researchers said.

According to security analysts from Chinese firm Qihoo 360, attacks began in March on a
Chinese VPN provider called SangFor, used by a number of Chinese governmental agencies.
At least 200 VPN servers connecting to multiple endpoints were compromised as of the first
week of April, they added.

https://threatpost.com/government-vpn-servers-zero-day-attack/154472/

The DarkHotel group is known to have used several 0day vulnerabilities in popular
software in the past.

Observed activity: APT41 (DoubleDragon)

Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest
campaigns by a Chinese cyber espionage actor we have observed in recent years. Between
January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix
NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye
customers.

Figure 10 -- APT41 attacks timeline

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-
campaign-using-multiple-exploits.html

Some more technical details on the installed backdoor are available here:
https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-
organizations-globally/

Summary report by Malwarebytes

A good summary on TTPs by several APT groups may be found in MalwareBytes report:
(https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-
Paper_Final.pdf)


Future considerations – threat landscape


I made a few predictions of what kind of incidents to expect.

Accidental data loss


According to DTex’ research, “we know from previous experience that
there is a 78% increase in accidental data loss when employees work
from home [..] In order to work as efficiently as possible on their
local devices employees that anticipate WFH will often copy large
amounts of data to local hard drives or USB tokens. That’s why we’ve
seen a 67% increase in the number of unprotected backups in the past
when a large number of users WFH. Users realize they can work faster
with large amounts of data on their local machine vs. constantly
accessing databases through their corporate VPN.”

https://www.dtexsystems.com/blog/top-3-security-holes-to-address-for-companies-with-wfh-
employees/

This is not surprising at all if we put it into the context of the Varonis Data Risk Report,
mentioned in Annex B.

Remote access and VPN compromise

I expect “emergency” deployed gateways to often be misconfigured and serviced by
underqualified personnel bypassing standard IT procedures, etc. That said, a certain share of
them will inevitably be attacked. There have been multiple warnings about RDP; let’s hope that
voice will finally be heard.

Phishing and Whaling

I do not expect any dramatic outbursts. If there were going to be any, they would most likely
already be visible.

New methods of lateral movement

Are “home” networks more suitable for attacker lateral movement? Quite the contrary: you
would not expect your colleague’s workstation, compromised with new malware, to spread
the infestation right into the legacy Windows 2003 server that no one dares to upgrade because
of an obscure business intelligence app that requires a very precise version of Java running on
that specific platform with a custom patch set. There could be vulnerable home
automation devices (and that situation raises completely different concerns: what happens
if you save all your passwords in Chrome and someone attacks your hopelessly outdated
Android TV, which shares the same Google account?). At least network sniffing should not be
an issue if the network is configured properly, and modern operating systems have an amazingly
small network attack surface for desktops in the default configuration. So there is a shift, but
not a catastrophe, not even a delayed one. However, backing up confidential information to
your home NAS or personal cloud may bring you trouble.

Attacking sysadmins, MSPs and stealing cloud credentials

These attack vectors are steadily gaining popularity and this trend certainly will continue.


Future considerations: challenges and bottlenecks


Maintaining and prioritizing security in the context of an emergency situation is not an easy task.
Here is a (far from exhaustive) list of items that may require immediate attention.

Legacy systems need immediate replacement

Risks and/or maintenance costs for outdated systems are considerably higher when there is
a requirement for secure remote access. Making it available via RDP might be the worst
solution ever.

Securing home networks

Unless a company is willing to provide pre-configured network routers to employees, it makes
little sense to invest significant effort into securing the home environment. You cannot
expect a typical employee, even in an IT company, to do proper microsegmentation and create
an isolated “work” VLAN on the home network, as some security specialists suggest (especially
considering the absence of any uniformity in home equipment and configurations). In most
cases it is enough to set a strong WPA2 password, disable WPS and assume that the
wireless network and the home router itself are still insecure, investing more advanced
efforts in improving the security of the workstation itself. Zero Trust starts here.

IT support and IT security have no on-demand physical access to devices

For IT departments that are used to servicing a mostly centralized workforce in the office
environment, WfH adoption may be challenging. Also, this operational change certainly
complicates incident investigation and response. Enrolling new workstations, 2FA keys, etc.
when support staff cannot physically be present to supervise the device activation may not
be that smooth. There will also be inevitable delays when a replacement device needs to be
sent to a remote location.

Endpoint visibility

The amount of data that could be used to detect attacks and breaches is considerably lower
for most WfH configurations, impeding the company’s detection and response capabilities. Even
if a VPN is used, split tunnels are the “new normal”. For “BYOD” remote access the situation is
even worse.

SOC analysts are working from home, too

And most likely, it would impair their performance when a quick collaborative response is
needed.


Behaviour analytics has become harder than ever

Non-typical usage patterns, new locations, work outside typical working hours: everything
is much more flexible and will lead to a stream of false positive events.
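To show why office-era rules flood a WfH SOC with false positives, the block below (an added example, not part of the report) runs two detectors over constructed sign-in records: a naive rule that alerts on any off-hours or out-of-country sign-in, and a per-user baseline that learns each user's usual (country, device) pairs during a warm-up window and afterwards alerts only on a pair that user has never produced. The record fields, the warm-up length and the sample data are assumptions of the example.

```python
"""Office-era rule vs. per-user baseline over WfH sign-in records.

Added example. The sign-in records are constructed; field names, the warm-up
length and the example countries/devices are assumptions, not any product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_signins():
    """Ten days of constructed VPN/SSO sign-ins for two remote users."""
    base = datetime(2020, 3, 16, 0, 0)
    rows = []
    for day in range(10):
        for user, device, hours in (("alice", "lap-a1", (7, 21)),
                                    ("bob", "lap-b1", (10, 23))):
            for h in hours:     # both users now sign in well outside 9-18
                rows.append({"user": user, "country": "BG", "device": device,
                             "time": base + timedelta(days=day, hours=h)})
    # Day 9: alice's account used from a new country and a never-seen device.
    rows.append({"user": "alice", "country": "US", "device": "unknown-77",
                 "time": base + timedelta(days=9, hours=3)})
    rows.sort(key=lambda r: r["time"])
    return rows


def naive_rule(rows, office_country="BG", work_hours=(9, 18)):
    """Office-era rule: any off-hours or out-of-country sign-in is an alert."""
    return [r for r in rows
            if r["country"] != office_country
            or not (work_hours[0] <= r["time"].hour < work_hours[1])]


def baseline_rule(rows, warmup_days=7):
    """Learn each user's (country, device) pairs during the warm-up window,
    then alert on a pair the user has never produced before.

    Time of day is deliberately not a signal: in WfH it carries no information.
    A new pair is added to the baseline after alerting, so each new pair fires
    once rather than on every subsequent sign-in; an analyst decides whether
    it was legitimate.
    """
    start = rows[0]["time"]
    seen = defaultdict(set)
    alerts = []
    for r in rows:
        key = (r["country"], r["device"])
        in_warmup = r["time"] < start + timedelta(days=warmup_days)
        if not in_warmup and key not in seen[r["user"]]:
            alerts.append(r)
        seen[r["user"]].add(key)
    return alerts


if __name__ == "__main__":
    rows = build_signins()
    print("naive rule alerts:   ", len(naive_rule(rows)))
    print("baseline rule alerts:", len(baseline_rule(rows)))
    for a in baseline_rule(rows):
        print("  ", a["user"], a["country"], a["device"], a["time"])
```

On the sample, the naive rule fires 31 times in ten days for two users and buries the one sign-in that matters; the baseline fires once, on the account used from a new country and a new device. The weakness of the baseline is the warm-up itself: whatever happened during those first days is treated as normal, so the warm-up should be short and its contents reviewed, and the RDP brute-force and success-after-burst signals described earlier remain necessary alongside it.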

Regulated industries

It is too early for full impact assessment, but in most cases compliance requirements need to
be thoroughly revised to make sure that “emergency” procedures are covered with
appropriate compensating controls. After the initial shockwave settles, there will be a lot of
unanswered questions.


Annex A: Private sources of COVID-19 related threat intelligence

Annex A is left blank in the public version of the report.


Annex B: Public threat intelligence reports from 2019


All these reports are from pre-quarantine period, but they provide useful insight into the
context in which attackers operate.

Akamai 2019 Financial Services Attack Economy Report

Due to the specifics of Akamai’s business, this report is focused on web/network service
statistics (vulnerabilities, DDoS, authentication, fake domains) and does not cover endpoint
issues.

https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-
financial-services-attack-economy-report-2019.pdf

Verizon Data Breach Investigation Report 2019

I think this one does not need an introduction.

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-
report.pdf

Coveware 2019 Q4 Ransomware Marketplace report

Coveware’s Q4 Ransomware Marketplace report aggregates anonymized ransomware data
from cases handled and resolved by Coveware’s Incident Response Team, and other
Incident Response firms that utilize the Coveware Incident Response Platform to manage
their own cases. This report discusses data points like the average ransom amounts, data
recovery rates, and ransomware attack vectors. [..] In Q4 2019, ransomware distributors
continued to prove that they are economically rational. The mass availability of Remote
Desktop Protocol (RDP) credentials to corporate networks for as little as $30 per IP address
has made carrying out a targeted attack extremely cost-effective for the attackers.

https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-
sodinokibi-proliferate

Proofpoint Beyond the Phish Report

Cross-industry study of user behavior regarding phishing activities

https://www.proofpoint.com/us/resources/threat-reports/beyond-phish

Varonis 2019 Data Risk Report

The report has some sampling bias (the data were collected from Varonis customers, which
are typically “bigger than average” companies); yet it contains several striking insights
into the depth of information life cycle and identity management problems, supported with
quantitative data across industries, geographies and company sizes.

• The average company found more than half a million sensitive files (534,465)
• 17% (117,317) of all sensitive files were accessible to every employee
• 40% of companies found over 1,000 stale but not disabled user accounts
• 53% of data, on average, was stale

https://info.varonis.com/hubfs/Varonis%202019%20Global%20Data%20Risk%20Report.pdf

Acknowledgements
This research was sponsored by Acronis GmbH.
Cover image credits: Karen Arnold
Vulnerabilities search trends: Kirill Ermakov, Vulners.com
DDoS statistics: Artyom Gavrichenkov, Qrator Labs.

Glanc, Ltd is a consulting company focused on fine-tailored information security risk
assessment, architecture review and strategic planning. We are also the current
maintainers of Seccubus, an open source continuous vulnerability management
solution. Contact us for more information.

+359878830030
arkenoi@gmail.com

facebook.com/glancltd
Varna, Bulgaria
