BLOG – COVID-19 response sees increase in potentially exploitable attack surface

Following our previous analysis of the likely cyber threat consequences of the COVID-19 crisis, we look at how efforts to accommodate remote working have also increased attack surfaces.

Following the UK government’s advice in response to the COVID-19 crisis, businesses from many sectors have transitioned to remote working. According to Orpheus data – and as anticipated in our previous blog post – this has resulted in a significant rise in open Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC)  ports, as the use of remote working solutions like Citrix XenApp, Microsoft Remote Desktop Services and TeamViewer are requiring companies to expand their infrastructure. We compared the same set of 2,000 UK based companies in the weeks preceding and following the announcement, with the results displayed in the graph below.

This recent uptick in ports associated with RDP services (mostly 3389) and VNC (mostly 5900) on companies’ networks indicates that this may be a general trend across different sectors, with particular emphasis on sectors such as professional services, financial services, education and even companies in the healthcare sector in response to the recent COVID-19 outbreak. Many of these new connections will have appropriate controls in place – for example strong and unique passwords, restrictions on brute forcing, and two-factor authentication.

However, adversaries will continue to look for potentially vulnerable RDP and VNC services on which they can gain a foothold. RDP instances are routinely exploited by threat actors looking to spread ransomware, as demonstrated by Orpheus intelligence reports, which cite RDP as one of the most common technologies exploited during ransomware attacks. The Zeppelin and Nefilim ransomware variants have recently targeted RDP instances in this way. Similarly, a range of adversaries have also targeted recent vulnerabilities in VPN software to gain a foothold on corporate networks, including that produced by Citrix (CVE-2019-19781) and Pulse Secure (CVE-2019-11510).

Maintaining the availability of working arrangements has been the key priority from an information security perspective during the COVID-19 crisis. However, with the current situation likely to persist, organisations need to ensure that they avoid incurring a technical debt with the other two elements of the information security triad – confidentiality and availability.

We recommend that businesses take precautions when deploying remote working solutions as a response to government lockdown measures, as threat actors are looking to exploit vulnerable companies for profit through ransomware. When setting up RDP or VNC services, companies should ensure the appropriate controls are in place, and thus reducing the prospect of further disruption from COVID-19. Taking a threat-led approach and understanding how your organisation looks from an attacker’s perspective is critical in identifying and ultimately reducing your level of cyber risk.

To understand how Orpheus’ Cyber Risk Rating service can help secure you and your supply chain and to find out your Cyber Risk Rating for free and begin reducing your company’s cyber risk, click here.