There’s a saying that those who own the information own the world. However, speaking about information security, the whole “world” is not enough – so the cybercriminals’ needs are confined to other people’s data, money, after all, business. Don’t think that attackers are in a constant chase for big fortunes or tabloid scandals: as the statistics show, more than 60% of all small and medium businesses have experienced cyberattacks over the course of 2022.
Small and medium-sized companies are great contributors to the global economy: according to the World Trade Organization, SMBs represent more than 90% of all businesses worldwide. Due to cyberattacks, businesses may lose confidential information, finances, valuable market share – and there are plenty of ways criminals are trying to reach their goals. The less we can do is to count them; what’s more important is to define the threats the SMB sector might be exposed to – and ways they can be detected and prevented. Additionally, small enterprises consider a cybersecurity incident as one of the most challenging types of crises.
Kaspersky experts analyzed vulnerable points SMB might have and outlined some major cyberthreats for entrepreneurs that they must be aware of.
- Data leaks caused by employees
There are different way company’s data may be leaked – and, in certain cases, it might happen involuntarily.
During the pandemic, many remote workers used corporate computers for entertainment purposes, such as playing online games, watching movies, or use e-learning platforms – something that continues to pose financial threats to organizations. This trend is here to stay, and while during 2020, 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.
The level of cybersecurity after the pandemic and initial adoption of remote work by organizations en masse has improved. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network. Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans. If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.
Also, there’s a tendency to blame ex-workers of possible data leaks. However, only half of recently surveyed organizations’ leaders are confident that ex-employees don’t have access to company data stored in cloud services or can’t use corporate accounts. An ex-colleague may not even remember they had access to such-and-such resource. But a routine check by those same regulators might reveal that unauthorized persons do in fact have access to confidential information, which would still result in a fine.
And even if you’re absolutely certain you parted ways on good terms with everyone, that doesn’t mean you’re out of the woods. Who can guarantee they didn’t use a weak or non-unique password to access work systems, which attackers could brute-force or come across in an unrelated leak? Any redundant access to a system – be it a collaborative environment, work email or virtual machine – increases the attack surface. Even a simple chat among colleagues about non-work issues could be used for social-engineering attacks.
- DDoS attacks
Distributed Network Attacks are often referred to as Distributed Denial of Service (DDoS) attacks. This type of attack takes advantage of the specific capacity limits that apply to any network resources – such as the infrastructure that enables a company’s website. The DDoS attack will send multiple requests to the attacked web resource – with the aim of exceeding the website’s capacity to handle multiple requests… and prevent the website from functioning correctly.
Attackers resort to different sources to perform acts on organizations such as banks, media assets, or retailers – all frequently affected by DDoS attacks. Recently, cybercriminals targeted the German food delivery service, Takeaway.com (Lieferando.de), demanding two bitcoins (approximately $11,000) to stop the flood of traffic. Moreover, DDoS attacks on online retailers tend to spike during holiday seasons, when their customers are most active.
There’s also a growing trend towards gaming companies gaining scale. The North American data centers of Final Fantasy 14 were attacked in early August. Players experienced connection, login, and data-sharing issues. Blizzard’s multiplayer games — Call of Duty, World of Warcraft, Overwatch, Hearthstone, and Diablo: Immortal — were also DDoSed yet again.
Something to note is that many DDoS attacks go unreported, because the payout amounts are often not terribly big.
- Supply chain
Being attacked through a supply chain typically means a service or program you have used for some time has become malicious. These are attacks delivered through the company’s vendors or suppliers – the examples can include financial institutions, logistics partners, or even a food delivery service. And such actions may vary in its complexity or destructiveness.
For example, attackers used ExPetr (aka NotPetya) to compromise the automatic update system of accounting software called M.E.Doc, forcing it to deliver the ransomware to all customers. As a result, ExPetr caused millions in losses, infecting both large companies and small businesses.
Or take CCleaner, one of the most famous programs for system registry cleaning. It is widely used by both home users and system administrators. At some point, attackers compromised the program developer’s compilation environment, equipping several versions with a backdoor. For a month these compromised versions were distributed from the company’s official websites, and downloaded 2.27 million times, and at least 1.65 million copies of the malware attempted to communicate with the criminals’ servers.
The recent examples that drew our attention are DiceyF incidents, that were performed in SouthEast Asia. The prime targets were an online casino developer and operator and a customer support platform, that were attacked in The Ocean 11 style. Or the SmudgeX incident comes to mind: an unknown APT compromised a distribution server and replaced a legitimate installer with a trojanized one, spreading malicious PlugX within a South Asian nation to all federal employees who had to download and install the new, required tool. Surely, the IT support managing the distribution server and the developers were affected.
You can encounter malicious files everywhere: if you download illegitimate files, make sure they do not harm you. The most emerging threats are the encryptors that chase a company’s data, money, or even personal information of its owners. To support this, it’s worth to mention that more than a quarter of small and medium-sized businesses opt for pirated, or unlicensed software to cut costs. Such software may include some malicious or unwanted files that may exploit corporate computers and networks.
Additionally, business owners must be aware of access brokers as such layers of groups will cause SMBs harm in a variety of ways in 2023. Their illegal-access customers include cryptojacking clients, banking password stealers, ransomware, cookie stealers, and other problematic malware. One of the examples is Emotet, malware that steals banking credentials and targets organizations around the world. Another group that targets small and medium-size businesses is DeathStalker, best known for its attacks on legal, financial and travel entities. The group’s main goals rely on looting confidential information regarding legal disputes involving VIPs and large financial assets, competitive business intelligence as well as insights into mergers and acquisitions.
- Social engineering
Since the onset of the COVID-19 pandemic, many companies have moved much of their workflows online and learned to use new collaboration tools. In particular, Microsoft’s Office 365 suite has seen a lot more use — and, to no one’s surprise, phishing now increasingly targets those user accounts. Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft’s sign-in page.
We’ve uncovered many new ways how phishing scammers are trying to fool business owners, which sometimes turn out to be quite elaborative. Some are mimicking loan or delivery services – by sharing false website or sending emails with fake accounting documents.
Some attackers masquerade as legitimate online platforms to get profit out of their victims: it may be even quite popular money transfer services, such as Wise Transfer.
Another red flag discovered by Kaspersky experts is a link to a page translated using Google Translate. Attackers use Google Translate to bypass cybersecurity mechanisms. The senders of the email allege that the attachment is some kind of payment document available exclusively to the recipient, which must be studied for a “contract meeting presentation and subsequent payments.” The Open button link points to a site translated by Google Translate. However, the link leads to a fake site launched by attackers in order to steal money from their victims.
Summing up, cybercriminals will try to reach out to their victims using every way possible – through unlicensed software, phishing websites or emails, breaches in the business’s security network or even via massive DDoS attacks. However, a recent survey by Kaspersky showed that 41% of SMBs have a crisis prevention plan – thus, do care about cybersecurity and understand how challenging IT security incident remediation can be is a good tendency that hopefully will result in reliable protective measures implemented within these organizations.
To protect businesses from cyberattacks, Kaspersky recommends the following:
- Implement a strong password policy, requiring a standard user account’s password to have at least eight letters, one number, uppercase and lowercase letters and a special character. Make sure these passwords are changed if there any suspicion that they have been compromised. To put this approach into practice without additional efforts, use a security solution with a comprehensive built-in password manager.
- Don’t ignore updates from a software and device vendors. These usually not only bring new features and interface enhancements, but also resolve uncovered safety gaps.
- Maintain a high level of security awareness among employees. Encourage your workers to learn more about current threats and ways to protect their personal and professional life and take relevant free courses. Conducting comprehensive and effective third-party training programs for employees is a good way to save the IT department time, and get good results.
By Kurt Baumgartner, principal security researcher at Kaspersky
13 December 2022