Cyber attacks have risen by six times the usual levels over the past four weeks as the COVID-19 pandemic provides a new catalyst for attackers. Hacking and phishing attempts increased by an unprecedented 37% in a single month between February and March.
Remote working has led to an equally dramatic rise in the number of servers using Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services. The number of devices exposing RDP to the internet on standard ports grew by 41.5% in March. The number of devices exposing RDP to the internet on non-standard but commonly used alternate ports grew by 36.8%. The number of servers running VPN protocols increased by 33%, from 7.5M to 10M, over the same period.
RDP has several known security weaknesses and should not be publicly accessible without network gateways, firewalls, and two-factor or multi-factor authentication. Recent ransomware attacks have demonstrated how attackers can use RDP as an effective entry point to corporate networks. RDP is the dominant attack vector for ransomware and is used in over 60% of ransomware campaigns. Compromised servers provide anonymity for attackers, which impedes the detection of malicious activity. Furthermore, RDP vulnerabilities such as BlueKeep (CVE-2019-0708) are wormable and can therefore enable attackers to propagate to connected hosts.
VPNs are exposed to both client-side and server-side vulnerabilities. The National Security Agency (NSA) issued an advisory in October for vulnerabilities in several VPN products that were actively targeted by state-sponsored and other threat actors. The products include Pulse Secure, Palo Alto GlobalProtect, and Fortinet FortiGate. The vulnerabilities could be exploited to perform remote code execution and to intercept or hijack encrypted sessions. VPN-related vulnerabilities were identified as the root cause of the devastating cyber attack suffered by Travelex in January.
The increase in cyber attacks and remote working underscores the need to secure enterprise systems, including business-critical SAP applications and infrastructure. The Cybersecurity Extension for SAP Solution Manager performs automated vulnerability scans to support effective hardening of SAP systems. It also continuously monitors SAP event logs to alert on indicators of compromise. Contact Layer Seven Security to learn how to leverage your Solution Manager installations to secure SAP systems from cyber attack.