Anatomy of a Breach: COVID-19 — The Pandemic That Expanded the Global Attack Surface Overnight

> series: anatomy_of_a_breach —— part: 135 —— event: covid-19_pandemic —— impact: largest_attack_surface_expansion_in_history

Hedgehog Security 31 March 2020 14 min read

Millions working from home. Personal devices. Hastily deployed VPNs. The attack surface exploded.

In March 2020, the COVID-19 pandemic triggered nationwide lockdowns across the UK, Europe, and much of the world. Within weeks, millions of workers transitioned from office-based environments — with managed networks, firewalls, and physical security — to home working environments with consumer broadband, personal devices, shared home networks, and hastily configured VPN access. For cybersecurity, the pandemic represented the largest, fastest expansion of the global attack surface in history.

Attackers responded immediately. Phishing campaigns exploiting COVID-19 surged — with emails impersonating the WHO, NHS, government agencies, and health authorities. RDP exposure on the internet increased by 127% as organisations hastily enabled remote access. VPN appliances — many still unpatched against the same Pulse Secure vulnerability that had compromised Travelex — became critical targets. And video conferencing platforms, particularly Zoom, faced intense scrutiny as they went from niche tools to essential infrastructure overnight.


Every home became a branch office. Without branch office security.

Home Networks Are Not Corporate Networks

Home broadband connections, consumer routers, shared family devices, and unmanaged personal computers replaced segmented corporate networks with managed endpoints. <a href="/cyber-essentials">Cyber Essentials Danzell</a> addresses remote working security — including home working device requirements and MFA mandates — precisely because COVID-19 proved these controls are essential.

RDP Exposure Surged

Organisations that could not deploy VPNs quickly enough exposed RDP directly to the internet — the same vulnerability that enabled the <a href="/blog/anatomy-of-a-breach-atlanta-samsam">Atlanta SamSam attack</a> (2018). Our <a href="/vulnerability-scanning">external vulnerability scanning</a> identifies exposed RDP and remote access services.

COVID-19 Phishing Epidemic

Phishing campaigns exploiting pandemic fear — fake NHS test results, WHO guidance, government relief programmes — surged dramatically. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> test staff resilience to current threat themes.

VPN Becomes Critical Infrastructure

VPN appliances became the primary perimeter for millions of organisations. Unpatched VPN vulnerabilities — like the Pulse Secure flaw that hit <a href="/blog/anatomy-of-a-breach-2019-year-review">Travelex</a> — became existentially critical. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched VPN appliances. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors VPN access patterns for anomalies.

Remote working is permanent. So is the expanded attack surface.

COVID-19 was not a temporary disruption — it permanently changed how organisations operate. Hybrid and remote working became the default for millions. The expanded attack surface — home networks, personal devices, VPN dependencies, cloud-first architectures — is now the permanent reality. Security controls must adapt accordingly.

Cyber Essentials Danzell addresses remote working security requirements. Our infrastructure testing includes remote access security assessment. Social engineering testing addresses pandemic-themed phishing. SOC in a Box monitors the expanded perimeter — VPN, cloud, and remote access — 24/7. And UK Cyber Defence provides incident response across distributed environments.


COVID-19 expanded your attack surface permanently. Has your security expanded to match?

<a href="/cyber-essentials">Cyber Essentials</a> covers remote working. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses VPN and remote access. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors the expanded perimeter.
