A few security service vendors have released mid-year cyberattack reports and have noted significant changes in attack vectors and methodologies due to the increase in working from home and the migration to cloud services.
Two areas that have seen significant changes and are especially relevant are "Double Extortion" and cloud service vulnerabilities.
The "Double Extortion" attack is a form of ransomware that has been hitting healthcare and real estate especially hard, but everyone is potentially vulnerable. It starts as a standard ransomware attack, usually delivered via email attachments in phishing attacks, but it also exfiltrates data during the attack and demands payment for those files. This evolution is happening primarily because of the increased focus on data recovery and restoration. Businesses have recently hardened their backup policies and procedures in response to the prevalence of normal ransomware attacks. That made normal ransomware attacks less lucrative, so the exfiltration step was added to try to ensure payment after a successful attack.
A major hospital system experienced this last week: https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254?fbclid=IwAR223AyBRTqxkjAxKjftm7D-B3Nt5HZ4mPzUMosSR5v_e4QPFJobmzL7HQ4
Clark County School District is still dealing with this as well: https://www.businessinsider.com/hacker-publishes-students-grades-private-info-after-demanding-ransom-2020-9
The most effective way to combat this threat is to ensure your users are trained on how to detect phishing emails and, more importantly, not to open any attachments sent to them from someone they don't know. This, as you have seen, isn't 100% effective, so a few technical controls can be implemented alongside the user training. The first is e-mail filtering and antivirus scanning, which can catch and disable most attacks before they get to your users. Another technical control is sandboxing on an application firewall to detonate attachments as they come through. Palo Alto firewalls and Cisco ASAs are the industry leaders in this, but there are other vendors with similar capabilities. However, in a work-from-home environment a static firewall isn't effective for most companies, because most users aren't behind it. In those cases, ensuring that your endpoints have the most up-to-date and full-featured antivirus and anti-malware is the most effective technical defense.
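As an added illustration (not code from the vendor reports or from any product named above), the following Python example shows the kind of attachment check an e-mail filter applies before delivery: it flags executable and macro-enabled extensions, double extensions, and executable content hidden under a document name. The extension lists, function names and the sample message are assumptions constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklists for illustration; tune them to your own mail policy.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".bat", ".ps1"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def triage_attachment(filename, payload):
    """Return the reasons an attachment should be quarantined (empty list = pass)."""
    reasons = []
    parts = filename.lower().strip().rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension {ext}")
    if ext in MACRO_EXT:
        reasons.append(f"macro-enabled document {ext}")
    # Names like "invoice.pdf.exe" hide the real type behind a decoy extension.
    if len(parts) == 3 and "." + parts[1] in DECOY_EXT and ext in EXECUTABLE_EXT:
        reasons.append("double extension")
    # A Windows executable header ("MZ") under a non-executable name.
    if payload.startswith(b"MZ") and ext not in EXECUTABLE_EXT:
        reasons.append("executable content under a document name")
    return reasons

def scan_message(raw):
    """Parse a raw RFC 5322 message and map each flagged attachment to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        reasons = triage_attachment(filename, part.get_payload(decode=True) or b"")
        if reasons:
            findings[filename] = reasons
    return findings

def build_sample():
    """Constructed test message: one benign and two suspicious attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.test", "user@example.test"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see attached.")
    samples = (("report.pdf", b"%PDF-1.4 constructed"),
               ("invoice.pdf.exe", b"MZ constructed"),
               ("statement.pdf", b"MZ constructed"))
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A filter like this only covers known-bad names and headers, which is why the sandboxing and endpoint controls described above still matter.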
Cloud service vulnerabilities are not necessarily an attack but more of an opportunistic target that is proving very effective for bad actors. With COVID-19 still being an issue, most businesses have accepted, or will be accepting, the fact that work from home is not going away any time soon and are retooling their services to be more efficient and effective with that new workforce. This has led numerous companies to use cloud service providers for directory services, file services, e-mail services, or all three. The issue with these moves is that a company typically uses its in-house IT staff to do the migrations, and the IT staff may not be trained or up to date on best practices for hardening cloud services. This has led to near-constant vulnerability scanning of the major cloud service providers, looking for misconfigured or unconfigured access routes, and it is surprisingly effective.
The best defense against these types of attacks is to follow the cloud service provider's recommended best practices and to perform regular vulnerability scans and penetration tests on any internet-facing systems and your cloud service provider. The service providers are doing a lot of work to detect and prevent these types of issues, but ultimately, if an administrator configures a service incorrectly or not to standards, the provider can't really detect or prevent it, because the service is operating as it was configured.
Below are some sites that provide general best practices for cloud security, but it is always better to find the knowledge base article for the service your company is using and follow that: