The COVID-19 scare has more people than ever are working at home. While this isn’t a new trend, it is affecting people on a much more massive scale now in light of the current health frenzy. The giants have taken heed: Amazon, Facebook, Google, Microsoft among others have all disseminated their office workers in specific regions, and Twitter has gone so far as to encourage all employees globally to work remotely. This is a severe jump from the 50% of employees working outside their main office part-time. Mobile workers have often been a cause for concern in the security community, and now, thanks to the Coronavirus, organizations are seeing a complete and unprecedented change in their attack surface – especially ones who are remote-work adverse.
While most firms have an existing remote-working policy, it is worth considering an update given the criticality of its function. Remote working policies are typically quite general in nature and range from the protection of data in public places to policies around device loss or theft. We’re focusing here on the cybersecurity risks surrounding remote work.
Of course a remote-working policy cannot fully eliminate risk – your employees have to adhere to the policy (which is where security awareness training is crucial) and even with that, some exposure will always remain. Aside from this, there is a large population of workers who are now being asked to work from home who are not accustomed to these policies, which adds an additional layer of risk onto your organization.
So what measures can be taken?
Don’t use home PCs for work
Employees are accustomed to a certain office setup designed to maximize effectiveness which isn’t always possible at home. This leads to workarounds that aren’t in line with the company policy: working on devices that aren’t corporately managed, accessing critical applications on unsecured devices, and even using personal (and thus unsecured) storage or sharing mechanisms to name a few.
This introduces significant risk – home PCs may not be patched or have up to date antivirus, and as such are far more likely to be infected with commodity malware (such as a worm or a remote access trojan) with the capability to capture keystrokes, encrypt, or even exfiltrate data. Since a home PC isn’t under corporate jurisdiction, your extensive security investment is largely useless in this scenario which leads to an easier foothold in the early stages of a targeted attack.
Technical Pro-Tip – you probably prohibit the use of home equipment in your remote working policy already. However, if you are about to send the whole company home, you increase the risk of this not being adhered to, particularly with those who don’t normally work in this way. Re-iterate the policy, and consider locking down remote access via IP (enforce VPN), certificate (enforce use of corporate hardware), and implementing DLP controls to prevent documents leaving corporate networks.
Be wary of WiFi – Yes, even in your home
While most people are aware of the dangers of insecure public wifi – in coffee shops or airports, for example, home wifi routers present an attack surface that should be taken seriously.
In 2018, the FBI announced that Russian threat actors had compromised 300,000 home routers from manufacturers including Linksys, MikroTik, Netgear, TP-Link and QNAP, and were able to access user information, issue denial of service, or even redirect traffic using DNS hijacking. Other offensive campaigns remain ongoing, including against D-Link throughout 2019 – so it’s not a problem that is going away.
Technical Pro-Tip: In addition to enforcing VPN, have your employees check for vulnerabilities in a quick, one click DNS hijack detection tool such as this one provided free by F-Secure. Routers that become compromised are typically those bought separately by consumers, and not provided and centrally managed by an ISP. Aftermarket routers are less likely to be updated with the same frequency (surveys suggest that 60% are never updated), and as such are more susceptible to compromise.
Trust but Verify in regards to MFA
Your seasoned remote users accessing corporate systems are likely familiar with at least one layer of Multi-Factor Authentication in order to connect. While having MFA in place is better than not having it, users should be aware that MFA is not infallible. Add in the combination of more people working from home, and increasingly sophisticated attack techniques, it’s important to revisit some common MFA bypasses.
While the practice has been around for a few years, it emerged in 2018/19 as part of targeted attacks on banking customers in particular. The practice involves an attacker socially engineering their victim to allow their phone SIM to be ported back to the attacker, who will pose as IT support. The attacker can then use the phone number – which they now control – to verify Multi-Factor requests associated with the login.
Spoofed login pages
Typically delivered via phishing, these link to malicious copies of corporate login screens (such as Outlook Web Access) and forwards the MFA code to the attacker as soon as the user attempts to login.
More advanced versions of this attack were recently released on the open market, in particular with an attack tool called Modlishka published to Github in 2019. This tool sits as a man-in the middle, loading legitimate webpages (rather than malicious copies) while harvesting the user’s MFA code in real time. Up until recently, this technique had been the domain of custom, targeted attacks – but is set to become more prevalent.
While this one is relatively rare, it’s important to take note. This allows an attacker to intercept SMS messages by exploiting a vulnerability in the protocol used by telecoms companies to route texts and calls. The attack has been used since 2017 in order to intercept MFA communications from banks to their customers. It goes to show how SMS is a relatively insecure multi-factor, particularly in comparison to authenticator apps and hardware keys.
Technical Pro-Tip: MFA is still an extremely effective security control, but some factors are stronger than others and it is definitely not bulletproof. As attacks gain in sophistication, and more people work from home and use MFA to access critical systems, we can expect a greater degree of successful MFA bypass. Continue to educate your users, while also assessing the strength of your MFA solution.
Attacks against conference calls
While most of us are accustomed to conference calls, there are still sensitive topics that are preferred to be discussed in person. With the removal of that option, the conference call becomes the main tool for such discussions, which opens up yet another opportunity for attackers.
Not all conference call platforms are the same. The industry leading videoconferencing platforms are subject to continual security research which means vulnerabilities found are quickly remedied.
More concerning is the traditional conference dial-in system, requiring a phone number and a PIN to enter the call. These PINs are often reused at a later date, enabling uninvited visitors to join. The problem is exacerbated by call providers who may share conference lines among their client base without a dedicated allocation.
Advice – regardless of the conference platform used, ensure that good security practice is maintained. Update videoconferencing clients and plugins in a timely fashion. Ensure that passwords / PINs are set by default, not re-used, and are not distributed beyond the immediate group of people on the call.
Working remotely definitely has its advantages, but we need to remain vigilant: both the security teams as well as the end users themselves. The human element will always be a large threat