The COVID-19 scare has more people than ever working at home. While this isn’t a new trend, it is affecting people on a much more massive scale now in light of the current health frenzy. The giants have taken heed: Amazon, Facebook, Google, Microsoft among others have all sent their office workers home in specific regions, and Twitter has gone so far as to encourage all employees globally to work remotely. This is a severe jump from the 50% of employees working outside their main office part time. Mobile workers have often been a cause for concern in the security community, and now, thanks to the Coronavirus, organizations are seeing a complete and unprecedented change in their attack surface – especially ones who are remote-work averse.
While most firms have an existing remote-working policy, it is worth considering an update given the criticality of its function. Remote working policies are typically quite general in nature and range from the protection of data in public places to policies around device loss or theft. We’re focusing here on the cybersecurity risks surrounding remote work.
Of course a remote-working policy cannot fully eliminate risk – your employees have to adhere to the policy (which is where security awareness training is crucial) and even with that, some exposure will always remain. Aside from this, there is a large population of workers who are now being asked to work from home who are not accustomed to these policies, which adds an additional layer of risk onto your organization.
So what measures can be taken?
Don’t use home PCs for work
Employees are accustomed to a certain office setup designed to maximize effectiveness which isn’t always possible at home. This leads to workarounds that aren’t in line with the company policy: working on devices which aren’t corporately managed, accessing critical applications on unsecured devices, and even using personal (and thus unsecured) storage or sharing mechanisms to name a few.
This introduces significant risk – home PCs may not be patched or have up-to-date antivirus, and as such are far more likely to be infected with commodity malware (such as a worm or a remote access trojan) with the capability to capture keystrokes, encrypt, or even exfiltrate data. Since a home PC isn’t under corporate jurisdiction, your extensive security investment is largely useless in this scenario, which leads to an easier foothold in the early stages of a targeted attack.
Technical Pro-Tip: you probably prohibit the use of home equipment in your remote working policy already. However, if you are about to send the whole company home, you increase the risk of this not being adhered to, particularly with those who don’t normally work in this way. Reiterate the policy, consider locking down remote access by IP (enforce VPN) and by certificate (enforce use of corporate hardware), and implement DLP controls to prevent documents leaving corporate networks.
Be wary of WiFi – Yes, even in your home
While most people are aware of the dangers of insecure public WiFi (in coffee shops or airports, for example), home WiFi routers present an attack surface that should be taken seriously.
In 2018, the FBI announced that Russian threat actors had compromised 300,000 home routers from manufacturers including Linksys, MikroTik, Netgear, TP-Link and QNAP, and were able to access user information, issue denial of service, or even redirect traffic using DNS hijacking. Other offensive campaigns remain ongoing, including against D-Link throughout 2019 – so it’s not a problem that is going away.
Technical Pro-Tip: In addition to enforcing VPN, have your employees check for vulnerabilities with a quick, one-click DNS hijack detection tool such as the one provided free by F-Secure. Routers that become compromised are typically those bought separately by consumers, and not provided and centrally managed by an ISP. Aftermarket routers are less likely to be updated with the same frequency (surveys suggest that 60% are never updated), and as such are more susceptible to compromise.
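For readers who want to see what such a check actually does, the following Python script is an added example; it is not the F-Secure tool mentioned above and not code from the original post. It applies the two tests a DNS hijack check typically makes: whether the upstream resolvers configured on the router are ones the organisation expects, and whether public hostnames resolve to the same addresses through the router's resolver as through an independent DNS-over-HTTPS resolver. The expected resolver list, the ISP addresses and the canary hostnames are hypothetical and would be replaced with an organisation's own.

```python
"""Home-router DNS hijack check (added example, not the original post's code).

Two tests:
  1. Are the router's upstream resolvers ones the organisation expects?
  2. Do canary hostnames resolve to the same addresses via the router's resolver
     as via an independent DNS-over-HTTPS resolver?
Resolver addresses below are constructed for the example; the public resolvers
(1.1.1.1, 8.8.8.8, 9.9.9.9) are real, the "ISP" ones are placeholders.
"""
import ipaddress
import json
import socket
import urllib.request
from typing import Callable, Dict, Iterable, List, Set

# Resolvers a hypothetical organisation tells staff to expect on a home router:
# two constructed ISP resolvers plus well-known public ones.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54", "1.1.1.1", "8.8.8.8", "9.9.9.9"}

# Canary hostnames to compare.  Replace with your own login portals, which are
# exactly what a hijacker would redirect; example.com is used so the live run works.
CANARY_DOMAINS = ["example.com", "www.example.com"]


def unexpected_resolvers(configured: Iterable[str], expected: Iterable[str]) -> Set[str]:
    """Upstream resolvers (read from the router's WAN settings page) that are not on
    the expected list.  A resolver nobody recognises is the classic hijack symptom."""
    return set(configured) - set(expected)


def is_non_global(ip: str) -> bool:
    """True for private, loopback, link-local and reserved addresses.  A public
    hostname resolving to one of these is a strong hijack indicator."""
    return not ipaddress.ip_address(ip).is_global


def classify(router_answers: List[str], trusted_answers: List[str]) -> str:
    """'hijack-likely' if the router steers a public host to a non-global address;
    'review' if the two resolvers disagree completely (CDNs legitimately return
    region-specific answers, so this needs a human look); otherwise 'ok'."""
    if any(is_non_global(ip) for ip in router_answers):
        return "hijack-likely"
    if not set(router_answers) & set(trusted_answers):
        return "review"
    return "ok"


def compare_resolvers(domains: Iterable[str],
                      resolve_via_router: Callable[[str], List[str]],
                      resolve_via_trusted: Callable[[str], List[str]]) -> Dict[str, str]:
    """Verdict per canary domain; resolver functions are injected so the logic
    can be exercised offline with constructed answers."""
    return {d: classify(resolve_via_router(d), resolve_via_trusted(d)) for d in domains}


def resolve_via_system(domain: str) -> List[str]:
    """The OS resolver, which on a home network normally points at the router."""
    return socket.gethostbyname_ex(domain)[2]


def resolve_via_doh(domain: str) -> List[str]:
    """Independent answer from Google's DNS-over-HTTPS JSON API, which bypasses
    the router's resolver entirely (type 1 == A record)."""
    url = f"https://dns.google/resolve?name={domain}&type=A"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = json.load(resp)
    return [rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1]


if __name__ == "__main__":
    # Live run against the current network (needs internet access).
    verdicts = compare_resolvers(CANARY_DOMAINS, resolve_via_system, resolve_via_doh)
    for domain, verdict in verdicts.items():
        print(f"{domain:30} {verdict}")
```

Run it from the home network with the corporate VPN disconnected; once the VPN is up, the OS resolver is usually the corporate one and the check no longer says anything about the router. A "review" verdict is not proof of tampering, since content-delivery networks answer differently by region; a "hijack-likely" verdict (a public host pointing at a LAN or reserved address) is worth escalating.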
Trust but verify with regard to MFA
Your seasoned remote users accessing corporate systems are likely familiar with at least one layer of Multi-Factor Authentication in order to connect. While having MFA in place is better than not having it, users should be aware that MFA is not infallible. With more people working from home and attack techniques growing increasingly sophisticated, it’s important to revisit some common MFA bypasses.
SIM porting
SIM porting has been around for a few years, but it emerged in 2018/19 as part of targeted attacks on banking customers in particular. The attacker, posing as IT support, socially engineers their victim into allowing the phone’s SIM to be ported over to the attacker. The attacker can then use the phone number – which they now control – to verify Multi-Factor requests associated with the login.
Spoofed login pages
Typically delivered via phishing, these link to malicious copies of corporate login screens (such as Outlook Web Access) and forward the MFA code to the attacker as soon as the user attempts to log in.
More advanced versions of this attack were recently released on the open market, in particular with an attack tool called Modlishka published to GitHub in 2019. This tool sits as a man-in-the-middle, loading legitimate webpages (rather than malicious copies) while harvesting the user’s MFA code in real time. Up until recently, this technique had been the domain of custom, targeted attacks – but it is set to become more prevalent.
SMS interception
While this one is relatively rare, it’s important to take note. It allows an attacker to intercept SMS messages by exploiting a vulnerability in the protocol used by telecoms companies to route texts and calls. The attack has been used since 2017 in order to intercept MFA communications from banks to their customers. It goes to show that SMS is a relatively insecure second factor, particularly in comparison to authenticator apps and hardware keys.
Technical Pro-Tip: MFA is still an extremely effective security control, but some factors are stronger than others and it is definitely not bulletproof. As attacks gain in sophistication, and more people work from home and use MFA to access critical systems, we can expect a greater degree of successful MFA bypass. Continue to educate your users, while also assessing the strength of your MFA solution.
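The reason hardware keys fare better than SMS or app codes against the spoofed-page and man-in-the-middle bypasses above is that their assertion is bound to the origin the browser is actually showing. The Python script below is an added example, not code from the original post: it simulates, in simplified form, a one-time code and an origin-bound assertion of the WebAuthn kind, and shows which of the two the genuine login server would accept if the user completed the login through a page at a different domain. The HMAC-based signing is a stand-in for the public-key signature a real authenticator produces; the relying party, origins and secrets are hypothetical.

```python
"""Origin binding: why a relayed one-time code passes but a relayed hardware-key
assertion does not.  Added example, not the original post's code.  HMAC stands in
for WebAuthn's public-key signature; all names and origins are hypothetical."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "example.com"                             # hypothetical relying party id
REAL_ORIGIN = "https://login.example.com"         # where the genuine site lives
OTHER_ORIGIN = "https://login.example-com.test"   # a look-alike page at another domain


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, the kind of code an authenticator app displays."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class OtpRelyingParty:
    """Server side of a code-based factor: it only sees the digits, never where
    the user typed them."""
    def __init__(self) -> None:
        self.secret, self.counter = secrets.token_bytes(20), 0

    def verify(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1
        return ok


class Authenticator:
    """Stand-in for a hardware key: one credential secret per relying party id."""
    def __init__(self) -> None:
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]          # a real key would hand back a public key

    def sign(self, rp_id: str, client_data_hash: bytes):
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        sig = hmac.new(self._keys[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


class Browser:
    """The user agent writes the origin it is actually displaying into clientData;
    neither the user nor a page at another domain can change that value."""
    def __init__(self, origin: str, authenticator: Authenticator) -> None:
        self.origin, self.auth = origin, authenticator

    def get_assertion(self, rp_id: str, challenge: str) -> dict:
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True).encode()
        auth_data, sig = self.auth.sign(rp_id, hashlib.sha256(client_data).digest())
        return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


class WebAuthnRelyingParty:
    """Server side of an origin-bound factor."""
    def __init__(self, rp_id: str, origin: str, credential_key: bytes) -> None:
        self.rp_id, self.origin, self.key = rp_id, origin, credential_key
        self.pending = set()              # challenges issued and not yet used

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd.get("origin") != self.origin:           # the check a relay cannot satisfy
            return False
        if cd.get("challenge") not in self.pending:   # stale or replayed challenge
            return False
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        msg = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        ok = hmac.compare_digest(hmac.new(self.key, msg, hashlib.sha256).digest(),
                                 assertion["signature"])
        if ok:
            self.pending.discard(cd["challenge"])
        return ok


def demo():
    """Returns (code_relayed_accepted, key_direct_accepted, key_relayed_accepted)."""
    otp_rp = OtpRelyingParty()
    code_as_typed = hotp(otp_rp.secret, otp_rp.counter)   # read off the app, typed anywhere
    code_relayed = otp_rp.verify(code_as_typed)

    key = Authenticator()
    rp = WebAuthnRelyingParty(RP_ID, REAL_ORIGIN, key.register(RP_ID))
    direct = Browser(REAL_ORIGIN, key).get_assertion(RP_ID, rp.new_challenge())
    relayed = Browser(OTHER_ORIGIN, key).get_assertion(RP_ID, rp.new_challenge())
    return code_relayed, rp.verify(direct), rp.verify(relayed)


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The simulation is generous to the relaying page: a real browser would refuse the ceremony before the key is even touched, because `example.com` is not a registrable suffix of the other origin. The server-side origin check shown here is the second line of defence, and it is why the advice to prefer hardware keys over SMS holds even against tooling that loads the legitimate pages in real time.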
Attacks against conference calls
While most of us are accustomed to conference calls, there are still sensitive topics that people prefer to discuss in person. With the removal of that option, the conference call becomes the main tool for such discussions, which opens up yet another opportunity for attackers.
Not all conference call platforms are the same. The industry leading videoconferencing platforms are subject to continual security research which means vulnerabilities found are quickly remedied.
More concerning is the traditional conference dial-in system, requiring a phone number and a PIN to enter the call. These PINs are often reused at a later date, enabling uninvited visitors to join. The problem is exacerbated by call providers who may share conference lines among their client base without a dedicated allocation.
Advice – regardless of the conference platform used, ensure that good security practice is maintained. Update videoconferencing clients and plugins in a timely fashion. Ensure that passwords / PINs are set by default, not re-used, and are not distributed beyond the immediate group of people on the call.
The rise of the connected home
Sales of ‘smart’, connected devices for the home have rocketed in recent years, with an estimated 800m sold in 2019 and growth continuing at 20%. Indeed, many of us already have WiFi cameras in the house, smart home systems, smart TVs, and speakers such as Google Home and Amazon Alexa.
The introduction of these devices with such powerful surveillance capability into the home means that the sense of privacy people feel within their own four walls is often unwarranted. Whether discussing sensitive issues over the phone, or even working on a PC, attackers may look to utilize this new, smart device attack surface to access sensitive business information. In some cases, using these devices against home workers may be the easiest route into your organization – an attack would be particularly valuable in the case of senior executives and high-profile personnel. This attack vector has already been explored in depth by the intelligence services; one example being CIA researchers developing the ‘Weeping Angel’ attack tool in order to turn Samsung TVs into remote listening devices.
The insecurities within connected IP cameras are better known, but equally pressing – with millions of devices running on default passwords (or none at all) and little in the way of patches or updates. These devices are at risk of being exploited by botnets such as Mirai, which had captured up to 2.5m home devices at its peak for use in DDoS attacks – or worse, having live views of people’s homes and family life streamed on sites such as Insecam or Opentopia.
Advice – consider engaging a home-cyber review for your senior executives. Ensure that all staff are aware of the risks presented by smart devices, change default passwords, and patch where possible. Check out our VIP Cybersecurity Program for more information. For those working with sensitive, critical data, removing smart devices from the working area of the home may be advisable.
Working remotely definitely has its advantages, but we need to ensure we are staying vigilant: both the security teams and the end users themselves. The human element will always be a large threat, but maintaining caution can help minimize the risk an organization faces.