Remote working presents significant risks to individuals and companies, and supporting the work-from-home model is one of the biggest IT challenges of this pandemic.
Security experts assert that it is key to have a standard technology setup at home. However, home office setups may have poor connectivity, run unapproved software, and lack proper security patches.
Without the protection of a secure corporate network, both company and personal data are at risk of being compromised by hackers.
Kumar Ritesh, a former British Intelligence honcho who owns Cyfirma, a threat discovery and cyber-intelligence analytics company, says that India is a haven for start-ups and a fertile ground for technological innovation, sparking the generation of massive amounts of data that attract cybercriminals. The digitally savvy, youthful population lives a mobile-first, hyper-connected lifestyle that creates a big attack surface for cybercriminals to abuse. Additionally, while digital adoption is breaking new ground, the corresponding cyber maturity is low and not keeping pace with the technological strides.
“All these factors are prompting more nations – especially India’s geopolitical foes – to partake in the cyber game targeting India, where offline military and economic might is negated to position all participants on an even playing field. The Big 3 – namely China, North Korea, and Russia, authoritarian regimes that are suspected of aiding state-sponsored cybercriminal activities – have shown interest in breaching India’s security perimeters,” says Ritesh.
He is sure that remote working has resulted in new attack vectors. Ritesh says integration of business applications with third-party systems can create new vulnerabilities, and employees unaccustomed and untrained in cybersecurity practices can heighten digital risk. As said earlier, Ritesh believes that trade wars and geopolitical tensions in India have also become a catalyst triggering a transformation in the ways we manage and operate technology. They have accelerated digitalization and brought about the inevitable rise in the intensity and sophistication of cyberthreats.
“As digital landscape expands and hackers and state-sponsored groups extend their cyber warfare into businesses and homes, reining in cyber threats and risk requires a mindset shift towards an intelligence-based predictive approach, which Cyfirma’s newly launched – DeCYFIR platform is designed to do. The platform can decode threats and uncover hidden signals in the hyper-connected world,” comments Ritesh.
Porous home broadband networks pose huge risk
Global cybersecurity research and solutions provider TrendMicro’s Head in the Clouds study surveyed more than 13,000 remote workers across 27 countries to find out more about the habits of distributed workforces during the pandemic. The study’s results were a revelation of a kind.
The study found that 42% of workers in India use personal devices to access corporate data, often via services and applications hosted in the cloud. These personal smartphones, tablets, and laptops may be less secure than corporate equivalents and exposed to vulnerable IoT apps and gadgets on the home network. Alarmingly, the study showed that about 37% of remote workers surveyed do not have basic password protection on all personal devices.
The research also revealed that 81% of remote workers in India connect corporate laptops to the home network. Although these machines are likely to be better protected than personal devices, there is still a risk to corporate data and systems if users are allowed to install unapproved applications on these devices to access home IoT devices.
More than 57% of Indian remote workers have IoT devices connected to their home network, 12% using lesser-known brands, the study revealed. Many such devices – especially from smaller brands – have well-documented weaknesses such as unpatched firmware vulnerabilities and insecure logins. These could theoretically allow attackers to gain a foothold in the home network, then use unprotected personal devices as a stepping-stone into the corporate networks they’re connected to.
There’s an additional risk to enterprise networks post-lockdown (as more suspensions of lockdowns are announced in major cities and fewer COVID-19 positive cases are reported) if malware infections picked up at home are physically brought into the office via unsecured personal devices at organizations with bring-your-own-device (BYOD) practices.
Cyfirma’s Ritesh also warns that cybercriminals are interested in exfiltrating personally identifiable information (PII), financially identifiable information (FII), M&A data, intellectual property, and various communication details (e.g. confidential information shared over video conferences). Remote working also exposes employees to credential theft as hackers seek to break into corporate systems and various applications. Based on his company’s research, Ritesh says that cybercriminals are gravitating towards stealing personal behavioral information collected from the likes of smartwatches, fitness trackers, browsing patterns, and health apps.
Botnet battle for home routers – users caught in the middle of new cybercrime turf war
Based on the findings of another relevant study, Trend Micro warned consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The report urges users to take action to stop their devices from enabling this criminal activity.
A recent spike in attacks targeting and leveraging routers indicates that increased abuse of these devices will continue as attackers are able to easily monetize these infections in secondary attacks.
“With a large majority of the population currently reliant on home networks for their work and studies, what’s happening to your router has never been more important,” says Jon Clay, Director of global threat communications for Trend Micro. “Cybercriminals know that a vast majority of home routers are insecure with default credentials and have, hence, ramped up attacks on a massive scale. For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks.”
Trend Micro’s research revealed an increase from October 2019 onwards in brute force log-in attempts against routers, in which attackers use automated software to try common password combinations. In March 2020, Trend Micro recorded almost 194 million brute force logins.
This trend is concerning for several reasons. Cybercriminals are competing with each other to compromise as many routers as possible so they can be conscripted into botnets. These are then sold on underground sites either to launch Distributed Denial of Service (DDoS) attacks or as a way to anonymize other attacks such as click fraud, data theft, and account takeover.
Competition is so fierce that criminals are known to uninstall any malware they find on targeted routers, booting off their rivals so they can claim complete control over the device.
For the home user, a compromised router is likely to suffer performance issues. If attacks are subsequently launched from that device, their IP address may also be blacklisted – possibly implicating them in criminal activity and potentially cutting them off from key parts of the internet, and even corporate networks.
Trend Micro is certain that there is a thriving black market in botnet malware and botnets-for-hire. Although any IoT device could be compromised and leveraged in a botnet, routers are of particular interest because they are easily accessible and directly connected to the internet.
The modus operandi
Phishing attacks have intensified with WFH and attackers are targeting the ‘unsupervised’ workforce. With the COVID-19 pandemic forcing employees to work from home, threat actors are keen to target them while they are away from their organization’s security implementations.
The COVID-19 pandemic was massively leveraged as part of threat campaigns. Ritesh says that his company Cyfirma uncovered the North Korean Lazarus group planning a large-scale phishing campaign targeting more than 5 million individuals and businesses across six countries and multiple continents.
Threat actors deployed attacks that maximized the exploitation of the organization’s security errors and oversight. Attack methods included abuse of Apache and IIS webservers, identifying loopholes to target Cloudflare – the preferred safeguard for servers/websites, port scanning followed by brute-forcing, etc.
Commodity malware is increasingly employed by state-sponsored hacking groups. The latter, including Stone Panda and Lazarus, are utilizing malware that is available for purchase, or as part of a licensing and delivery model, including Emotet, Ursnif, TrickBot, etc., increasingly as drivers of their campaigns.
According to Ritesh, ransomware operators are adopting a ‘name and shame’ modus operandi. All the major operators, including those managing NetWalker, Sodinokibi, Maze, DoppelPaymer, etc., are now exfiltrating data alongside the encryption of the victim’s systems. This data is then used as leverage to force the victim to pay the ransom.
Identifying and mitigating risks arising out of porous home networks
Hackers have discovered, very quickly, that it is easy as well as lucrative to target employees working from home. Without the protection of the corporate network, remote workers are vulnerable to social engineering tactics, phishing campaigns, VPN weakness, and porous home networks.
Traditional ransomware is what’s called a two-phased attack, in which hackers infiltrate the network and encrypt files. When the ransom is paid, the hacker would release the decryption keys. In recent ransomware attacks, the method includes a third step in which data is exfiltrated or stolen.
Hackers would proceed to release the sensitive data onto public forums in their attempt to extract maximum financial benefits. Victim organizations that are unprepared could be left with the choice between paying a ransom demand and totally giving up on the stolen data.
Cybercriminals would use phishing emails, RDP (remote desktop protocol), or a vulnerability (in the operating system, network, application, or web) to gain access to target systems and implant various malware (such as ransomware) to achieve their objectives.
To prevent cybercriminals from achieving their objectives, organizations can take measures related to how they use technology, implement processes, and educate people.
“For many small and medium businesses looking to ensure cyber resilience and this includes averting ransomware attacks, it is important to build a basic level of cyber hygiene. The most important being ‘people’ where employees and individuals must be educated on cyberthreats and risks. This is particularly vital given the prevalence of phishing attacks and social engineering hacking campaigns. From the technology perspective, businesses should incorporate layered defenses with data and endpoint security, gateway-based security, automating scanning, monitoring, and malware removal,” educates Ritesh.
Antivirus solutions, data loss detection and protection, and VPN solutions should also be incorporated. When it comes to processes, businesses should perform threat profiling, threat segmentation, zoning, and risk containerization. Keeping the core content encrypted would be both prudent and necessary. The basic process of daily data backup would be a good policy to adopt too. When it comes to governance, businesses should incorporate a good cyber threat visibility and intelligence program to complete their cybersecurity strategy.
Here are some golden cybersecurity tips laid down by Ritesh
There are a number of security controls which can be put in place to mitigate the risk of remote working and they are as follows:
- To prevent company and personal data from being exfiltrated, ensure adequate data protection solutions are in place to control the inflow and outflow of data
- To prevent company contact details and other personal information from being compromised, implement malware and phishing detection controls
- To prevent company financial details from being stolen, limit who has access to files and how files are shared. Ensure confidential files repositories are not on employees’ local computers but are instead residing in a secure cloud that can only be accessed via VPN.
- To prevent personal behavioral information from being stolen, use endpoint security controls such as firewalls, file integrity checks, and behavior analysis tools to detect anomalies
- Keep credentials to corporate systems safe in a vault and implement a rigorous identity management system
- To prevent cybercriminals from gaining access to corporate systems and applications, let remote employees use thin-client solutions or virtual machines to access corporate data.
(Anusha Ashwin: firstname.lastname@example.org)