Malware Risks Triple on WFH Networks: Experts Offer Advice | Threatpost

Researchers say home office networks are 3.5 times more likely than corporate networks to be infected by malware. That statistic comes into sharp focus as the coronavirus pandemic forces companies to shift to a work-from-home workforce. 

The home networks on which remote workers are now using corporate devices are plagued by everything from exposed cable modem control interfaces (via the TR-069 or TR-064 protocols, or other remote management functions) to exposed web administrative interfaces (for cable modems, routers, cameras, storage and other IoT devices).

These risks expose corporate assets, which typically sit behind a company firewall, to the network threats prevalent on residential networks, researchers warned on Tuesday. Threats such as the Mirai botnet were observed at least 20 times more frequently on work-from-home networks than on corporate networks. Researchers also note that TrickBot malware was observed at least 3.75 times more frequently on home office networks than on corporate networks.

In this week’s Threatpost Podcast, Threatpost talks to Dan Dahlberg, director of security research at BitSight, who discusses new research that looks at the bevy of threats remote workers face.


Below find a lightly edited transcript of the podcast.

Lindsey O’Donnell Welch: Welcome back to the Threatpost podcast. This is Lindsey O’Donnell Welch with Threatpost. And today we’ll be discussing some new research about the unique cyber security risks that remote work is presenting, which is obviously a really big topic and the current state of things. So I’m talking today with Dan Dahlberg, who is the director of security research at BitSight. Dan, thank you so much for joining us today.

Dan Dahlberg: Oh, yeah, no worries. Thank you.

LO: Great. And so this week BitSight came out with new research that looked at different networks that were being targeted by malware and in particular, corporate-associated remote office IP addresses. And Dan, that’s pretty important to be looking at today with these unprecedented work-from-home levels.

DD: Oh, yeah, yeah, absolutely. What made us particularly interested is that there’s been, with everything that’s happening, a big change in where all the different corporate devices are now sort of residing, you know, not necessarily on a corporate network, but at home. And what we wanted to do was sort of measure what different risks these networks are facing, and those devices now on these networks, versus the traditional corporate network.

LO: Right, absolutely. Well, one of the top takeaways for me just looking over the research is just the sheer level of increased risk that was present on home networks versus corporate networks. And I mean, there were some pretty staggering takeaways in terms of the threats that were stemming from unprotected networks. For instance, you found that 45 percent of companies had malware on their corporate associated home networks, whereas only 13.3% of companies had malware on their corporate networks. And so, given everyone being remote nowadays, that’s pretty concerning. So just to start, can you tell us about kind of the methodology behind this research? Really how you hunted down the home remote office IP addresses versus corporate ones, and kind of help us better understand what was at risk?

DD: Oh, yeah, absolutely. And I can give you sort of a background of how we approached this and sort of how we came to our results. So to give a little bit of background on sort of what BitSight does, because it’s pretty important to how we actually conducted this exercise: we measure the security performance of organizations using externally available information. So we don’t actually have to go on site at a company to gain information about how they perform in certain areas that we use to measure their performance and ultimately create a security rating. There are many different data inputs that factor into this measurement, this rating; one of those is looking at compromised systems. And generally we’re gathering this information by doing activities such as sinkholing, and effectively trying to understand how different networks communicate, and sort of inject ourselves in the process. So what ends up happening is we operate a set of infrastructure, and we actually observe infected machines talking to us. So as machines get infected with various forms of malware, they may actually reach out to our infrastructure. We can also gather information, depending on the malware, in different ways. So some malware implements peer-to-peer communication, so you can crawl the peer-to-peer network to understand all the infected devices in there.

So we have this huge base of telemetry that we use to do this, because for example, going back to compromised systems, if you see that a given company does have infected devices on their corporate network, it’s a very interesting piece of evidence when it comes to that security performance and the effectiveness of their security controls. But so you have all this telemetry, and the second step you really have to do is you have to understand what assets given organizations are responsible for, meaning what IP addresses do they use out on the internet, what domain names do they use on the internet. Because once you can create what we call this company map or entity map, you can then join those two datasets together. So you can say, if you have the asset list for Company A, and you know that they use these IP addresses for their corporate office, for example, and you then have a set of information that shows infected devices talking to our infrastructure, you can then join those two together to understand, oh, hey, this device is originating from Company A. So those two data sets actually allow us to do a lot of this information gathering.

Now when it comes to this study, we actually went one step further. So we have, as part of our normal operations, these company maps that represent the traditional corporate infrastructure. But given, as we were just talking about, the threats faced by these working-from-home networks, we wanted to kind of take that company map and go one step out. Right? So we want to find all the different IP addresses and networks that are very closely associated to the corporate networks, but aren’t actually controlled by the corporate networks, or the corporate, where the company doesn’t really have authorization to enforce policies and various other activities. And that’s traditionally gonna be, of course, the residential working-from-home networks that we want to focus on. So, to do that one-step-out extrapolation, what we wanted to do was very much narrow down our search into specifically the work-from-home office networks. And that’s important to know, because if you do take one step out, right, if you look at the corporate network and try to see what are the associated, affiliated networks, we’re actually going to get a lot of noise in that process. You’re gonna get cellular networks, right, you’re going to have devices that have been observed on the corporate network. But basically, this process was, we looked at the devices observed on a corporate network and found what other networks these devices are most commonly seen on, and going through that process, using that method, you’re going to get a lot of cellular networks, as I just mentioned. You’re going to get situations where Internet Service Providers configure their own networks where they put many consumer networks behind a single IP address, so many homes behind a single IP address, for example. So that can certainly introduce a lot of noise. You can also have other businesses, right?
If my laptop’s at work, and you know, I go and visit another company, for example, and I connect to their guest network, my device will be seen on their guest network. But that’s not the type of network that we want to be included in this study. So we did some modeling and rules and different heuristics, and we sort of removed those networks from being populated in this one step out. So that’s why we’re calling it the working-from-home remote offices, to specifically highlight the fact that we’re trying to exclude these other networks. So largely in that process, we built two different asset maps, two different company maps: the assets that the company themselves use, and then the assets that are at one step out from the company network, the different IP addresses that are going to be the home offices and various other activities. And as part of the actual study itself, we were then able to join our telemetry that, you know, I was talking about a moment ago that we traditionally do, we join that to the company maps, and we also joined it to these work-from-home remote office maps. And then that study involves sort of the analysis and the differences between these two different sets. How do the risks for corporate networks differ, compared to the remote office networks, using the same telemetry about compromised systems data? And the other data set that was part of this study was an evaluation of the perimeter of the network. So in the sense of corporate networks, looking at what services and ports are open, and the same for the working-from-home remote office networks.

LO: Right, it sounds like there’s a lot there that can kind of be unpacked and kind of a lot of different factors that you’re really crunching into this study. And am I correct in saying that you were looking at a sample of 41,000 U.S.-based organizations?

DD: Correct. Yeah. So we based the study and created those different working from home maps based on 41,000 companies.

LO: Right. So, definitely a lot to look at there. Now can you talk a little bit about the main, I guess, risks that were uncovered between the home networks and corporate networks? Especially from kind of the eyes of a cyber criminal, who might be interested in launching these attacks, what were some of the main takeaways in terms of the risks that you guys discovered?

DD: Oh, yeah, certainly. So as I just mentioned, we focused this analysis on compromised systems data, as well as the network perimeter data, because one thing we wanted to actually strive to understand, and going into your question, is: for any given company, when they are building a security program internally within their organization, they are operating under a specific threat model, right? They’re looking at all the different risks that they are facing from all the different activities that that business is doing, the devices that are being used and the infrastructure that they have to host. And for companies that are not quite used to having employees being able to work from home, especially this persistently, with devices already available to them with proper controls and configurations, what is new that is actually being introduced into their sort of “now” environment, right? Into the threat model. So largely, what we’re, you know, running across here is that there are numerous, the basis of these findings are generally geared to the fact that consumer networks are obviously using many different types of devices at home, right, compared to what the corporate networks are doing, and also at the same time, they’re being managed very differently. So a lot of the major findings and a number of the major findings within the report include both the compromised system differences and the network perimeter. So for example, in the network perimeter, we’re seeing a lot more cases where there are administrative interfaces exposed on those home networks. And this is coming through cable modems and routers and even devices that users would purchase and have internally, such as home automation systems and network storage and things like that, that they may want to be using for different activities.
And from the compromised system side, you know, we’re seeing that the distribution of malware, one interesting finding is that there are certain malware families that, in relative terms, are seen much more frequently on home networks than they are on corporate networks.

LO: I know that you had mentioned in the report that you observed, for instance, Mirai to be at least 20 times more frequently observed on corporate-associated home networks than corporate networks. And then you also mentioned TrickBot was observed almost four times more frequently on corporate-associated home networks than corporate networks. And I could kind of understand Mirai, since it is typically targeting, you know, vulnerable connected devices or IoT devices that are used in consumer home environments. Were there any other types of malware that were targeting these consumer-like corporate-associated home networks that were surprising to you?

DD: Oh, yeah, yeah. From our study, what was actually quite interesting is that the vast majority of families that we are tracking through the activities I was mentioning earlier are seen more frequently on home networks than they are on corporate networks. But what was actually fascinating to observe was the differences of some families in terms of, as you just stated, Mirai was observed far more frequently on home networks than TrickBot, for example. And there are other families that we did observe that have that bias, that strong bias towards the consumer networks. Things such as QSnatch, which was a malware family that was exploiting different vulnerabilities in QNAP systems that are generally geared towards the consumer. You have other families that were also observed targeting certain IoT devices like smart TVs; they’re generally used in the home as well.

But another big group out of that as well was a lot of the malware families that were targeting Android devices, which are also observed far more frequently on home networks. And this is likely due to the fact that, if you think of the context of how corporate environments allow mobile devices into their network, the vast majority of them are going to be managed by mobile device management solutions. And those mobile device management solutions, as being configured by the different security operations teams, you know, they’re going to enforce certain policies on devices that will make them far less likely to be compromised. So in order for a device to be on a corporate network, the user may have to install a set of policies that actually, of course, helps them secure their device further. So that was another big group of families that were having that kind of stronger bias towards the residential network. And these were devices that were largely out of date, they’re running older versions of Android, or they were devices that sideloaded applications, which, you know, enabled that network to get on there. And a lot of different reasons from that side. So we saw that kind of difference grow in this distribution between families.

LO: And it does kind of bring to mind the mobile device management side of things and how important that is right now, with more remote workers being deployed in the workforce. And you know, what kind of stuck out to me too is a lot of the different types of malware that you guys have discovered do have built-in features that are meant to target remote workers. Like I know, for instance, that the TrickBot malware had recently added a module that was built for brute-forcing Remote Desktop Protocol accounts. So those are usually used by tech support for troubleshooting or by telecommuting workers.

So, you know, a lot of these malware strains seem like they are kind of looking to tap into this remote workforce. Now, from your standpoint, are you seeing these malware types using kind of spray-and-pray tactics, where they’re pushing out the attack and victims on home networks just happen to kind of fall prey? Or do you think that these attacks are more targeted and are actively sniffing out victims that are on kind of unprotected networks?

DD: No, that’s a good question. So if you look at the different credential stuffing attacks, just like TrickBot, and a number of others that are taking advantage of, you know, RDP services exposed on company networks, right, that’s another component actually that we used to factor into when we measure security performance. Those are, I think, actually probably end up being quite a bit more effective against corporate networks than they are against consumer networks, from those credential stuffing type attacks. And when I say that, these attacks are traditionally carried out by these actors taking advantage of all these credentials, these usernames and passwords, now quite easily available on the internet because of breached companies, right. You know, you see services like Have I Been Pwned trying to compile them and alert people that their credential has been stolen, to convince them and encourage them to change the password associated with them.

So they take all these usernames and credentials and throw them at services. And I think the primary advantage or the primary sets of devices or services, right, that these actors are going towards is trying to take these credentials and spray them against other services, right. So if your credentials for a forum account were leaked, because the forum was breached, the actor is going to try that against your bank. It’s going to try it against your email, right? And they’ve had a lot of success with that. And now, as you just described, right, they’re taking those and trying them against these other services in corporate environments such as RDP, and doing it that way. When it comes to the home network, unfortunately, the advantage attackers do have in the home environment is that, you know, they’ve demonstrated in the past, with Mirai for example, success just simply trying the default username and password, that the users may not actually change, or the vendor themselves might actually not have given forethought into the actual workflow of setting up the device to actually encourage the user to change it, and various other situations. So those sorts of brute-forcing and credential stuffing attacks, they certainly pose a risk to home networks, but I’d say probably in a slightly different way. I’m sure those credentials actually could be potentially used, even for users who tried to smartly secure their home devices. But that’s a little bit of an added workload, I think, probably from the malicious actor standpoint. Because for a given RDP session at a corporate network, right, there’s just a single computer and they’re throwing thousands of credentials at it. Versus, of course, the distributed home networks. It’s gonna be a lot more effort from that side. But default credentials and credential stuffing are, of course, big risks to organizations right now.

LO: I also wanted to ask about the observed exposed services that you have detected. What were some of the most common exposed services that you found that were impacting these IP addresses? And how did that differ between home remote office IP addresses and corporate IP addresses?

DD: We’ve mostly been talking about the differences that we were observing on home networks in regards to malware. But, of course, the other thing that we did take a look at was understanding how the network perimeter differed. So for corporate environments, you know, in order for the organization to actually carry out activities, they may be hosting many different types of services, from the website for the organization to many other websites to facilitate services that they need to offer, whether or not it’s B2B services or even a consumer portal or test development instances, APIs, etc. They may, of course, also be self-hosting their email. So they may have different protocols and services related to email being available and open. As well as many other different things depending on, you know, the type of activities that those corporate networks need to be doing. On the other hand, when you’re looking at a consumer network, there’s generally not a lot of standard expectations that you would have, right, for a home network when it comes to the network perimeter. Like, again, for the corporate perimeter, you know, having email services exposed, having websites exposed, having various other activities, whether or not it’s remote access tools, VPN services, things like that. That’s kind of standard, right. But when you’re talking about the home network, there’s not a lot of base intuition on what you would expect, because traditionally, residential networks or home networks aren’t offering those very types of services that are very common on the corporate environment side, meaning it’s rather very uncommon for a person to be hosting their own website at home. Of course, it was far more popular historically, but it’s very uncommon now. And same with self-hosting email, same with really any sort of activity that would normally involve keeping a service and port open.
There are some exceptions when it comes to different IoT devices, or even people who may want to be setting up remote access to their own internal tools like home automation systems, where you could expect those services to be open. So with that in mind, that’s how we kind of approached this problem. That’s how we kind of approached the studies. You know, what are the different expectations? What do we actually see? So, taking a look more specifically, the thing that stands out the most, and it was largely most expected, is that the biggest difference in services between the corporate network and home network is actually the cable modem control management protocols that are being used.

So if you think of things like TR-069 and TR-064, respectively they, of course, enable the internet service provider to manage different settings on the consumer systems, right, on the consumer modem. So you would expect this actually to be far more common on home networks. And we actually observed that to be the case. In fact, we saw very few companies actually have the service open; in the cases that it was actually open, this likely was a satellite office or some other very small business accordingly, where they’re actually using equipment provided by the service provider. But in this case, for home networks, if you think of residential networks, more often than not the person is going to be using equipment provided by the service provider themselves. So the service provider gets to configure that how they wish, and often they expose this control interface that allows them to manage that. Other large differences that we’ve seen: a lot of instances where residential networks were just hosting something like a website, right. Which is, of course, very peculiar, because you would expect there to be very few, but what this turned out to be were a variety of different administrative interfaces, or control interfaces, of any sorts of different products that were sort of operating on the consumer network, whether or not they were the router itself, or also the modem, like the admin interface, that oftentimes, from what we observed from sampling, was often due to the home user actually just disabling their firewall, and when they disabled their firewall, it exposed this interface, and sort of various other activities like that. We saw a lot more file sharing taking place on home networks than on corporate networks, because that’s a very standard thing for corporate environments to block accordingly.
We also saw, unfortunately, a lot of instances with cameras, where the protocol that cameras actually use to stream video feeds, real time streaming protocol (RTSP), we saw a number of those services open on home networks. And that’s often because of, you know, cameras that, you know, users will purchase and set up for protecting the home, and various other cases like that. But they were being inadvertently exposed to the internet in a lot of use cases. We also saw some remote access protocols and services such as Telnet, like even those that you would not expect users to be using in any sort of legitimate means, like these deprecated services that even corporate networks should be avoiding, such as Telnet again, seen often exposed on those home networks, for very similar reasons relating back to IoT, relating back to different routers and modems as well.

LO: Right. Yeah, I was surprised and also a little disturbed to see Telnet mentioned. This kind of brings to mind the fact that user education is so important here in trying to prevent some of these risks. Do you think that right now, with these unprecedented levels of people working from home, a lot of the risks are coming from just a lack of education and awareness? And if so, I mean, do you think this is something where hopefully we can prevent these types of cyber threats from happening in the future? What’s kind of the main driver here?

DD: Yeah, I mean, if you think about it, working from home, of course, isn’t a new concept. You know, we’ve been doing that for many decades at this point, to varying degrees. And there are going to be different organizations, I think, that are gonna be more prepared for it than others. You know, for organizations that have sort of adopted their security model from day one to sort of be zero trust, right. Basically, don’t really trust the device, don’t really trust the local network in any capacity, even if I’m physically next to the resource that I’m trying to access. And companies that have instilled that model internally already are going to be much more ahead of organizations that have sort of put way too much emphasis on the local network itself. And, because of that, the former group, the ones that have been focusing on zero trust, have been building the means of accessing data, building endpoint protection technologies and other policies and processes from day one, to be actually quite coherent and to be very sophisticated from that side, and not over-relying on a lot of these network-based solutions. Those, of course, require all that network traffic to be passing through the corporate network, or at the same time aren’t used to how these corporate devices are being exposed to untrusted environments at different times. So organizations certainly have to kind of understand not only the threats they’re facing, but also how they build and how they shape their policies internally to deal with this. And certainly for organizations not prepared to have thousands, tens of thousands of employees working remotely, such as the policies configured, you know, they’re facing this higher risk. And reflecting back on the home user and even these other devices internally within the home network, there is certainly education that can help users, that those companies can help sort of instill.
So organizations should continuously be having education to prevent phishing attacks and various other activities. And they should also be including material, for example, on how that user can protect their corporate device further, or even encourage them to extrapolate that knowledge into their own home environment. So following manufacturer best practices that are provided, and those various other recommendations and activities that can happen. So there are going to be organizations that are prepared at a different level here, as far as what the next step forward is going to be, and organizations really have to consider, especially those that have put an overemphasis on physical access and having implicit trust on certain networks, and those various other mindsets, are going to be the ones that are going to have to make probably the biggest change. And of course, at the same time, you know, they’re not only dealing with these different security model changes, they’re dealing with a different business model change. With everybody working from home and with the economy shaping up, they’re tapped to have to juggle a lot of stuff right now. So it’s an even more amplified problem.

LO: Right, definitely a lot of changes happening at this point. So well, Dan, thank you so much for coming on today to talk a little bit about the network threats that remote workers are facing and breaking down your research.

DD: Oh, yeah. Thank you for having me.

LO: Great. And once again, this is Lindsey O’Donnell Welch with Threatpost and Dan Dahlberg with BitSight. Thanks for listening to us on the Threatpost podcast today.