As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one.
As organizations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have inadequate or naive security postures as a result. Given the challenges in securing work- and learn-from-home environments, the attack surface represents an attractive opportunity for threat actors.
“Working from home or online education programs are not new. However, a large, immediate migration of people from enterprise and university networks that are closely monitored and secured, to largely unmonitored and often unsecure home Wi-Fi networks, creates a very large target of opportunity for cybercriminals,” Chris Hazelton, director of security solutions at Lookout, told Threatpost. “These users are outside the reach of perimeter-based security tools, and will likely have higher exposure to phishing and network attacks.”
Attacks Ramp Up
Researchers say that the first rash of efforts aimed at remote students and workers is likely to play on their fears and concerns about what sent them home to begin with – the coronavirus itself.
The concern is more than theoretical. Already, attackers have been leveraging coronavirus-themed cyberattacks as panic around the global pandemic continues – including various malware attacks involving Emotet and other threats. An APT, for instance, was recently spotted spreading a custom and unique remote-access trojan (RAT) that takes screenshots, downloads files and more, in a COVID-19-themed campaign. And the World Health Organization (WHO) has issued warnings about scammers pretending to be the organization. That activity is expected to expand along with the expanded attack surface, researchers said.
“In general, attackers are looking for a vulnerability to deliver their attack,” Chris Rothe, chief product officer and co-founder of Red Canary, told Threatpost. “In this case, people’s fear over the virus is the vulnerability attackers will look to capitalize on. If an individual is concerned or stressed about the virus they are less likely to remember their security training and will be more likely to, for example, click a link in a phishing email or give their credentials to a malicious web site.”
This forgetfulness when it comes to security can be especially true for those who are not used to working or learning at home: “People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and web browsing,” Colin Bastable, CEO of security awareness training company Lucy Security, said in an email interview. “This increases the risks that they can introduce to their employers and colleagues, by clicking on malware links. So now is a great time to warn people to be ultra-cautious, hover over links and take your time.”
Organizations may be distracted as well, leading to increased risk. For instance, Otterbein University in Columbus, Ohio, was hit with a ransomware attack in the past week, just as it was making preparations to switch to online classes. The situation forced the school to extend its spring break for another week as it dealt with the problem, since it was rendered incapable of delivering online education as planned.
University officials told the local ABC station that it’s unclear what the attack’s infection vector was, and that they’re not sure when things will return to normal – both potential indicators of cybersecurity unpreparedness and IT resources stretched thin.
Top Challenges in Remote Working
A lack of IT resources can bite many organizations as they move to enable remote strategies. When workers and students are sent outside the normal perimeter, managing device sprawl, and patching and securing hundreds of thousands of endpoints, becomes a much bigger challenge.
“As a security team you lose control of the environment in which the user is working,” Red Canary’s Rothe said. “Have they secured their home Wi-Fi? If they’re using a personal computer, what mechanisms do you have to ensure that device isn’t compromised? Essentially, your network perimeter now includes all of your employees’ homes. Some security programs are ready for this, some aren’t.”
In terms of those that aren’t ready, it’s important to remember that there’s a wide swath of companies that don’t normally enable telecommuting, warned Sumir Karayi, CEO and founder of 1E.
“Government, legal, insurance, banking and healthcare are all great examples of industries that are not prepared for this massive influx of remote workers,” Karayi told Threatpost. “Many companies and organizations in these industries are working on legacy systems and are using software that is not patched. Not only does this mean remote work is a security concern, but it makes working a negative, unproductive experience for the employee.”
The challenges are particularly notable for those working in regulated industries, he added, and those that use proprietary or specific software – such as stock traders or airline reservationists.
“Regulated industries pose a significant challenge because they use systems, devices or people not yet approved for remote work,” he said. “Many companies must have secure environments and devices to meet regulations; it is not possible to secure and certify remote work because of security concerns and unauthorized people gaining access. Proprietary or specific software is usually also legacy software. It’s hard to patch and maintain, and rarely able to be accessed remotely.”
Also complicating the picture: Many organizations, including many schools, have proprietary, on-premise software that will require special configurations in order to be made accessible remotely.
“In a world of growing SaaS and cloud adoption this can be very seamless, but if your systems are all on an internal network the challenge is providing users a secure way to access those systems via a VPN or other networking solution,” Rothe noted.
And, adding insult to injury, workers in regulated industries are often stuck with endpoints that have cumbersome security protocols – which ironically can add to the attack surface.
“When they need help from IT, IT often does not have the right tools, so they have to try and take over the machine, which wastes a lot of time and is a security risk,” Karayi noted.
There’s also, of course, the specter of an increased threat from the mobile sphere. “Students and workers remaining at home, or possibly stranded in remote locations are going to be heavily dependent on their mobile devices,” Lookout’s Hazelton said. “Mobile attacks are particularly effective because they often trigger immediate responses from recipients – instant communication platforms like SMS, iMessage, WhatsApp, WeChat and others.”
Best Practices for Remote Working and Learning
Fortunately, companies and schools can plan for distance learning and working in order to meet some of these challenges.
“The first step employers should take right now is to conduct a remote-work tabletop exercise with their key executives and line of business leaders,” said Rick Holland, CISO and vice president of strategy at Digital Shadows, speaking to Threatpost. “You need to inventory your business applications and identify the mission-critical ones. For SaaS applications, follow up with your providers and inquire about their business continuity plans. For on-premises applications that require VPN connectivity, test and validate that VPN connectivity for higher utilization than usual.”
Making risk-assessments of remote workers’ computing setups is essential as well, he added. Questions to ask include how they will connect to the company’s systems, and from which devices.
“The staff could connect from company-issued laptops or options like Citrix or Amazon Workspaces that enable staff to work from any device,” Holland said. “It might also be necessary to roll out new VoIP and increase web conferencing services licenses.”
It’s also important to consider the issue of on-premises software, including costs. “You cannot replace legacy on-premises applications overnight, so increasing VPN capacity to accommodate more staff working remotely could be expensive,” Holland said. “One of the unintended consequences of COVID-19 will likely be increased zero trust adoption that further embraces cloud services, eliminates VPNs, and enables employees to work from anywhere.”
And finally, given the social-engineering aspect of most attacks, user education is more important than ever.
“So yes, make sure your employees and students are up-to-speed with the latest info on the coronavirus and that they know how to protect themselves and their families from the virus itself, as well as all the fraud artists following in its wake,” said Eric Howes, principal lab researcher at KnowBe4.