As we predicted over 12 months ago, and as we’ve discussed several times in 2020, attacks that exploit the move to Work From Home/Remote Users are on the rise. The CISA (Cybersecurity & Infrastructure Security Agency) recently issued a report about new and trending attacks that exploit the remote user environment. The move to remote work has also accelerated the migration to cloud-based computing, which has led to a similar rise in the exploitation of those services. What kind of attacks are they, and how can you protect yourself from them?
Which Remote Worker Hacks Are Rising?
The easiest way to describe which remote worker hacks are rising is that they generally exploit “poor cyber hygiene practices within a victims’ cloud services configuration.” And while that’s quite vague, the exploits are what you might expect:
Remote Worker Phishing
Phishing hacks use counterfeit emails that carry harmful documents, code or links and are made to look legitimate. With the rise of remote work, these emails are increasingly made to look like cloud service logins and “secure” messages from the company that require a login to view.
If the remote worker doesn’t detect the email as phishing and attempts to log into the fake site, the credentials are stolen and in turn used by the "threat actors" (a technical term for the bad guys or cyber criminals) to log into the resource, where they can do a variety of different kinds of damage.
Brute Force Login Attempts
When workers left the office and began to work remotely, some companies didn’t take adequate precautions to secure their networks. The CISA cited one case where the organization placed their Terminal Server access point on the internet without configuring it so that it could only be accessed through the company’s VPN (Virtual Private Network). The result was that the login screens were visible to anyone on the Internet, making it possible for Threat Actors to repeatedly attempt to break into the system.
Email Forwarding Rule Exploits
We have not discussed this exploit on these pages before. In this scenario, a remote worker may have set up forwarding rules on their organizational email account so that mail was sent to their personal email accounts. The rules were modified by the Threat Actors to send the emails to their own email accounts, giving them copies of confidential information contained in those emails.
These same methods could be used by Threat Actors to forward all of that user’s email, or to implement search filters so that all mail containing certain keywords (i.e. account information, login credentials, etc.) is forwarded to them, giving the Threat Actors access to virtually any organizational information they wish to receive.
How To Guard Against Remote Worker Hacks
The short version of this story, and those we repeatedly report on in this space, is that there is no end to the creativity of Threat Actors who want to breach a system more than the organization wants to protect that same system. As a result, the CISA published a list of 21 recommendations for helping to protect organizations from these Remote Worker Hacks and others. Among them...
Multi-Factor Authentication (MFA)
No method can or should stand alone as a defense against hacks, breaches and other exploits, but MFA remains one of the single most effective methods of preventing unauthorized access. With MFA, each login attempt is followed by a secondary method of confirming the login credentials, often as a text message with a special code sent to the user’s mobile phone. The system -- whether it’s a cloud or internal system -- then requires the code in order to proceed with the login.
Without the code, the hacker cannot gain access to the system. However, as the CISA noted in its report, even MFA is not 100% effective, since social engineering (i.e. Threat Actors lying to you) and other technical methods could possibly circumvent MFA.
Security Information and Event Management (SIEM)
Modern cybersecurity technology requires each system to maintain access and user logs of all activity. Even in a small organization, there could be dozens of systems, each with thousands or millions of lines of logs generated every day. Auditing those log files manually is impractical, which is why SIEM systems were created.
These Security Information and Event Management systems can automatically combine, review and integrate activity across all your systems, synthesizing the data in order to create a unified picture of the organization’s activity. This makes it possible to identify unusual patterns and unauthorized access by Threat Actors.
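To make the “unusual patterns” idea concrete, here is an added example (our illustration, not code from the CISA report) of the kind of rule a SIEM applies to the brute-force login attempts described above: it reads constructed authentication log lines and flags any source address that piles up failed logins inside a short window, and also a login that succeeds from that same address while the failures are still fresh. The log format, sample lines and thresholds are assumptions made for the example.

```python
"""Flag sources that repeatedly fail to log in, the pattern a SIEM would surface.
Constructed example: log format, sample lines (RFC 5737 test addresses) and
thresholds are assumptions, not taken from any real product or report."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN (?P<result>FAILED|OK) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
FAIL_THRESHOLD = 4              # failures inside WINDOW that raise an alert
WINDOW = timedelta(minutes=10)

SAMPLE_LOG = """\
2020-10-05T08:00:01Z LOGIN OK user=alice src=192.0.2.10
2020-10-05T08:01:10Z LOGIN FAILED user=administrator src=203.0.113.5
2020-10-05T08:01:12Z LOGIN FAILED user=admin src=203.0.113.5
2020-10-05T08:01:15Z LOGIN FAILED user=root src=203.0.113.5
2020-10-05T08:01:19Z LOGIN FAILED user=administrator src=203.0.113.5
2020-10-05T08:01:30Z LOGIN OK user=bob src=203.0.113.5
2020-10-05T08:05:00Z LOGIN FAILED user=carol src=192.0.2.11
2020-10-05T09:30:00Z LOGIN FAILED user=carol src=192.0.2.11
"""

def parse_line(line):
    """Return a dict with ts/result/user/src, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Return (src, kind, detail) alerts: a burst of failures, or a success right after one."""
    recent = defaultdict(deque)     # src -> timestamps of failures inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts, q = rec["src"], rec["ts"], recent[rec["src"]]
        while q and ts - q[0] > WINDOW:      # slide the window forward
            q.popleft()
        if rec["result"] == "FAILED":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append((src, "brute_force", f"{len(q)} failures within {WINDOW}"))
        elif q:   # login succeeded while failures are still in the window
            alerts.append((src, "success_after_failures", f"user={rec['user']}"))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags 203.0.113.5 twice (the burst, then the success that follows it) and stays quiet about carol’s two failures, which are more than an hour apart.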
Review Forwarding Rules
Require the regular review of all email forwarding rules, and consider restricting the automatic forwarding of emails outside of the organization.
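As an added illustration of what such a review can look like when scripted (our example, not code from the CISA report or from any mail platform), the snippet below walks a constructed list of mailbox rules and reports the two things the forwarding-rule exploit above relies on: forwarding to addresses outside the organization, and keyword filters on sensitive terms. The rule record layout, the organization domain and the keyword list are all assumptions.

```python
"""Review mailbox forwarding rules for external destinations and keyword filters.
Constructed example: rule records are plain dicts, not an export from any real mail
platform; ORG_DOMAIN and the keyword list are assumptions."""

ORG_DOMAIN = "example.com"
SENSITIVE_KEYWORDS = {"password", "credential", "account", "login", "invoice"}

# Constructed sample rules: one personal external forward, one internal, one suspicious.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "to my phone",
     "forward_to": ["alice.home@mail.invalid"], "subject_contains": []},
    {"mailbox": "bob@example.com", "name": "Archive",
     "forward_to": ["archive@example.com"], "subject_contains": []},
    {"mailbox": "carol@example.com", "name": ".",
     "forward_to": ["drop@attacker.invalid"],
     "subject_contains": ["password", "account", "newsletter"]},
]

def is_external(address):
    """True when the recipient's domain is neither the organization's domain nor a subdomain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)

def review_rule(rule):
    """Return the reasons a rule needs human review; an empty list means none."""
    findings = []
    external = [a for a in rule["forward_to"] if is_external(a)]
    if external:
        findings.append("forwards outside the organization: " + ", ".join(external))
    hits = [k for k in rule["subject_contains"] if k.lower() in SENSITIVE_KEYWORDS]
    if hits:
        findings.append("filters on sensitive keywords: " + ", ".join(hits))
    return findings

def review_rules(rules):
    """Map 'mailbox / rule name' to its findings, keeping only rules that have any."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[f"{rule['mailbox']} / {rule['name']}"] = findings
    return report

if __name__ == "__main__":
    for key, findings in review_rules(SAMPLE_RULES).items():
        print(key + ":", "; ".join(findings))
```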
Don’t Allow Personal Devices
The CISA recommends that organizations consider policies that do not allow employees to use personal devices (cell phones, laptops, etc.) for work. Not allowing these personal devices also has the added benefit of simplifying access rules, because fewer scenarios need to be managed.
Block Older Access Methods
Technology is often updated to incorporate higher levels of security. By allowing older “legacy” authentication protocols, such as WEP, Transport Layer Security (TLS) 1.0, POP3 or IMAP email, and hundreds of others, organizations open themselves up to exploits in the weaker security protocols that those systems support.
Focus on Awareness Training
Organizational security depends on everyone’s participation and support. If users are not aware of the importance of security protocols, the reasons for their existence, why it’s unwise to try to circumvent them, and how to identify potential security issues such as phishing, social engineering and other suspicious activity, then they are less likely to respond appropriately to them.
Big Business CyberSecurity On A Small Business Budget
And while the CISA’s list for preventing remote worker hacks is long, it’s not entirely comprehensive or as detailed as it could be. At Digital Uppercut, our Business Protection Toolkit can help small and medium sized businesses like yours achieve the same kind of security that big businesses with big IT departments and big IT budgets have. Contact Digital Uppercut today to learn more, and to help prevent your company from becoming a victim of remote worker hacks, internal hacks, breaches, ransomware and other malware attacks. Call us at 818-913-1335 or contact us online.