Redscan is urging businesses to stay alert as employees return to the office post-lockdown, warning that cybercriminals may be waiting for remote workers to reconnect to corporate networks before triggering attacks.
During the COVID-19 pandemic, more employees have been working from home than ever before. This situation has significantly increased cyber security risks for organisations, with many lacking sufficient controls to protect workers outside of the office – something criminals are taking advantage of by targeting unsecured endpoints with increasing regularity.
Over the last eight weeks, Redscan’s in-house Security Operations Centre (SOC) has observed a significant global increase in threat activity targeting its customer base. This includes a surge in malspam, external scanning attempts to identify weaknesses in the use of remote access tools, and account login attempts from unknown locations.
George Glass, Head of Threat Intelligence at Redscan said: “During the COVID-19 pandemic there has been a steady stream of organisations reporting cyberattacks. However, this is only likely to be the tip of the iceberg. Many more organisations are certain to have been targeted without their knowledge.”
According to the Ponemon Institute, the average dwell time – the time it takes organisations to detect breaches – is 206 days. Redscan believes that this figure is very likely to increase during the COVID-19 crisis, particularly if IT and security teams lack the ability to proactively identify the latest endpoint-focused attacks.
Glass says: “To maximise returns, cybercriminals will bide their time in order to conduct reconnaissance, avoid detection and strike at the most opportune moment. As employees return to work post-lockdown and connect directly to corporate networks, organisations need to be alert to the possibility that criminals could be lying dormant on employee devices, waiting for the opportunity to move laterally through a network, escalate privileges and deploy ransomware.”
During the COVID-19 pandemic, there has been a serious rise in malspam campaigns distributing Trickbot, Emotet and other forms of malware – threats that can be difficult to detect without deep endpoint visibility across employee devices.
Glass says: “An over-reliance on traditional AV solutions could lead to the latest fileless and polymorphic malware variants being missed. These variants don’t have static signatures, meaning that the only way to effectively identify and respond to them is by leveraging a behavioural-based approach to detection as well as containing and disrupting malicious activity as early as possible.”
Amongst its own client base, Redscan has also seen an uptick in USB-related malware that is currently used to mine cryptocurrency, jump air-gapped networks and target sensitive documents and data.
Glass says: “Employees that work from home are often more reliant on removable media to transfer files between devices. However, there is a tendency for these devices, particularly if they are personally-owned, to be left unpatched and unscanned.
“Only recently, the Redscan SOC observed a worm that was introduced to a client’s network by a USB device plugged into a laptop. Fortunately, the threat was no longer operational – its command and control server had long since been destroyed – but it just goes to show how long a malware infection can remain undetected on removable media.”
To help organisations minimise the security risks of remote workers returning to the office post-lockdown, Redscan’s recommendations include:
Connect all devices to a guest network
To help minimise security risks, organisations should direct employees returning to the office to initially connect corporate and business devices to a guest or temporary network that is partitioned from the rest of the corporate environment. Business devices can be connected to the full network once sanitised, but personal devices should be permanently restricted.
Ensure that antivirus signatures are updated
During the COVID-19 pandemic, many end-user devices with antivirus software installed may not have been receiving the latest virus signatures. This is because devices often have to be connected to a corporate network to receive updates. Organisations are advised, where possible, to allow remote AV updates and ensure that devices are updated before they are fully connected back to corporate networks.
Review and update firewall rules
To provide employees with access to the tools and services they need to perform their job, many organisations are likely to have relaxed security settings such as IP whitelists. As employees return to the office, firewall settings should be regularly reviewed to identify risks such as open ports and ensure firewall policies adhere to the principle of least privilege. Monitoring communications can also help to prevent C2 activity (malware calling back to a command server controlled by an attacker).
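One way to make the firewall review above repeatable is to run each allow-rule through a least-privilege check. The script below is an added example, not Redscan's tooling: it flags any-source or overly broad inbound whitelists on remote-access and file-sharing ports, and unrestricted egress that would let malware call back to a command server. The rule format, the sensitive-port list and the /24 threshold are assumptions for this example, and the sample ruleset is constructed.

```python
"""Least-privilege review of firewall allow-rules (added example, not Redscan's code).

Flags rules that were likely relaxed for remote working: any-source (0.0.0.0/0) or
very broad inbound whitelists on admin/file-sharing ports, and unrestricted egress.
The rule dict format, port list and threshold are assumptions for this example.
"""
import ipaddress

# Ports whose exposure to broad source ranges most often enables initial access or
# lateral movement; this list is an assumption for the example, tune it to your estate.
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 1433: "mssql"}
MAX_WHITELIST_PREFIX = 24   # inbound sources broader than a /24 are flagged (assumption)


def review_rules(rules):
    """Return a list of (rule_id, reason) findings for allow-rules that violate
    least privilege. Each rule is a dict with keys id, direction, src, dst, port, action."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["direction"] == "inbound":
            src = ipaddress.ip_network(r["src"], strict=False)
            port = r["port"]
            if src.prefixlen == 0:
                label = SENSITIVE_PORTS.get(port, "port")
                findings.append((r["id"], f"any-source inbound allow to {label} {port}"))
            elif src.prefixlen < MAX_WHITELIST_PREFIX and port in SENSITIVE_PORTS:
                findings.append((r["id"], f"broad whitelist {src} to {SENSITIVE_PORTS[port]} {port}"))
        elif r["direction"] == "outbound":
            dst = ipaddress.ip_network(r["dst"], strict=False)
            if dst.prefixlen == 0 and r["port"] == "any":
                findings.append((r["id"], "unrestricted egress; allows C2 callbacks on any port"))
    return findings


# Constructed sample ruleset (not taken from any real environment).
SAMPLE_RULES = [
    {"id": "r1", "direction": "inbound", "src": "0.0.0.0/0", "dst": "10.0.1.5/32", "port": 3389, "action": "allow"},
    {"id": "r2", "direction": "inbound", "src": "81.0.0.0/8", "dst": "10.0.1.0/24", "port": 445, "action": "allow"},
    {"id": "r3", "direction": "inbound", "src": "203.0.113.0/24", "dst": "10.0.1.10/32", "port": 443, "action": "allow"},
    {"id": "r4", "direction": "outbound", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "port": "any", "action": "allow"},
    {"id": "r5", "direction": "outbound", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"id": "r6", "direction": "inbound", "src": "0.0.0.0/0", "dst": "10.0.1.5/32", "port": 3389, "action": "deny"},
]

if __name__ == "__main__":
    for rule_id, reason in review_rules(SAMPLE_RULES):
        print(f"{rule_id}: {reason}")
```

Rules r1, r2 and r4 are reported; r3 (a /24 whitelist to HTTPS), r5 (egress pinned to one port) and r6 (a deny) pass.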
Conduct daily vulnerability assessments
With an increase in workers returning to the office, the frequency of internal and external vulnerability scanning should be increased. This will help to identify vulnerabilities, such as unpatched software and use of weak credentials, that may not have been identified as employees worked from home. Organisations should also be alert to the risks of shadow IT.
Monitor networks and endpoints
Proactive network and endpoint monitoring is also recommended in order to help detect and respond to malicious activity while in its infancy. Where possible, audit logging should be enabled on platforms such as Microsoft 365 and G Suite. If SIEM and ‘Next-gen’ AV tools are in place, organisations should ensure that these receive the appropriate security event logs and the latest threat intelligence updates.
Educate staff about the latest risks
As staff return to work, take the opportunity to remind them of the latest security risks and any updates to information and data security policies. While working from home, some staff may have developed bad habits or used personal devices to access corporate data. Given a reported increase in USB malware, raising awareness of the dangers of using removable devices is also advised.