Home offices as criminal footholds
The rapid move of employees to remote work during the pandemic has had many consequences. One of them is the disappearance of the boundary between work and personal life: the connection to the office's internal network now runs through consumer Internet providers, and the simplest home routers serve as the network equipment.
The home network may also contain the computers of other family members. They may connect to the servers of other organizations, study remotely or play games, but in any case their devices create additional risk. It is also common for family members to share one computer for work at different organizations.
In theory, a VPN protects the connection to the office network, but you should not relax too much here, because vulnerabilities are also found in VPNs, for example:
The new way home networks are used will inevitably turn them into a springboard for cybercriminals seeking to penetrate corporate networks. Hacking a home network and getting onto an employee's personal computer is much easier than breaking into the corporate network directly.
From there the attacker can move from system to system, for example with malware that exploits wormable vulnerabilities, such as the recently discovered RCE vulnerabilities in Microsoft Teams that require no user interaction to exploit.
Home networks as a base for launching attacks on corporate networks will also become widespread in supply chain attacks. Particular attention will go to employees with remote access to confidential and critical information, for example staff in sales, human resources and technical support.
And since home networks typically lack intrusion detection systems and other enterprise-grade security controls, attackers can gain a persistent foothold in a home network and from there infiltrate every organization its users have access to.
A logical continuation of the criminal business built on home networks will be growth in offers of access to compromised home routers. The price of such a "service" will depend on the level of access held by the owner of the compromised device: the hacked router of an IT administrator or a company executive will cost more than the router of an ordinary employee with only the minimum privileges in the corporate network.
Pandemic will remain breeding ground for malware campaigns
Cybercriminals use any major news story to build fraudulent campaigns, and the coronavirus pandemic could not go unnoticed. COVID-19 creates problems for global business both in the form of lockdowns and restrictions and in the form of cybersecurity threats.
The second wave brought new restrictions and set the stage for new fraudulent campaigns. Organized crime will try to infiltrate logistics as online shopping continues to grow and the number of parcels delivered increases. The number of shops selling counterfeit products and various illegal goods is also likely to grow.
We expect a significant increase in attacks on healthcare facilities, especially those involved in vaccine production and telemedicine services. The potential profit from sabotaging laboratories and from extortion, as well as the opportunity to sell medical secrets, will attract a large number of cybercriminals.
Disinformation campaigns built around the many coronavirus vaccines will become even more widespread. Criminals will lure visitors to fraudulent sites with offers of skip-the-line vaccination, "improved" vaccines and other bait in order to obtain victims' sensitive information and bank card details.
The Challenges of Hybrid Management
Teleworking has already become commonplace, and the number of remote jobs will only grow in 2021. Using home computers to work on the office network creates a hybrid environment in which work and personal data are mixed on the same device.
This is a serious problem for organizations, which lose control over employees' actions, since restrictions imposed on a personal device can make it impossible to use it for personal tasks. And if the computer is infected with malware, who performs the recovery, and what happens to the employee's personal data in the process?
Tracking printouts or data exports from personal devices is equally challenging.
To address these challenges in 2021, the zero trust model will be widely applied: no user or device is trusted by default, regardless of where it connects from. Users receive only the minimum privileges needed for their work, those privileges are re-verified continuously, and all of their activity is logged and analyzed.
The zero trust model will be integrated with organizations' cloud perimeters, allowing security teams to monitor all inbound and outbound traffic.
Rise in criminal use of medical data
Due to the pandemic, countries everywhere began to monitor the health of their citizens. Collection of personal health data reached an unprecedented level, and the rush to implement these measures meant that leaks became commonplace.
For example, in early December a leak of the personal data of 300 thousand Muscovites who had had coronavirus became known… The data includes full names, residential and registration addresses, and all information about the course of the disease and test results. It also contains details of 1C servers and keys for connecting to the COVID-19 patient registration system.
Sometimes the source of a leak is the healthcare workers themselves, as happened when healthcare workers entered the credentials for connecting to an information system into the Yandex search bar… Yandex dutifully indexed this information and served it to anyone who searched for it.
Fast access to data can be critical in fighting an outbreak, but relaxing data privacy measures is a problem in itself. Large databases of sensitive data, combined with hasty deployment, give attackers fertile ground for compromising the collected and stored data. Cybercriminal groups can abuse it in a variety of ways, such as reselling it or building targeted scam campaigns on it.
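The search-bar leak above is the kind of event an outbound web proxy log can reveal before a search engine indexes it. The following Python is an added example, not code from the original article or from any vendor it mentions: it parses constructed proxy log lines (the log format, the search-engine list and the sample entries are assumptions), extracts the search query from known search-engine URLs, and flags queries that look like credentials or connection strings.

```python
"""Flag outbound search-engine queries that appear to carry credentials.

Constructed example: the proxy log format, the search-engine parameter table
and the sample log lines are assumptions made for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Search engines and the name of their query parameter (assumed table).
SEARCH_PARAMS = {
    "yandex.ru": "text",
    "ya.ru": "text",
    "www.google.com": "q",
    "www.bing.com": "q",
    "duckduckgo.com": "q",
}

# Coarse patterns suggesting the "search" is really a credential or a
# connection string. Intended as an analyst triage signal, so it errs on
# the side of false positives (e.g. "password policy" also matches).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(pass(word|wd)?|pwd|пароль)\b\s*[:=]?\s*\S+"),
    re.compile(r"(?i)\b(login|user(name)?|логин)\b\s*[:=]\s*\S+"),
    re.compile(r"\w+:\S+@[\w.-]+(?::\d+)?"),                 # user:secret@host
    re.compile(r"(?i)\b(jdbc|postgres(ql)?|mysql|mongodb)://\S+"),
]

# Assumed log line shape: "<timestamp> <user> <METHOD> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def search_query(url):
    """Return the search string if url targets a known search engine, else None."""
    parts = urlsplit(url)
    param = SEARCH_PARAMS.get(parts.netloc.lower())
    if not param:
        return None
    values = parse_qs(parts.query).get(param)   # parse_qs also decodes '+' to space
    return values[0] if values else None


def looks_like_credential(text):
    """True if any credential pattern occurs in the query text."""
    return any(p.search(text) for p in CREDENTIAL_PATTERNS)


def scan_proxy_log(lines):
    """Return a list of (timestamp, user, search_host, query) for suspicious searches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        url = m.group("url")
        q = search_query(url)
        if q and looks_like_credential(q):
            hits.append((m.group("ts"), m.group("user"), urlsplit(url).netloc, q))
    return hits


# Constructed sample log: one benign search, two credential leaks, one non-search URL.
SAMPLE_LOG = [
    "2020-12-07T09:12:41Z nurse01 GET https://yandex.ru/search/?text=covid+registry+login+instructions",
    "2020-12-07T09:13:05Z nurse01 GET https://yandex.ru/search/?text=10.20.30.40:8080+login+reg_user+password+Qwerty123",
    "2020-12-07T09:15:22Z dr_ivanov GET https://www.google.com/search?q=mongodb://app:S3cret@db.clinic.local:27017/reg",
    "2020-12-07T09:16:00Z dr_ivanov GET https://www.example.org/page?q=password+policy",
]

if __name__ == "__main__":
    for ts, user, host, q in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {user} -> {host}: {q!r}")
```

The query is matched against the decoded parameter value, not the raw URL, so URL-encoded secrets are still caught; the one-word "login instructions" search is left alone because the login pattern requires a separator such as `:` or `=`. In a real deployment the hit list would feed a DLP or SIEM rule and trigger a credential rotation, since anything that reached the search engine must be treated as exposed.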
Rapid exploitation of known vulnerabilities
Zero-day vulnerabilities (0-day) are highly effective, but their use is limited by several difficulties: the researchers who discover them try to sell their find for the highest price, and as a rule there is very little documentation on how to exploit them.
Known vulnerabilities, by contrast (n-day vulnerabilities), are well documented, have published proof-of-concept code demonstrating exploitation, and all of this is available for free.
We expect that in 2021 the cybercriminal community will move to rapid adoption of n-day vulnerabilities and of exploits released by the research community. For example, in Operation Poisoned News attackers used PoC code for several privilege escalation vulnerabilities released by Google Project Zero. The Earth Kitsune hacker group adapted exploits published by Project Zero and the Trend Micro Zero Day Initiative (ZDI) for use in its attacks.
Underground markets will offer tools built on n-day vulnerabilities that criminals without technical knowledge can buy and use.
Using vulnerable APIs as attack vectors
Many enterprises use application programming interfaces (APIs) to expose internal systems and to interact with customers through applications. The problem is that these same APIs can be exploited by criminals looking for an entry point into the organization's network. As APIs spread further through the corporate space, attacks against them will increase too.
It is alarming that while APIs are ubiquitous, their security is still in its infancy; as a result they can become a source of data leakage from corporate applications.
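The most common way an API becomes a data leak is an endpoint that authenticates the caller but never checks whether the caller is allowed to see the particular object it asked for. The following Python is an added example, not code from the article or from any product it mentions: a constructed invoice endpoint in its vulnerable form beside a hardened form (the in-memory invoice store, the session object and the handler names are assumptions), plus a helper that plays the attacker enumerating IDs.

```python
"""Vulnerable vs hardened API handler: object-level authorization.

Constructed example. INVOICES, Session and the handler names are assumptions
made for illustration; they stand in for a real web framework's request
handling, which is omitted so the example runs stand-alone.
"""
from dataclasses import dataclass

# Constructed sample data: invoices belonging to different customers.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0, "iban": "DE00 0000 0000 1234"},
    102: {"owner": "bob",   "amount": 980.0, "iban": "DE00 0000 0000 5678"},
}


@dataclass(frozen=True)
class Session:
    """Authenticated caller: who they are and which roles they hold."""
    user: str
    roles: frozenset


def get_invoice_vulnerable(session, invoice_id):
    """Authenticated but not authorized: any logged-in user can fetch any
    invoice simply by guessing its ID, and the full record is returned."""
    if session is None:
        return 401, {"error": "unauthenticated"}
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, {"error": "not found"}
    return 200, inv


def get_invoice_hardened(session, invoice_id):
    """Same endpoint with an ownership check and a minimal response body."""
    if session is None:
        return 401, {"error": "unauthenticated"}
    inv = INVOICES.get(invoice_id)
    authorized = inv is not None and (
        inv["owner"] == session.user or "support" in session.roles
    )
    # Same 404 for "does not exist" and "not yours", so the endpoint does not
    # confirm which IDs are valid to an attacker walking the ID space.
    if not authorized:
        return 404, {"error": "not found"}
    # Expose only the fields the client needs; the IBAN stays server-side.
    return 200, {"id": invoice_id, "amount": inv["amount"]}


def enumerate_ids(handler, session, id_range):
    """Simulate an attacker sweeping IDs; returns the IDs that were disclosed."""
    return [i for i in id_range if handler(session, i)[0] == 200]


if __name__ == "__main__":
    mallory = Session("mallory", frozenset())
    print("vulnerable:", enumerate_ids(get_invoice_vulnerable, mallory, range(100, 110)))
    print("hardened:  ", enumerate_ids(get_invoice_hardened, mallory, range(100, 110)))
```

Two details carry most of the value: the authorization decision is made against the specific object (owner or an explicit role), not merely against "is logged in", and the error path is indistinguishable from "not found", so the sweep in `enumerate_ids` learns nothing. Sequential integer IDs make the sweep cheap; random identifiers raise the cost but are not a substitute for the check.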
Attacks on industrial and cloud software
We expect more attacks on the most popular programs and services for remote work. Increased research attention will lead to more published vulnerabilities, which means that experts will have to closely monitor critical-class bugs and similar problems in enterprise remote-work software.
Continuing the trend of 2020, cybercriminals will keep searching for and exploiting vulnerabilities in the cloud, and with data and entire work environments moving to the cloud, this creates additional risk for companies.
Another vector of attack on cloud environments is planting malicious container images in a repository, which makes it possible to attack the users of container services that pull them.
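The practical defence against a planted image is to refuse references that can silently change meaning: images from registries outside an allowlist, and images selected by a mutable tag rather than a content digest. The following Python is an added example, not code from the article or from any registry or orchestration product: it parses image references in the simplified `[registry/]repository[:tag][@sha256:digest]` form, applies that policy, and audits every `FROM` line of a constructed Dockerfile (the trusted-registry list and the sample Dockerfile are assumptions).

```python
"""Audit container image references before they are pulled or built on.

Constructed example: TRUSTED_REGISTRIES and SAMPLE_DOCKERFILE are assumptions
made for illustration. Registry host:port forms are not handled.
"""
import re

# Registries (or registry/namespace prefixes) this hypothetical org trusts.
TRUSTED_REGISTRIES = {"registry.example.internal", "gcr.io/example-prod"}

# Simplified reference grammar: [registry/]repository[:tag][@sha256:digest]
REF_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref):
    """Split an image reference into registry, repo, tag and digest."""
    m = REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    name = m.group("name")
    # The first path component is a registry only if it looks like a host
    # ('.' or ':' in it, or 'localhost'); otherwise the image is on Docker Hub.
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", name
    return {"registry": registry, "repo": repo,
            "tag": m.group("tag"), "digest": m.group("digest")}


def check_reference(ref, trusted=TRUSTED_REGISTRIES):
    """Return a list of policy findings for one reference (empty == acceptable)."""
    r = parse_reference(ref)
    findings = []
    full = f"{r['registry']}/{r['repo']}"
    if not any(full == t or full.startswith(t + "/") for t in trusted):
        findings.append(f"untrusted registry: {r['registry']}")
    if r["digest"] is None:
        # A tag is a mutable pointer: whoever can push to the repo can
        # re-point it at a different (malicious) image without anyone noticing.
        findings.append("not pinned by digest")
        if r["tag"] in (None, "latest"):
            findings.append("floating tag 'latest'")
    return findings


def audit_dockerfile(text, trusted=TRUSTED_REGISTRIES):
    """Check every FROM line in a Dockerfile; returns {image_ref: findings}."""
    results = {}
    for line in text.splitlines():
        m = re.match(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        ref = m.group(1)
        if ref.lower() == "scratch":      # the empty base image, nothing to pull
            continue
        results[ref] = check_reference(ref, trusted)
    return results


# Constructed sample: an unpinned Docker Hub base, a properly pinned internal
# image, a trusted but tag-only image, and a scratch stage.
DIGEST = "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = f"""
FROM python:3.9 AS builder
FROM registry.example.internal/base/python:3.9@sha256:{DIGEST}
FROM --platform=linux/amd64 gcr.io/example-prod/api:1.4.2
FROM scratch
"""

if __name__ == "__main__":
    for ref, findings in audit_dockerfile(SAMPLE_DOCKERFILE).items():
        print(ref, "->", findings or "OK")
```

The same check belongs wherever a reference is accepted: CI before `docker build`, and an admission policy in the cluster before a pod is scheduled. Pinning by digest addresses a re-pointed tag but not an image that was malicious when first published, so the allowlist and image scanning remain necessary alongside it.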
We recommend that security professionals move from responding to threats to preventing them. We propose the following as the main areas of focus for 2021:
- Educate and train users
Criminals will continue to exploit the fear surrounding COVID-19, so it is essential to educate users and train them to recognize and resist attacks. Organizations must strengthen their own knowledge of threats and pass corporate best practices for countering them on to teleworking staff. A mandatory part of this material is guidance on how to use personal devices safely.
- Control access to the corporate network from home offices
Security-oriented policies are needed, along with an incident response plan that covers the entire network perimeter in the new environment. A mandatory part of this policy is zero trust: every user is treated as untrusted, regardless of location.
- Implement patch management programs
It is necessary to monitor especially carefully that the systems and applications of remote users are up to date, since it is precisely these devices that can become cybercriminals' entry points into the network.
- Track threats
The new environment demands closer attention to what is happening, so enhanced 24/7 threat detection and incident handling across cloud environments, email, user devices, networks and servers will be an important precondition for protection. Get complete and timely visibility into attacks and prioritize security alerts with the help of leading vendors.