By: Krupa Srivatsan, Director, Cybersecurity Product Marketing at Infoblox
With the remote working trend on the rise due to the COVID-19 pandemic, many IT managers and corporate leaders have naturally been concerned about the challenges of securing employees’ access to the corporate network.
Given how suddenly the pandemic arrived, organizations had very little time to prepare for large-scale remote work, let alone to think about how to secure ‘work from home’ users. These remote workers still need to access enterprise applications in the cloud, and to work with and store corporate data on their devices.
Security teams now have to think about how to continue protecting corporate resources and data when most of their employees are outside the corporate perimeter. The existing security stack within the corporate network no longer covers these teleworkers. In addition, teleworking exposes a much broader attack surface: workers use personal (BYOD) and mobile devices on home and public Wi-Fi networks, often shared with a far larger variety of internet of things (IoT) devices than is found in a typical office. On public Wi-Fi in particular, credentials and session tokens are more likely to be intercepted.
To take advantage of the chaotic nature of these times, bad actors have been busy launching coronavirus-themed cyber-attacks and weaponizing well-known websites that try to provide useful, timely information to the general public. COVID-19 has become the subject line of choice for phishing and spear-phishing campaigns that prey on the heightened level of fear and concern.
Let’s take a look at some rising threats that we could encounter.
In March of last year, our cyber intelligence unit noted that the LokiBot infostealer had joined the list of malware being distributed by cybercriminals exploiting fear of and interest in the spread of the coronavirus (COVID-19). We observed two malicious spam email campaigns distributing LokiBot under the guise of providing information on the impact of the coronavirus on supply chains.
LokiBot has become popular with cybercriminals as an information stealer that collects credentials and security tokens from infected machines. It targets multiple applications, including but not limited to Mozilla Firefox, Google Chrome, Thunderbird and FTP clients.
The email messages of the primary campaign used two subject lines, one purporting to be a supply chain update in the context of the coronavirus (COVID-19), the other a more typical payment transfer theme. Both sets of messages carried an attachment with the same filename, which delivered the malicious code.
Another threat that could be on the rise is lookalike domains. Cybercriminals register domains crafted to resemble a target organization's or brand's legitimate domain and host phishing sites on them. Character substitution is a popular technique: a letter is swapped for a visually similar digit or letter (a ‘1’ for an ‘l’, ‘rn’ for ‘m’, or a Cyrillic ‘а’ for a Latin ‘a’ in an internationalized domain name), with the goal of manipulating users into exposing credit card numbers, passwords and other sensitive data.
Researchers also found that cybercriminals obtain valid Transport Layer Security (TLS) certificates for lookalike domains so that they appear legitimate; a certificate only proves control of the domain name, so the browser's padlock does nothing to distinguish a lookalike from the real brand. In late 2019, researchers noted more than 100,000 lookalike domains impersonating legitimate retailers. The industries most heavily impacted by these attacks are retail and banking, where users routinely enter their credentials to execute a transaction.
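As an added illustration of the character-substitution techniques described above (example code written for this page, not Infoblox tooling), the following Python detector folds digit and Cyrillic confusables onto Latin letters, decodes IDNA ‘xn--’ labels, scores edit distance including transpositions, and also catches a brand name embedded in a longer label or used as a subdomain of an unrelated domain. The brand list, confusable tables and distance thresholds are assumptions for illustration; a production version would split domains with the Public Suffix List and use the full Unicode confusables data.

```python
"""Lookalike-domain detector.

Flags domains that impersonate a brand through character substitution
(digit/letter and Unicode confusables), transposition, added characters,
or the brand name used as a label of another domain. Added example, not
Infoblox code: the brand list, confusable tables and thresholds are assumed.
"""
from __future__ import annotations

BRANDS = ["paypal", "amazon", "chase", "apple"]   # assumed brand watch list

# Single characters commonly swapped for Latin letters in lookalike domains.
SINGLE_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u04cf": "l",  # Cyrillic с ѕ і ӏ
    "\u0445": "x", "\u0443": "y",                                # Cyrillic х у
}
# Letter pairs that render like a single letter in most fonts.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def decode_label(label: str) -> str:
    """Decode an IDNA 'xn--' label to Unicode so confusables can be folded."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label
    return label


def normalize(label: str) -> str:
    """Lower-case the label and fold confusable characters onto Latin letters."""
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in decode_label(label).lower())


def variants(label: str) -> set[str]:
    """Normalized label plus forms with each pair confusable folded (rn -> m, ...)."""
    base = normalize(label)
    return {base} | {base.replace(pair, letter) for pair, letter in PAIR_CONFUSABLES.items()}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition (catches 'paypla' as well as 'paypa1')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, brands: list[str] = BRANDS) -> tuple[str, str | None]:
    """Return (verdict, brand): 'legitimate', 'lookalike:<reason>' or 'unrelated'.

    Assumes the registrable label is the one just left of the TLD; production
    code should split on the Public Suffix List so that co.uk etc. work.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unrelated", None
    registrable = labels[-2]
    if registrable in brands:                      # paypal.com, www.paypal.com
        return "legitimate", registrable
    for brand in brands:
        # Distance 1 still hits real words near short brands ('ample' vs 'apple'),
        # so pair this with an allow list in practice.
        threshold = 1 if len(brand) < 8 else 2
        if min(osa_distance(v, brand) for v in variants(registrable)) <= threshold:
            return "lookalike:substitution", brand
        if any(brand in v for v in variants(registrable)):        # paypal-login.com
            return "lookalike:embedded", brand
        if any(normalize(lab) == brand for lab in labels[:-2]):   # paypal.com.verify.net
            return "lookalike:subdomain", brand
    return "unrelated", None


if __name__ == "__main__":
    for d in ["www.paypal.com", "paypa1.com", "arnazon.com", "xn--80ak6aa92e.com",
              "paypal-account-verify.com", "paypal.com.secure-login.net", "example.com"]:
        print(f"{d:32} -> {classify(d)}")
```

Feed it newly registered domains or names seen in certificate transparency logs and passive DNS, and review hits rather than blocking on them blindly: the distance check will flag ordinary words that happen to sit one edit away from a short brand name.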
Your work from home users are still accessing, interacting with and storing corporate data on their devices as part of their day-to-day business operations, but they are now doing it outside the corporate perimeter, and that data, even if stored on company-provided devices, could be exposed to theft. DNS tunneling is an exfiltration technique in which malware on a compromised system gathers sensitive data, splits it into small chunks and encodes each chunk into the subdomain labels of DNS queries for a domain the attacker controls. Because the local resolver forwards those queries to the authoritative name server for that domain, which the attacker hosts on the Internet, the chunks arrive at the attacker's server, where the stolen data can be easily reassembled. Outbound DNS is almost always permitted, so this channel typically passes firewalls that block other traffic.
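To make the mechanism concrete, here is an added Python example (written for this page, not Infoblox code) showing both sides of a DNS tunnel and the resolver-side view of it: the malware encodes chunks of stolen data into query names under an attacker zone, the attacker's name server reassembles them in order, and a detector groups a resolver log by zone and flags zones whose leftmost labels are numerous, nearly all unique, long and high-entropy. The zone name, the chunk layout, the sample log and the thresholds are assumptions for illustration.

```python
"""DNS tunnelling, both sides: how stolen data is chunked into query names,
how the attacker's name server reassembles it, and how a resolver log gives
it away. Added example, not Infoblox code; the attacker zone, the chunk
format, the sample log and the detection thresholds are assumptions.
"""
from __future__ import annotations

import base64
import math
import random
from collections import Counter, defaultdict

MAX_LABEL = 63                          # RFC 1035: one label is at most 63 octets
ATTACKER_ZONE = "cdn-metrics.example"   # assumed attacker-controlled domain


def encode_chunks(data: bytes, zone: str, chunk_bytes: int = 30) -> list[str]:
    """Malware side: split data into query names '<seq><base32 chunk>.<zone>'.
    Base32 rather than base64 because DNS names are case-insensitive (and
    resolvers may randomise case); 4 hex seq digits + 48 chars stays under 63."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_bytes)):
        chunk = base64.b32encode(data[off:off + chunk_bytes]).decode("ascii")
        label = f"{seq:04x}{chunk.rstrip('=').lower()}"
        if len(label) > MAX_LABEL:
            raise ValueError("chunk_bytes too large for one DNS label")
        names.append(f"{label}.{zone}")
    return names


def reassemble(names: list[str], zone: str) -> bytes:
    """Attacker side: order received chunks by sequence number and decode."""
    chunks: dict[int, bytes] = {}
    for name in names:
        if not name.endswith("." + zone):
            continue
        label = name[: -len(zone) - 1]
        seq, b32 = int(label[:4], 16), label[4:].upper()
        b32 += "=" * (-len(b32) % 8)            # restore padding stripped on the way out
        chunks[seq] = base64.b32decode(b32)
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(s: str) -> float:
    """Bits per character: random base32 text scores about 4.5, 'login' about 2.3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def detect_tunnels(qnames, min_queries=20, min_unique=0.8, min_len=30, min_entropy=3.5):
    """Defender side: group query names by zone (assumed: last two labels; use
    the Public Suffix List in production) and flag zones whose leftmost labels
    look like encoded data: many of them, nearly all unique, long, high-entropy."""
    by_zone: dict[str, list[str]] = defaultdict(list)
    for q in qnames:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) >= 3:                     # need something left of the zone
            by_zone[".".join(labels[-2:])].append(labels[0])
    flagged = {}
    for zone, firsts in by_zone.items():
        n = len(firsts)
        if n < min_queries:
            continue
        stats = {"queries": n,
                 "unique_ratio": len(set(firsts)) / n,
                 "mean_len": sum(map(len, firsts)) / n,
                 "mean_entropy": sum(map(shannon_entropy, firsts)) / n}
        if (stats["unique_ratio"] >= min_unique and stats["mean_len"] >= min_len
                and stats["mean_entropy"] >= min_entropy):
            flagged[zone] = stats
    return flagged


# Constructed sample data: 1499 pseudo-random bytes standing in for stolen
# files (the odd size exercises the short final chunk), and a benign resolver
# log of ordinary SaaS lookups that the tunnel's queries are mixed into.
_rng = random.Random(2020)
SECRET = bytes(_rng.getrandbits(8) for _ in range(1499))
TUNNEL_QUERIES = encode_chunks(SECRET, ATTACKER_ZONE)
BENIGN_LOG = (["www.office.com"] * 40 + ["login.microsoftonline.com"] * 25
              + ["outlook.office.com"] * 30 + ["teams.microsoft.com"] * 22)

if __name__ == "__main__":
    assert reassemble(TUNNEL_QUERIES, ATTACKER_ZONE) == SECRET
    for zone, stats in detect_tunnels(BENIGN_LOG + TUNNEL_QUERIES).items():
        print(f"tunnel suspected: {zone} {stats}")
```

Run over real resolver logs, the same features also light up some legitimate services that encode lookups into long subdomains (anti-virus and reputation lookups, certain CDN and telemetry zones), so the detector needs an allow list of known zones and is best used to rank zones for review and to feed a secure DNS service that can block the confirmed ones.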
While this is not technically an attack or a malicious campaign launched by bad actors, companies could still face the problem of work from home users accessing websites and destinations that do not comply with corporate policy during working hours on corporate-provided devices. This could include sites related to social media, violence and adult content. While it is second nature for employees in the office to know that such access is not appropriate or compliant, at home those same employees may have a more lax attitude.
Virtual Private Networks (VPNs) have been touted by some as the solution to securing employees’ access to the corporate network. A VPN encrypts the user's traffic and tunnels it to a gateway on the corporate network, allowing employees to reach corporate data and applications with some measure of security and privacy.
Today, however, with the proliferation of cloud-based applications such as Office 365, Salesforce (SFDC), Google Drive and others, it is uncommon for organizations to rely solely on VPN-based access to corporate resources. Instead, the VPN is usually used, often in a split-tunnel configuration, to reach a small subset of internal corporate platforms, so traffic to cloud applications and the rest of the internet bypasses it, leaving remote users unprotected against threats on the internet.
Furthermore, VPNs may not provide the level of security that today's threat environment requires. Malicious cyber actors are finding and targeting vulnerabilities in VPN products as employees increasingly rely on them for telework amid the pandemic. And since VPNs are treated as 24/7 infrastructure, always on to provide the secure connection into the enterprise network, organizations are reluctant to take them down for maintenance and so are less likely to keep them updated with the latest patches. Finally, since many VPN vendors license by the user, organizations may have a limited number of VPN connections available, meaning that any additional employees cannot telework or securely access corporate data.
In this environment, one of the best and most cost-effective ways enterprises can secure such a large-scale tele-workforce is to use DNS as a first line of defense. Almost every connection to the internet begins with a DNS lookup, and those working from home typically use either a public DNS resolver or the one provided by their internet service provider, neither of which usually enforces any security policy on DNS. Companies are therefore increasingly interested in secure DNS services that can quickly start protecting their remote workforce.
Our recommendation is to use secure DNS services that extend enterprise-level security to teleworking employees, their devices and corporate networks, no matter where they are located.