Security Week 13: Home Safety

Last week's information security news agenda shifted decisively from the figurative “computer viruses” to real ones, transmitted by airborne droplets. Employees of many companies whose work can be done remotely are now connected to colleagues and office infrastructure only nominally. That is not to say the transition is going smoothly, although many tasks can indeed be performed not at the workplace but from anywhere in the world with a more or less reliable Internet connection.

Last week, Threatpost collected reviews from security professionals about the risks of remote work. The main point: when employees work from home en masse, IT specialists have far less control over the infrastructure. The concept of a "corporate network perimeter", already rather notional because of the massive use of cloud services, has become completely illusory. In the best case, your colleagues will work from a corporate laptop with security policies and security software in place, connecting via VPN. But it cannot be ruled out that they will use a home PC, smartphone or tablet connected to a Wi-Fi network with unknown protection.

Naturally, cybercriminals are trying to take advantage of the situation, and it is complicated by the fact that at home colleagues are guaranteed to be distracted: by household chores, by children who are not going to school, and so on. Meanwhile the workload does not shrink but grows, and the chance of failing to recognize a phishing message rises noticeably.

Added to these problems are the purely technical issues of keeping the infrastructure running. If the company has already adopted cloud services, the transition to remote work will be almost seamless. But what if, for some reason, access to on-premises services is needed? Do all employees have the necessary rights? Have they been trained to access the system? Will the VPN server withstand a large number of simultaneous connections if it was sized only for business travel? There is no time for educational initiatives when the equipment has to be kept afloat.

A typical example of a cyberattack at the most inopportune moment occurred two weeks ago at Otterbein University in Ohio, USA. Right in the middle of moving all students to distance learning, the organization fell victim to a ransomware attack. The report gives no details, but one can assume that in the worst case it will be difficult even to contact a large number of people to tell them when the infrastructure is available again. Or, more seriously, a forced password reset, which can no longer be carried out simply by gathering everyone on the university premises.

Cybercriminals began exploiting the coronavirus theme in spam mailings and phishing attacks back in February: this happens with any high-profile event. For example, here is an analysis of a campaign that distributes the Emotet banking Trojan under the guise of “recommendations for protection against the virus”. Another study with details of the spam emails was published by IBM.

Another themed attack was discovered by Check Point Research experts (news, research). A mailing sent in the name of government bodies in Mongolia carried an attached RTF file that exploited a vulnerability in Microsoft Word and installed a backdoor with a wide range of functions on the system. The organizers of the attack, previously seen in similar mailings in Russia and Belarus, gained full control over the victims' computers, arranged surveillance with regular screenshots, and uploaded files to the command-and-control server.

And all this is apart from the broad, untargeted attacks, for example on behalf of the World Health Organization, calling on recipients either to download a document or to send a donation. WHO staff had to publish a document warning about scammers who have become especially active since the outbreak. Here is an example of a keylogger being sent on behalf of the organization.

Where is the bottom, so to speak, of this exploitation of genuinely important topics for criminal purposes? Probably attacks on medical organizations, hospitals and clinics, where people's lives depend on network-connected, and sometimes vulnerable, equipment. Mikko Hyppönen of F-Secure gave an example on Twitter of an attack not on a hospital but on a local organization keeping the public informed (“our site is down, write to us by email”).

Let's get back to corporate defense under conditions of total remote work. The Kaspersky Lab blog provides other examples of exploiting the coronavirus theme. Intrusive spam with phishing links or prepared attachments has switched to the coronavirus theme (“see the information on delivery delays”). Targeted mailings were sent supposedly from government agencies demanding some urgent action. The methods of countering such campaigns have not changed under quarantine; the opportunities for attack have expanded, exploiting both less secure home infrastructure and general nervousness.

What to do? First of all, keep calm and do not give in to panic. Another Kaspersky Lab blog post summarizes recommendations for protecting “remote workers”. For the Habr audience they are obvious, but they are worth sharing with less savvy colleagues.

  • Use a VPN.
  • Change the password on your home router and make sure your Wi-Fi network is secured.
  • Use the corporate collaboration tools: it often happens that a person is used to some other service for web conferencing, file sharing and so on. This makes it even harder for the IT department to keep track of what is going on.
  • Finally, lock your computer when you leave your workplace. Not necessarily because a corporate spy will get into your home, but at least so that children do not accidentally answer an important conference call.

What else happened:

Adobe released an out-of-band patch for its products covering 29 critical vulnerabilities, 22 of them in Adobe Photoshop. Another important recommendation for remote work (and not only for it) is to remember to install updates.

New horizons for the use of non-standard characters in domain names for phishing and other evil deeds. Summary of the post: ɢoogle and google are two different things.
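As an added example (not part of the original post or of the linked article), here is a small Python checker that a defender could run over a brand watchlist or proxy logs to flag homoglyph look-alikes such as the ɢoogle case above. It reports the Punycode form that resolvers actually see, a UTS #39-style ASCII "skeleton", and whether the label mixes scripts. The confusables table and the brand watchlist are constructed for illustration (the real Unicode confusables data is far larger), and the script classification is an approximation based on character names.

```python
import unicodedata

# Constructed, deliberately small table of visually confusable characters.
# Assumption for illustration only; the real UTS #39 confusables.txt is much larger.
CONFUSABLES = {
    "\u0262": "g",  # ɢ LATIN LETTER SMALL CAPITAL G (the example from the post)
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # һ CYRILLIC SMALL LETTER SHHA
    "\u0131": "i",  # ı LATIN SMALL LETTER DOTLESS I
}

# Constructed watchlist of brand domains we want to protect against impersonation.
WATCHLIST = {"google.com", "microsoft.com", "kaspersky.com"}


def skeleton(label: str) -> str:
    """Map a label to its ASCII look-alike skeleton: NFKC-normalize, then
    replace every known confusable with the Latin letter it imitates."""
    normalized = unicodedata.normalize("NFKC", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def scripts_used(domain: str) -> set:
    """Rough per-character script classification derived from Unicode names;
    good enough to detect Latin/Cyrillic/Greek mixing inside one domain."""
    scripts = set()
    for ch in domain:
        if ch in "-.0123456789":
            continue  # digits, hyphen and label separators belong to no script
        name = unicodedata.name(ch, "")
        if "CYRILLIC" in name:
            scripts.add("Cyrillic")
        elif "GREEK" in name:
            scripts.add("Greek")
        elif "LATIN" in name:
            scripts.add("Latin")
        else:
            scripts.add("Other")
    return scripts


def analyze(domain: str) -> dict:
    """Return a report explaining why a domain looks like a homoglyph attack."""
    domain = domain.strip().rstrip(".").lower()
    # The IDNA codec converts each label to the xn-- form DNS resolvers see.
    punycode = domain.encode("idna").decode("ascii")
    skel = skeleton(domain)
    reasons = []
    if not domain.isascii():
        reasons.append("non-ASCII characters")
    if len(scripts_used(domain)) > 1:
        reasons.append("mixed scripts")
    if skel != domain and skel in WATCHLIST:
        reasons.append(f"look-alike of {skel}")
    return {
        "domain": domain,
        "punycode": punycode,
        "skeleton": skel,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    # Constructed sample: the legitimate domain, the post's small-capital-G
    # variant, and a Cyrillic-o variant.
    for candidate in ["google.com", "\u0262oogle.com", "g\u043e\u043egle.com"]:
        report = analyze(candidate)
        print(report["domain"], "->", report["punycode"], report["reasons"])
```

The skeleton comparison is what catches the post's example: ɢoogle.com is all-Latin and passes a naive mixed-script check, but its skeleton collapses to google.com while its Punycode form is a completely different name. Logging the Punycode alongside the displayed form is the cheapest way to make such look-alikes visible in proxy or mail-gateway logs.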

A scientific study analyzing the telemetry sent by popular browsers. Spoiler: Microsoft Edge collects the most statistics from users, including unique persistent identifiers.

Recently discovered vulnerabilities in Zyxel NAS devices are being exploited by yet another botnet.

The story in detail: how researchers found (and Microsoft later fixed) a serious configuration error in the Azure cloud service. Telemetry containing access tokens was being sent to a non-existent domain.
