Work-from-Home Intensifies Network Compromises, Study Shows

A recent study by the Finnish company Arctic Security found that the mass shift to working from home during the COVID-19 crisis has been accompanied by a sharp rise in network compromises.

According to Arctic Security, between January and March of this year it observed an uptick in the number of organizations experiencing network compromises. For a small country such as Finland, the company said, the normal figure is approximately 200 organizations with a compromised network; starting in the third week of March, that number jumped to 800.

Arctic Security observed the same uptick in eight other European countries (Sweden, Norway, Denmark, the Netherlands, Belgium, the UK, Austria and Italy), where more than 10,000 organizations had their networks compromised in March 2020.

The U.S. showed the same pattern, Arctic Security said: the number of organizations with compromised networks more than doubled, from 20,000 in January 2020 to more than 50,000 in March 2020.

Strong Correlation Between Numbers of Compromised Networks and Increase in Remote Workers

According to Arctic Security, there is a strong correlation between the number of organizations experiencing network compromise and the increase in remote workers. The uptick in Finland came in the same week that the Finnish Government issued a strong recommendation for citizens to stay home and work from there. Similar stay-at-home guidance was put in place in other European countries, in the U.S. and in most countries worldwide.

Arctic Security said that working from home means the number of people using a virtual private network (VPN) to connect to their organizations’ systems has increased by orders of magnitude. “Our analysis indicates that the employees’ computers were already hacked before COVID-19 made the news, but were lying dormant behind firewalls, blocking their ability to go to work on behalf of the threat actors,” said Lari Huttunen, Senior Analyst at Arctic Security. “Now those zombies are outside firewalls, connected to their corporate networks via VPNs, which were not designed to prevent malicious communications.”

Continued Exploitation Post Pulse Secure VPN Patching

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that organizations whose Pulse Secure VPN servers were exploited before COVID-19, specifically via the vulnerability designated CVE-2019-11510, run the risk of continued exploitation even after the patch has been applied.

CVE-2019-11510 is an arbitrary file read vulnerability in affected Pulse Secure VPN versions: an unauthenticated remote attacker can send a specially crafted URI and read files from the appliance without logging in. Among the files exposed are a plaintext cache of credentials for past Pulse Secure VPN users and information about the VPN sessions used for authentication.

With those credentials and session details in hand, an attacker can pose as a legitimate user and connect to the victim’s Pulse Secure VPN. The following Pulse Secure VPN versions are vulnerable to CVE-2019-11510:

– Pulse Connect Secure 9.0R1 – 9.0R3.3

– Pulse Connect Secure 8.3R1 – 8.3R7

– Pulse Connect Secure 8.2R1 – 8.2R12

– Pulse Connect Secure 8.1R1 – 8.1R15

– Pulse Policy Secure 9.0R1 – 9.0R3.1

– Pulse Policy Secure 5.4R1 – 5.4R7

– Pulse Policy Secure 5.3R1 – 5.3R12

– Pulse Policy Secure 5.2R1 – 5.2R12

– Pulse Policy Secure 5.1R1 – 5.1R15

According to CISA, threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s Pulse Secure VPN credentials will still be able to access the organization’s network after the vulnerability has been patched if the stolen credentials have not been changed: the patch closes the file read, but it does not invalidate credentials that were already taken. VPN vendor Pulse Secure released a patch for CVE-2019-11510 in April 2019.

CISA reported that threat actors are actively accessing victims’ networks using the stolen VPN credentials and are minimizing detection by routing their connections through proxies such as Tor infrastructure and virtual private servers (VPSs). Once inside the victim’s network, CISA said, attackers establish persistence through scheduled tasks and remote access trojans, gather files for exfiltration and execute ransomware in the victim’s environment.

CISA added that one threat actor was observed successfully dropping ransomware at hospitals and U.S. Government entities, and selling the stolen VPN credentials. The agency also observed threat actors using remote access tools such as LogMeIn and TeamViewer to maintain persistence in the victims’ networks in case they lost their primary connection via the stolen VPN credentials.

Mitigating Measures Against Network Compromise

While your organization has limited control over the computers used by remote workers, the following mitigating measures against network compromise can be implemented at your end:

  • Implement network segmentation. Divide the network into sub-networks so that if one sub-network is compromised, the others are not directly reachable from it.
  • Patch your systems proactively. Patches for critical security vulnerabilities such as CVE-2019-11510 should be applied in a timely manner, as threat actors are quick to exploit known critical vulnerabilities.
  • Regularly change passwords, and reset them after any known compromise. Patching CVE-2019-11510 does not invalidate credentials that were stolen through it; changing those credentials is what locks the attacker out.
  • Use multi-factor authentication. A stolen password alone is then not enough to log in.

Post-Compromise Detection

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends the following measures in case of an initial compromise via CVE-2019-11510:

  • Turn on unauthenticated log requests on the Pulse Secure VPN, check the logs for exploit attempts, and manually review them for unauthorized sessions.
  • Look for unauthorized applications and scheduled tasks.
  • Remove any remote access programs not approved by your organization.
  • Remove any remote access trojans (malware that gives an attacker remote control of the machine, often disguised as legitimate software).
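The two log checks above, exploit attempts against the crafted-URI file read and VPN logins with stolen credentials routed through Tor or VPS addresses, can be scripted. The following Python is an added example written for this article; it is not CISA’s, Arctic Security’s or Pulse Secure’s code. The log formats, the URIs and the watchlist are constructed for the example (all addresses are RFC 5737 documentation ranges), so the regular expressions would need adjusting for a real Pulse Secure export.

```python
"""Post-compromise triage over VPN gateway logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed web access log: timestamp, source IP, method, URI, status.
ACCESS_LOG = """\
2020-03-16T08:01:12Z 203.0.113.10 GET /dana-na/auth/url_default/welcome.cgi 200
2020-03-16T08:01:40Z 198.51.100.7 GET /dana-na/../../../../etc/passwd 200
2020-03-16T08:02:05Z 198.51.100.7 GET /dana-na/%2e%2e/%2e%2e/%2e%2e/data/runtime/mtmp/system 200
2020-03-16T08:02:30Z 198.51.100.7 GET /dana-na/auth/url_default/welcome.cgi?id=..%252f..%252fetc/passwd 200
2020-03-16T08:03:00Z 203.0.113.11 GET /dana/home/index.cgi 200
"""

# Constructed VPN session log: one line per successful login.
SESSION_LOG = """\
2020-03-16T09:00:00Z login user=alice src=203.0.113.10
2020-03-16T09:05:00Z login user=bob src=203.0.113.25
2020-03-16T21:40:00Z login user=alice src=192.0.2.42
2020-03-17T02:10:00Z login user=alice src=198.51.100.9
2020-03-18T09:00:00Z login user=bob src=203.0.113.25
"""

# Constructed stand-in for a Tor-exit / hosting-provider address feed.
WATCHLIST = {"192.0.2.42", "198.51.100.9"}

ACCESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SESSION_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+)$")


def decode_fully(s, rounds=3):
    """Percent-decode until stable: double encoding ("%252e") defeats a single decode."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def segments(s):
    """Decoded path components, with backslashes treated as separators."""
    return decode_fully(s).replace("\\", "/").split("/")


def escapes_root(path):
    """True if the decoded path climbs above the web root at any point."""
    depth = 0
    for seg in segments(path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_access_log(text):
    """Flag requests that look like arbitrary file read attempts."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts, src, _method, uri, status = m.groups()
        path, _, query = uri.partition("?")
        reason = None
        if escapes_root(path):
            reason = "path escapes web root"
        elif any(".." in segments(part) for part in (path, query)):
            reason = "dot-dot segment in request"
        if reason:
            # A 200 on such a request means the read likely succeeded: treat as compromise.
            hits.append({"ts": ts, "src": src, "uri": uri, "status": status, "reason": reason})
    return hits


def suspicious_sessions(text, window=timedelta(hours=24), watchlist=WATCHLIST):
    """Per user: logins from several addresses inside one window, or from watchlisted ones."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            ts, user, src = m.groups()
            by_user[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        reasons = []
        # Largest number of distinct sources for this user within any sliding window.
        peak = max(len({s for t, s in logins if timedelta(0) <= t - t0 <= window})
                   for t0, _ in logins)
        if peak >= 2:
            reasons.append(f"{peak} distinct sources within {window}")
        flagged = sorted({s for _, s in logins if s in watchlist})
        if flagged:
            reasons.append("watchlisted source(s): " + ", ".join(flagged))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print(f"[exploit attempt] {hit['ts']} {hit['src']} {hit['status']} {hit['reason']}: {hit['uri']}")
    for user, reasons in suspicious_sessions(SESSION_LOG).items():
        print(f"[credential reuse?] {user}: " + "; ".join(reasons))
```

The traversal check decodes repeatedly and inspects the query string as well as the path, because single-pass decoding and path-only matching are the usual ways such requests slip past a filter. The session check is deliberately coarse: a user logging in from three addresses in a day, two of them on a Tor or hosting watchlist, is the pattern of a stolen credential being replayed through proxies, and is the cue to reset that user’s credentials rather than only patching the gateway.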

While we are all in the same boat fighting the pandemic, your network and remote communications technologies are now more critical to your success than ever.

Over the past several months we have helped hundreds of small and medium businesses across Canada take the pressure off their operations, making sure that their systems are available 24/7 and well protected against cybercriminals and network compromises.

Looking for help? Call us today at (416) 920-3000 or email sales@genx.ca
