Due to the global pandemic, nearly two-thirds of companies have moved half or more of their employees to telework. Sixty-two percent of employed Americans, for example, say they have worked from home during the crisis, with the number of remote employees doubling between March 13 and April 2 of 2020. This is not just a temporary change because nearly a third of all organizations expect more than 50% of their current remote workers will continue working from home after the pandemic.
The security implications of such a dramatic transition in such a short period of time cannot be overstated. Under normal circumstances, moving an entire workforce from secure IT environments to home networks with very little cybersecurity would take long-term planning and preparation. But that was not an option in 2020. As a result, 32% of respondents to Fortinet's Securing Remote Work Survey found setting up and managing secure connectivity to be the most challenging aspect of switching to telework.
Part of the problem was that the devices at the company's core network were not designed to manage the volume of VPN connections required. As a result, many connections were not secure. But the other part of the challenge is that many home networks were not set up to support the bandwidth requirements of VPN, let alone bandwidth-hungry business applications such as videoconferencing. In addition, end-user devices (many workers began working from home using a personal device) were often unpatched and unsecured as were other devices connected to the home network. These challenges made home networks an ideal target for cyber criminals.
Read more, including online security risks and tips for remote working here.
The transition to the teleworking / remote working model opens users and companies up to myriad security threats, including malware, all forms of phishing attacks, and more. Ashco's cyber security solutions and services address remote worker scenarios with three primary levels of connectivity. If you have technical questions or need assistance, contact us at firstname.lastname@example.org.
HTTP.Server.Authorization.Buffer.Overflow (CVE-2018-5955) indicates detection of an overly long HTTP Authorization header value. HTTP servers that insufficiently sanitize HTTP request header fields may be prone to such an attack. Successful attacks may allow a remote attacker to execute arbitrary code within the web server, crash the affected application, or deny service to legitimate users. Any unprotected or misconfigured HTTP server is vulnerable to the attack. FortiGuard Labs recommends that you apply the appropriate patches or upgrade the system to the latest non-vulnerable version, and monitor the traffic from that network for any suspicious activity.
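The signature above flags an Authorization value that is longer than any legitimate credential would be; the server-side counterpart is a length check applied to every header value before it is handed to application code. The following is an added example, not code from the original page or from FortiGuard: a minimal request-header parser with a per-value length limit. The 8 KiB limit, the hostnames and the two sample requests are constructed for illustration, and the parser handles neither header folding nor repeated fields.

```python
"""Added example: reject HTTP requests whose header values exceed a length limit
before any value reaches the application. Threshold, hostnames and sample
requests are constructed for this illustration."""

# Maximum accepted length of a single header value. 8 KiB is a common server
# default; the exact figure here is an assumption, not a value from the page.
MAX_HEADER_VALUE_LEN = 8192


def parse_headers(raw_request: bytes) -> dict:
    """Split a raw HTTP/1.1 request head into header fields (request line dropped).
    Header names are lower-cased; a repeated field keeps its last value.
    Raises ValueError on a line without a colon."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        headers[name.strip().lower().decode("ascii")] = value.strip()
    return headers


def check_request(raw_request: bytes, limit: int = MAX_HEADER_VALUE_LEN) -> dict:
    """Return {"accept": bool, "reason": str}. The request is rejected as a whole
    as soon as one header value exceeds the limit, so an oversized Authorization
    value is never copied into application buffers."""
    try:
        headers = parse_headers(raw_request)
    except ValueError as exc:
        return {"accept": False, "reason": str(exc)}
    for name, value in headers.items():
        if len(value) > limit:
            return {"accept": False,
                    "reason": f"header '{name}' value is {len(value)} bytes, limit {limit}"}
    return {"accept": True, "reason": "ok"}


# Constructed sample requests: a normal Basic-auth request and one whose
# Authorization value is far larger than any legitimate credential.
NORMAL_REQUEST = (
    b"GET /api/status HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    b"\r\n"
)
OVERSIZED_REQUEST = (
    b"GET /api/status HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + b"A" * 20000 + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(label, check_request(req))
```

The check is deliberately placed before any per-header logic so that the limit applies uniformly; a production server additionally bounds the total header block and the number of fields, which this example leaves out.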
North Korea's BeagleBoyz Robbing Banks – Recently, the United States Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI), and U.S. Cyber Command (USCYBERCOM), released a Joint Technical Alert that attributes malicious cyber activity to the North Korean government. The Technical Alert provides a detailed analysis of the North Korean government's role in an automated teller machine (ATM) cash-out scheme, referred to by the U.S. government as "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks." "BeagleBoyz" is a newly identified group that is a subset of activity by the threat actors known as HIDDEN COBRA/LAZARUS/APT38 and has been active since 2014. HIDDEN COBRA has been linked to multiple high-profile attacks that have caused massive infrastructure disruptions, as well as financially motivated attacks in various parts of the world. Notable attacks include the 2014 attack on a major entertainment company and a 2016 heist against a Bangladeshi financial institution that came close to netting $1 billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although HIDDEN COBRA failed in that attempt, they were still able to net around $81 million in total. The most recent, and most notable, attack attributed to HIDDEN COBRA was the WannaCry ransomware attack, which resulted in massive disruption and damage worldwide to numerous organizations, especially manufacturers. Various estimates of the impact are in the hundreds of millions of dollars, with some estimates putting damages in the billions. Other verticals that this group has targeted include critical infrastructure, entertainment, finance, healthcare, and telecommunications sectors across multiple countries.
Antivirus detections: W32/Alreay.BG!tr, W32/KeyLogger.BHFC!tr, W32/Banker.ADRO!tr.spy, W32/Alreay.A!tr, W32/Agent.0D36!tr, W64/Agent.AP!tr, W32/Generic!tr, W64/Banker.AX!tr.spy, W32/Banker.ADRO!tr.bdr
Box Pages Utilized in Phishing Attack to Trick Victims: Security researchers have recently discovered a phishing attack against government and security organizations that used a legitimate Box page carrying Microsoft 365 branding to manipulate its victims. This newly discovered credential-harvesting campaign lures victims with a genuine Box web page dressed up as Microsoft 365. The attack begins with phishing emails sent to the victims. The emails claim to come from a third party and ask the victim to read a sensitive financial document. The attacker arranged the delivery so that it would only be available for 10 days, creating a sense of urgency so that the victim clicks the link immediately. After the victim clicks the link, they are redirected to the page hosted on Box, which contains a further OneDrive document. After the victim also clicks the OneDrive document, they are redirected to the final phishing landing page, where they see an Office 365 login portal and are asked to log in with their corporate credentials. Once the credentials have been entered and the victim clicks the submit button, the credentials are sent to the attacker, who can retrieve them at any time. The victim is thus compromised.
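The chain above (mail link, then a Box page, then a OneDrive document, then a look-alike sign-in page) is hard to catch at the first hop because the early hops really are legitimate; what gives it away is the final page, which presents a password form on a host that is not a Microsoft sign-in host. The following is an added example, not code from the original page or from the researchers it cites: a triage routine that walks a redirect chain recorded as (url, html) pairs and flags exactly that combination. The two allowlists, the placeholder share identifiers, the look-alike hostname and both sample chains are constructed for illustration.

```python
"""Added example: flag a link-redirect chain that passes through legitimate
file-sharing hosts and ends on a page presenting a password form on a host
that is not an expected sign-in host. All hostnames, share ids and page
contents below are constructed for this illustration."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts on which a Microsoft sign-in form is expected. Assumption for the
# example; an organisation would maintain its own list.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Legitimate file-sharing hosts that are often used as intermediate hops.
FILE_SHARING_HOSTS = {"app.box.com", "onedrive.live.com"}


class LoginFormDetector(HTMLParser):
    """Records whether the page contains a <form> with a password input."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def page_has_login_form(html: str) -> bool:
    detector = LoginFormDetector()
    detector.feed(html)
    return detector.has_password_field


def triage_chain(chain):
    """chain: list of (url, html) pairs in visit order.
    Returns the verdict together with the facts that drove it."""
    hosts = [urlparse(url).hostname or "" for url, _ in chain]
    _final_url, final_html = chain[-1]
    final_host = hosts[-1]
    sharing_hops = [h for h in hosts[:-1] if h in FILE_SHARING_HOSTS]
    login_form = page_has_login_form(final_html)
    # A password form on a host outside the trusted sign-in set is the signal;
    # the sharing hops are reported as supporting context for the analyst.
    suspicious = login_form and final_host not in TRUSTED_LOGIN_HOSTS
    return {
        "suspicious": suspicious,
        "final_host": final_host,
        "sharing_hops": sharing_hops,
        "login_form_on_final_page": login_form,
    }


# Constructed chain mirroring the described flow: Box page -> OneDrive
# document -> look-alike sign-in page on an unrelated host.
SAMPLE_CHAIN = [
    ("https://app.box.com/s/constructed-share-id",
     "<html><body><a href='#'>Financial_Report.pdf</a></body></html>"),
    ("https://onedrive.live.com/redir?resid=constructed-id",
     "<html><body><a href='#'>Open document</a></body></html>"),
    ("https://office-secure-docs.example/login",
     "<html><body><h1>Office 365</h1><form method='post'>"
     "<input name='u'><input type='password' name='p'></form></body></html>"),
]

# Constructed benign chain: a shared file whose sign-in step lands on the
# real Microsoft host.
BENIGN_CHAIN = [
    ("https://app.box.com/s/constructed-share-id",
     "<html><body>shared file</body></html>"),
    ("https://login.microsoftonline.com/common/oauth2/authorize",
     "<html><body><form><input type='password' name='passwd'></form></body></html>"),
]

if __name__ == "__main__":
    print("sample:", triage_chain(SAMPLE_CHAIN))
    print("benign:", triage_chain(BENIGN_CHAIN))
```

In practice the (url, html) pairs come from a sandboxed URL crawler or a mail-security gateway's click-time rendering; the allowlist approach is conservative by design, so a password form on any unexpected host is surfaced for review rather than silently allowed.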
Our Research & Insights:
Whitepaper: Effective Cyber Security Strategies during the Covid-19 Pandemic
Whitepaper: The Essential Guide to Securing Remote Access
Secure DevOps: Learn how to make security integral to your DevOps process.
E-Book: Effective Security Strategies for DevOps & Application Services
E-Book: How to Build a Next Generation Security Operations Center