The dramatic and fast spread of the coronavirus has forced companies to take urgent steps to protect their offices and their employees from exposure. As such, many organizations are asking or requiring their staffers to work at home to avoid contact with others. But this quick transition is prompting cybercriminals to target the people and tools required to work remotely. Released on Wednesday, Radware’s report Coronavirus: Security Recommendations For Remote Access Threats explains how to safeguard your organization against remote access threats.
One attack vector discussed by Radware is a distributed denial-of-service (DDoS). These types of attacks send malicious traffic to targeted machines in an attempt to overload them. In doing so, the servers that your workers need to access then slow down or become unavailable.
A more specific kind of DDoS attack can affect remote workers using virtual private network (VPN) tools. Most VPN tools use Secure Socket Layer (SSL) or Transport Layer Security (TLS) to encrypt and secure any information sent back and forth. Hackers can send malicious data to the SSL server or otherwise exploit the SSL process, thereby taking down the service.
To protect yourself against DDoS attacks, Radware recommends using a hybrid DDoS solution that combines cloud-based DDoS services and on-premise protection. The on-premise detection can prevent any type of disruption from application and protocol specific attacks. The cloud-based services can provide automatic diversion to the cloud if the attacks continue to grow.
Remote workers rely on VPNs to gain secure access to an employer’s network. But VPNs have increasingly become a tempting target for cybercriminals using advanced persistent threats (APT). Last year, flaws were discovered in VPN tools from Palo Alto Networks, Fortinet, and Pulse Secure that would let remote attackers take control of an affected system and gain access to an organization’s network.
In response, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre (NCSC) advised organizations to review and update their VPN solutions:
- Palo Alto Network Security Advisory PAN-SA-2019-0020, in relation to CVE-2019-1579.
- FortiGuard Security Advisories FG-IR-18-389, in relation to CVE-2018-13382; FG-IR-18-388 in relation to CVE-2018-13383; and FG-IR-18-384, in relation to CVE-2018-13379.
- Pulse Secure Security Advisory SA44101, in relation to CVE-2019-11510, CVE-2019-11508, CVE-2019-11540, CVE-2019-11543, CVE-2019-11541, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11509, and CVE-2019-11507.
To protect yourself against VPN vulnerabilities, Radware suggests the following steps:
- Update VPNs, network infrastructure devices, and devices being used to work remotely with the latest software patches.
- Implement multi-factor authentication (MFA) on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords and not reuse passwords for other purposes or sites.
- Reset credentials associated with potentially affected VPNs.
- Implement granular access controls in VPN solutions to limit the access based on user profiles.
- Ensure and enforce the security posture of client devices before allowing access to internal resources.
Remote desktop tools may also play a role for off-site workers as they allow them to remotely access and control a workstation or server. Discovered last year, Bluekeep is a vulnerability in Microsoft’s Remote Desktop Services that could allow attackers to remotely execute code. The flaw affects Windows Server 2003, 2008, and 2008 R2, as well as Windows 7, XP, and Vista but not Windows 8 or Windows 10. Microsoft issued a patch for the bug, which it included as part of its automated Windows Update last May. But there are likely some organizations that have not yet installed it.
To protect yourself against Bluekeep, make sure that all affected versions of Windows have downloaded the latest updates. You can also manually download and install the Bluekeep patch from Microsoft’s Update Catalog.
Remote Desktop Protocol Attacks
Remote access to an organization’s critical computers and servers is highly prized by cybercriminals and hackers. One way of gaining that access is through a user account that has remote desktop privileges. To do that, criminals often apply brute force attacks to try to obtain the credentials of a privileged account. Though less than 1% of such attacks are successful, they can last for two to three days, according to Radware.
To protect against RDP account takeovers, Microsoft advises system administrators to combine and monitor the following multiple signals to detect RDP inbound Brute Force traffic on their servers:
- Hour of day and day of week of failed sign-in and RDP connections
- Timing of successful sign-in following failed attempts
- Event ID 4625 login type (filtered to network and remote interactive)
- Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
- Cumulative count of distinct usernames that failed to sign in without success
- Count (and cumulative count) of failed sign-ins
- Count (and cumulative count) of RDP inbound external IP
- Count of other machines having RDP inbound connections from one or more of the same IP
With more people working from home, cybercriminals are ramping up phishing campaigns designed to trick them into sharing passwords, financial information, and other sensitive data. Many of the latest phishing emails promise important details on the coronavirus to get people to click on malicious links or open malicious file attachments.
To defend your organization and employees against phishing attacks, Radware offers the following advice:
Stay current with anti-malware and phishing products and inform employees about the dangers of opening attachments or clicking links in emails from untrusted sources. While most organizations already implement a general awareness program for phishing, it does not hurt to inform employees about an expected increase in phishing attempts promising information on COVID-19.