Last week’s news agenda in the field of information security confidently moved from the field of conditional “computer viruses” to real, transmitted by airborne droplets. Employees of many companies that are able to perform their work remotely are now connected with colleagues and office infrastructure in a purely nominal way. This is not easy to say that the transition goes smoothly, although a lot of tasks can always be performed not at the workplace, but from anywhere in the world with a more or less reliable Internet.

Last week, Threatpost collected feedback from security professionals about the risks of the remote work. The main thing: IT-specialists in conditions of mass work of employees from home have much less control over the infrastructure. The concept of the “perimeter of the corporate network”, and before that was rather arbitrary due to the massive use of cloud services, has become completely illusive. In the best case, your colleagues will work from a corporate laptop, with security policies and security software, connecting via VPN. But the option of using a home PC, smartphone, tablet with Wi-Fi network connection with incomprehensible protection is not ruled out.

Naturally, cybercriminals are trying to take advantage of the situation, and it is complicated by the fact that at home, colleagues will be guaranteed to be distracted – by household chores, by children who do not go to school, and so on. At the same time, the work becomes not less, but more, and the chances of not recognizing a phishing message are noticeably increased.

To these problems are added purely technical issues of maintaining infrastructure. If the company has implemented cloud services, the transition to remote work will be almost seamless. And if for some reason you need access to local services? Do all employees have the necessary rights? Are they trained in access to the system? Will a VPN server withstand a large number of simultaneous connections if it was designed only for travel? There is no time for educational initiatives – you need to keep the equipment afloat.

A typical example of a cyberattack at the most inopportune moment occurred two weeks ago at the University of Otterbane in Ohio, USA. Directly in the process of transferring all students to distance learning, the organization was the victim of an attack by a ransomware. Details in the message are not given, but it can be assumed: in the worst case, it will be difficult to even contact a large number of people to notify them of the availability of infrastructure. Or even more serious: the forced replacement of passwords, which can no longer be carried out, simply by collecting everyone in the university premises.

Cybercriminals began exploiting the theme of coronavirus in spam mailings and phishing attacks in February: this is the case with any resonant event. For example, a campaign distributing the banking Trojan Emotet under the guise of “recommendations for protection against the virus”.

Another thematic attack was discovered by Check Point Research experts. A mailing list for government organizations in Mongolia with an attached RTF file exploited the vulnerability in Microsoft Word and installed a backdoor with a wide range of functions on the system. The organizers of the attack, previously seen in similar mailings in Russia and Belarus, received full control over the computers of the victims, arranged surveillance with regular screenshots and upload files to the command server.

And all this apart from the attacks “over the area”, for example, on behalf of the World Health Organization, with calls to either download a document or send a donation. WHO staff had to distribute a warning document about fraudsters who became especially active with the onset of the epidemic.

Let’s get back to corporate defense in the conditions of a total remote work. The Kaspersky Lab blog provides other examples of exploiting the coronavirus theme. Intrusive spam with phishing links or prepared attachments switched to the theme of coronavirus (“see information on delivery delays”). They sent targeted mailings supposedly from government agencies with the requirements of some urgent action.

The methods of counteracting such campaigns under quarantine have not changed, the possibilities for attack have expanded, exploiting both less secure home infrastructure and general nervousness.

What to do? First of all, keep calm and not give in to panic.

Use a VPN

Change the password for the home router, make sure that your Wi-Fi network is protected.
Use corporate collaboration tools: it often happens that a person is used to some other service for web conferencing, file sharing, and so on. This makes it even more difficult for the IT department to control events.
Finally, lock your computer when you leave your workplace. Not necessarily because a corporate spy will get into your home. And at least so that children do not accidentally answer an important conference call.

What else happened:

  • Adobe has released an extraordinary patch for its products covering 29 critical vulnerabilities, 22 of them in Adobe Photoshop. Another important recommendation for remote work (and not only for it) is to remember to install updates.
  • New horizons for the use of non-standard characters in domain names for phishing and other evil deeds. Summary of the post: ɢoogle and google are two different things.
  • A scientific study with the analysis of telemetry sent by popular browsers. Spoiler: Microsoft Edge receives the most statistics from users, including unique persistent identifiers.
  • Recently discovered vulnerabilities in Zyxel NAS devices exploit another botnet.
  • The story is in detail: how the researchers found (and Microsoft later successfully fixed) a serious error in the configuration of the Azure cloud service. Telemetry with access tokens was sent to a non-existent domain.