Security Operations Threat Analysis
As we are all aware many organisations have adopted working from home in response to the Covid 19 lockdowns. In most cases, it is the first time where an entire workplace is shifted to a remote environment. This means there will be a sudden change in the network topology which increases the attack ratio for the cyber criminals to exploit.
The main priorities for the defenders are not just the office security threat, we at CommSec help customers every day for security incidents. In our daily monitoring over the past couple of weeks, we have observed alerts and attack patterns rise due to remote workers connected to VPNs, relying on cloud-based applications and data.
Here are some of the remote work threats we have seen in recent weeks:
1. Brute-force VPN
We have noticed increased attacks on VPN portals, where the attackers try numerous attempts with their pre-configured credentials.
To defend from the delivery and reconnaissance attack, it is important to inspect VPN logs and make sure login activity attempts or services are accessed by the legitimate users. It is crucial to protect and monitor VPN ports such as TCP/UDP 443 (SSL VPN/SSTP), UDP 500/4500 (IPSEC VPN), 1194 (OpenVPN).
During this time of uncertainty this is one of the expected scenarios. Users working in a company under a firewall is very different to working remotely in a different network topology. There are many reasons for an insider threat which includes misconfiguration of the device, lack of user awareness, usage of applications that are often targeted by attackers like Zoom, Citrix and Google Suite and using different file sharing platforms.
This can be minimised by reducing human errors. A simple point of advice is to make sure each user is wary of the attachments they are downloading. They should always verify any link is legitimate before clicking on it. User awareness is the key component to stop attackers entering your network. Furthermore, the security team should keep an eye on configuration changes and always patch vulnerable applications.
3. Application exploitation
Web application abuse seems to be one of the treasure trails for an attacker. They are trying every possible attempt for application exploitation considering a HTTP request smuggling, clickjacking attack and breaking cipher suits. Not only this, but we have also observed plenty of Mirai Botnet attempts to the server. Mirai is a malicious program whose key component module is to replicate and attack. The infected devices are controlled through a central set of command and control (C&C) servers. These servers then tell the infected device which site to affect next.
To defend this exploitation, make sure any unwanted ports are closed and apply a proper filtration policy for legitimate traffic flow. Fix vulnerabilities by applying patches wherever it is necessary and keep systems updated.
Zeel Jani is SOC Analyst with CommSec