Suddenly cybersecurity teams have to adjust to the reality of a nearly 100% remote workforce. Security best practices often take a back seat to business continuity in strange times like these. Teams that previously managed a primarily in-house workforce might not be prepared to combat new threats from a workplace without defined borders.
Our incident response team helps customers respond to security incidents every day. But over the past couple of weeks, they’ve seen the pattern of attacks and alerts change as workers move to VPN connections and rely on cloud-based apps and data. To help you get a feel for what they see in the field, we compiled a list of the top five remote work threats our team has encountered since the start of the COVID-19 pandemic.
1. VPN Brute-Force
With so many people now working from home, attackers have a much larger surface for brute-force attacks through the VPN. ZDNet reports a 33% increase in enterprise VPN connections over the past two weeks, which by that estimate means attackers have over a million brand new targets that came online since the beginning of 2020.
Brute-force attacks make up ~45% of the Varonis IR team’s investigations, and most of those are VPN or Active Directory authentication attacks. We have seen organizations disable the built-in lockouts and other restrictions on VPN connectivity to maintain business continuity or reduce overhead on IT, which makes this attack a far more viable way in.
Attackers pull off a VPN brute-force attack by pointing automated tooling at the VPN portal and blasting it with authentication attempts. When the attempts come from pre-gathered lists of username/password pairs leaked in other breaches, the technique is called “credential stuffing”; when one or two common passwords are tried against a long list of usernames so that no single account trips a lockout, it is called “password spraying.” If any one of those combinations works, the attacker gains a foothold.
Not only that: if the VPN authenticates with the same credentials as the domain, through Single Sign-On (SSO) or directly against Active Directory, the attacker also holds a valid domain login. Very quickly, the attacker has infiltrated the network, can start reconnaissance using that domain login, and can attempt privilege escalation.
How Varonis Helps
Varonis has a variety of built-in threat models to detect abnormal authentication behavior (credential stuffing, password spraying, brute force) on your VPN or Active Directory. You’ll notice that our threat models consider more than one source – VPN activity is enriched and analyzed with information we gather from Active Directory, web proxies, and data stores like SharePoint or OneDrive.
You can also get a quick look at context-rich VPN activity (not raw logs) with a library of saved searches that can be used for reporting or threat hunting.
Hundreds of failed login attempts from the same IP address and/or device can be a dead giveaway of a brute-force attack, but even if the attackers go low and slow, Varonis can catch subtle deviations by combining perimeter telemetry, Active Directory activity, and data access, and modeling all of it against a user’s or device’s behavior baseline.
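To make the three patterns above concrete (a burst against one account, a spray across many accounts, and a low-and-slow run that stays under lockout thresholds), here is an added example that is not Varonis code: a small Python classifier run over a constructed, hypothetical VPN authentication log. The log line format, the IP addresses and the thresholds are all assumptions for the demo; adapt the regex to whatever your VPN concentrator actually emits.

```python
"""Classify VPN authentication failures by source IP.

Added example for this post, not Varonis code. The log format is a constructed,
hypothetical syslog-style line:
    2020-04-01T02:00:03 vpn auth user=jsmith src=10.0.0.5 result=fail
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Turn matching lines into dicts with a datetime; silently skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def analyze(events, burst_threshold=20, spray_users=10, slow_threshold=6, slow_hours=4):
    """Return {source_ip: set_of_tags} for sources whose failures fit an attack pattern."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "fail"]
        if not fails:
            continue
        tags = set()
        per_user = Counter(e["user"] for e in fails)
        span = fails[-1]["ts"] - fails[0]["ts"]

        # Classic brute force: a burst of failures hammering a handful of accounts.
        if len(fails) >= burst_threshold and len(per_user) <= 3:
            tags.add("brute_force")
        # Spraying / stuffing: many accounts, at most a few tries each, so no lockout fires.
        if len(per_user) >= spray_users and max(per_user.values()) <= 3:
            tags.add("password_spray")
        # Low and slow: too few failures to look like a burst, but spread over hours.
        if slow_threshold <= len(fails) < burst_threshold and span >= timedelta(hours=slow_hours):
            tags.add("low_and_slow")
        # A success from a source already showing one of the patterns above is the foothold.
        if tags and any(e["result"] == "ok" for e in evs):
            tags.add("foothold")
        if tags:
            findings[src] = tags
    return findings


def build_sample_log():
    """Constructed sample data for the demo, not a real capture."""
    t0 = datetime(2020, 4, 1, 2, 0, 0)
    lines = []

    def add(offset, user, src, result):
        lines.append(f"{(t0 + offset).isoformat()} vpn auth user={user} src={src} result={result}")

    for i in range(25):                      # 25 failures against one account in 75 seconds
        add(timedelta(seconds=3 * i), "jsmith", "10.0.0.5", "fail")
    for i in range(12):                      # one try each against twelve accounts ...
        add(timedelta(minutes=i), f"user{i:02d}", "203.0.113.7", "fail")
    add(timedelta(minutes=12), "kwong", "203.0.113.7", "ok")   # ... and the one that worked
    for i in range(7):                       # seven failures spread over six hours
        add(timedelta(hours=i), f"exec{i}", "198.51.100.9", "fail")
    add(timedelta(hours=9), "mlee", "192.0.2.44", "fail")          # an ordinary typo ...
    add(timedelta(hours=9, seconds=20), "mlee", "192.0.2.44", "ok")  # ... then a normal login
    return lines


if __name__ == "__main__":
    for src, tags in analyze(parse(build_sample_log())).items():
        print(src, sorted(tags))
```

The ordinary user who mistypes once and then logs in is deliberately not flagged: a success only counts as a foothold when the same source already showed one of the attack patterns. In production the interesting enrichment is the one the post describes, joining these source IPs against what the account does next in Active Directory and on the file shares.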
2. Command and Control via Phishing
Another threat we have seen adapted for the pandemic is an old favorite: phishing. Attackers are preying on fear during the pandemic to trick users into clicking malicious links and downloading malware. It’s truly evil.
Attackers have built COVID-19 maps and created websites that “sell” medical gear or discuss miracle cures, and that instead deliver malware to your computer. Some of these scams are blatant, like charging $500 for an N95 mask, but others are designed to compromise your computer and all the data you can access. When you click one of those malicious links, the attacker’s payload is downloaded and runs, and it calls back to the attacker’s command and control (C2) server. From there the attacker begins reconnaissance and privilege escalation to find and steal your sensitive data.
How Varonis Helps
Varonis can detect network behavior that resembles command and control, and not only by looking for connections to known malicious IP addresses or domains: it performs deep inspection of DNS and web proxy traffic to detect malware that disguises its C2 communication as ordinary HTTP or DNS traffic.
In addition to detecting the presence of malware and its communication back to a C2 server, Varonis’ data-centric threat models often catch a compromised user based on deviations in file or email access. Varonis does that by monitoring file activity and perimeter telemetry, enriching all of that monitored data to create user-specific baselines, and then comparing current activity to those baselines and an ever-growing catalog of threat models.
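As an added example of what “malware that disguises communication in DNS traffic” looks like in the logs, and not Varonis code, the script below scores each registered domain in a constructed, hypothetical DNS query log on four tunnelling traits: almost every query name is unique, the leftmost labels have the entropy of encoded data rather than hostnames, the labels are long, and the queries favour record types with room for data (TXT, NULL). The log format, the IP addresses, the two-label definition of “registered domain” and the thresholds are assumptions for the demo.

```python
"""Flag registered domains whose query pattern looks like DNS tunnelling.

Added example, not Varonis code. Log lines are a constructed, hypothetical
"<ts> <client_ip> <qname> <qtype>" format, one query per line.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character; random hex tends toward 4.0, hostnames sit around 1-3."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. Simplification: ignores public-suffix rules such as co.uk."""
    return ".".join(qname.split(".")[-2:])


def parse_dns(lines):
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        events.append({"ts": ts, "client": client,
                       "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return events


def score_domains(events, min_queries=20, min_unique_ratio=0.8, min_entropy=3.3, min_prefix_len=30):
    """Return {domain: info} for domains showing at least two tunnelling traits."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                 "entropy": [], "prefix_len": [], "txt_null": 0})
    for e in events:
        dom = registered_domain(e["qname"])
        prefix = e["qname"][: -len(dom)].rstrip(".") if e["qname"] != dom else ""
        s = stats[dom]
        s["queries"] += 1
        s["names"].add(e["qname"])
        s["clients"].add(e["client"])
        if prefix:
            s["entropy"].append(shannon_entropy(prefix.replace(".", "")))
            s["prefix_len"].append(len(prefix))
        if e["qtype"] in ("TXT", "NULL"):
            s["txt_null"] += 1

    findings = {}
    for dom, s in stats.items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["names"]) / s["queries"]
        mean_entropy = sum(s["entropy"]) / len(s["entropy"]) if s["entropy"] else 0.0
        mean_len = sum(s["prefix_len"]) / len(s["prefix_len"]) if s["prefix_len"] else 0.0
        reasons = []
        if unique_ratio >= min_unique_ratio:
            reasons.append("mostly_unique_subdomains")   # each query carries new data
        if mean_entropy >= min_entropy:
            reasons.append("high_entropy_labels")        # encoded payload, not hostnames
        if mean_len >= min_prefix_len:
            reasons.append("long_labels")                # packing as much as fits per query
        if s["txt_null"] / s["queries"] >= 0.5:
            reasons.append("txt_or_null_heavy")          # record types with room for data
        if len(reasons) >= 2:
            findings[dom] = {"reasons": reasons, "queries": s["queries"],
                             "clients": sorted(s["clients"]),
                             "mean_entropy": round(mean_entropy, 2)}
    return findings


def build_sample_dns():
    """Constructed sample: ordinary lookups to example.com, encoded TXT lookups to example.org."""
    lines = []
    hosts = ["www", "mail", "cdn"]
    for i in range(30):
        lines.append(f"2020-04-01T10:{i:02d}:00 10.1.1.20 {hosts[i % 3]}.example.com A")
    for i in range(40):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:48]   # stands in for encoded data
        lines.append(f"2020-04-01T10:{i:02d}:30 10.1.1.37 {chunk}.{i}.example.org TXT")
    return lines


if __name__ == "__main__":
    for dom, info in score_domains(parse_dns(build_sample_dns())).items():
        print(dom, info)
```

Two caveats before running this against real resolver logs: some legitimate services (CDNs, anti-spam and antivirus reputation lookups, certificate transparency tooling) generate high-entropy, mostly unique subdomains, so an allowlist of known-good domains is required, and requiring two traits rather than one is what keeps those from paging someone at 3 a.m.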
3. Malicious Azure Apps
This attack vector is relatively new and was first discussed on the Varonis blog this month. You should read the full article for the details, as I’m going to give you the TL;DR version here.
Microsoft reported a 775% increase in Azure tenants over the past month. This means that some of you are just now spinning up Azure environments for your remote workers, and some more of you are in business continuity mode and pushing out new functionality quickly. Maybe both are true.
Attackers have discovered that they can include malicious Azure apps in phishing campaigns. The link leads to a genuine Microsoft consent prompt for an app the attacker registered; as soon as the user clicks to accept, the attacker’s app holds a token with whatever permissions it asked for (typically mail, contacts and files), without ever learning the password and without MFA standing in the way.
Make sure you can see which apps your users are consenting to, and schedule routine reviews of approved apps so you can revoke anything that looks risky.
How Varonis Helps
Varonis can track Azure App consent requests to detect signs of this attack from the very start. Additionally, because Varonis is capturing, analyzing, and profiling all events in Office 365 for each entity, once a malicious app begins to impersonate the user—sending emails and downloading files—our behavior-based threat models will trigger.
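For the “routine review of approved apps” the section recommends, here is an added example (not Varonis code) that ranks consent grants by what a malicious app could do with them. The records are constructed in the shape of the Microsoft Graph oauth2PermissionGrant and servicePrincipal objects (clientId, consentType, principalId, scope; displayName, verifiedPublisher); the app names, IDs and the list of which scopes count as high-risk are assumptions for the demo.

```python
"""Rank OAuth consent grants in a tenant by how much a malicious app could do with them.

Added example, not Varonis code. Input records are constructed in the shape of
Microsoft Graph oauth2PermissionGrant and servicePrincipal objects; the sample
tenant below is invented.
"""

# Delegated Graph scopes that hand an app the user's mail, files or directory (assumed list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "User.Read.All",
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def review_grants(grants, service_principals, allowlist=frozenset()):
    """Return one finding per grant, highest severity first (apps in allowlist are skipped)."""
    findings = []
    for g in grants:
        sp = service_principals.get(g["clientId"], {})
        app = sp.get("displayName", g["clientId"])
        if app in allowlist:
            continue
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        tenant_wide = g.get("consentType") == "AllPrincipals"
        persistent = "offline_access" in scopes          # refresh token outlives the session
        verified = bool((sp.get("verifiedPublisher") or {}).get("displayName"))

        reasons = []
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if persistent:
            reasons.append("offline_access keeps working after the user logs out")
        if tenant_wide:
            reasons.append("admin consent for all users")
        if not verified:
            reasons.append("publisher not verified")

        if risky and (tenant_wide or persistent or not verified):
            severity = "high"
        elif risky:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"app": app, "severity": severity, "reasons": reasons,
                         "principal": "all users" if tenant_wide else g.get("principalId"),
                         "grant_id": g.get("id")})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["app"]))
    return findings


# Constructed sample tenant: one phishing-style app among ordinary business apps.
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-1": {"displayName": "COVID-19 Tracker", "verifiedPublisher": None},
    "sp-2": {"displayName": "Contoso Expense", "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    "sp-3": {"displayName": "Legacy Sync", "verifiedPublisher": {"displayName": "Fabrikam"}},
    "sp-4": {"displayName": "Team Wiki", "verifiedPublisher": {"displayName": "Fabrikam"}},
}
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-1", "consentType": "Principal", "principalId": "u-42",
     "scope": "User.Read Mail.Read Files.Read.All offline_access"},
    {"id": "g2", "clientId": "sp-2", "consentType": "Principal", "principalId": "u-42",
     "scope": "User.Read offline_access"},
    {"id": "g3", "clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite Directory.Read.All"},
    {"id": "g4", "clientId": "sp-4", "consentType": "Principal", "principalId": "u-7",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        print(f["severity"].upper(), f["app"], "->", "; ".join(f["reasons"]))
```

In a real tenant the two inputs come from the Graph API (`GET /oauth2PermissionGrants` and `GET /servicePrincipals`), and a grant you decide to revoke is removed with `DELETE /oauth2PermissionGrants/{id}`. Note that the verified-publisher app with tenant-wide mail access ranks just as high as the unverified one: who published the app matters less than what it can read.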
4. Bypass of Multi-Factor Authentication
Another threat to the remote workforce is a man-in-the-middle attack on the login itself. Your newly remote team might not be used to the basic workflows in Office 365, so they are susceptible to fake Office 365 login screens. Attackers use these fake login screens to steal credentials and the session token issued after login, which is all they need to impersonate that user and log in from their own system. Compounding this threat, your new remote workers might be using insecure home Wi-Fi routers, which an attacker within radio range can often compromise.
We demonstrated this attack in our second Cyberattack Workshop, and you can watch the replay here. In short, the fake page sits between the user and the real login, relaying the password and the MFA prompt to Microsoft; the attacker intercepts the authentication token the server sends back once MFA succeeds, and then uses that token to log in from their own computer with MFA already satisfied. Once the attackers gain access, they can use malware to start up a C2 channel, try to infect other users, or go straight to reconnaissance to look for sensitive data to steal.
How Varonis Helps
Varonis can detect simultaneous logins from different locations and logins that don’t match the user’s previous activity patterns, which are a dead giveaway that there are shenanigans afoot. And just like before, Varonis is monitoring your data for any abnormal access, which attackers generate just by existing inside your network.
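The two signals named above, logins from different locations that no traveller could have made and one session presented from more than one place, are straightforward to compute from sign-in telemetry. The following is an added example, not Varonis code: it runs over constructed, hypothetical sign-in records (user, timestamp, IP, geo-IP latitude/longitude, session ID) of the kind a SIEM exports after enrichment; the field names, IPs, coordinates and the 900 km/h speed limit are assumptions for the demo.

```python
"""Flag sign-ins that only make sense if a session token was replayed from elsewhere.

Added example, not Varonis code. Events are constructed, hypothetical sign-in
records (user, ts, ip, lat, lon, session); 'session' stands in for whatever ID
ties an issued token to the login that produced it.
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Return alerts for impossible travel and for one session token seen from several IPs."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        # Consecutive logins from different IPs: could a person have made the trip?
        for prev, cur in zip(evs, evs[1:]):
            if cur["ip"] == prev["ip"]:
                continue
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if km >= min_distance_km and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append({"user": user, "type": "impossible_travel",
                               "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2)})
        # The same session ID presented from more than one IP: token theft, not travel.
        ips_per_session = defaultdict(set)
        for e in evs:
            ips_per_session[e["session"]].add(e["ip"])
        for session, ips in ips_per_session.items():
            if len(ips) > 1:
                alerts.append({"user": user, "type": "session_reuse",
                               "session": session, "ips": sorted(ips)})
    return alerts


def build_sample_signins():
    """Constructed sample: alice's token is replayed from abroad; bob just commutes."""
    def ev(user, ts, ip, lat, lon, session):
        return {"user": user, "ts": datetime.fromisoformat(ts), "ip": ip,
                "lat": lat, "lon": lon, "session": session}
    return [
        ev("alice", "2020-04-01T09:00:00", "198.51.100.10", 42.3601, -71.0589, "S1"),  # Boston
        ev("alice", "2020-04-01T09:40:00", "203.0.113.50", 6.5244, 3.3792, "S1"),      # Lagos, same token
        ev("bob", "2020-04-01T08:00:00", "192.0.2.8", 40.7128, -74.0060, "S2"),        # New York
        ev("bob", "2020-04-01T10:00:00", "192.0.2.77", 39.9526, -75.1652, "S3"),       # Philadelphia
    ]


if __name__ == "__main__":
    for a in detect(build_sample_signins()):
        print(a)
```

Geo-IP is approximate and corporate VPN egress points, cloud-hosted browsers and mobile carriers all produce legitimate “teleporting” users, so impossible travel alone is noisy; the session-reuse check is the sharper signal for the token-replay case, and both are best weighed against the user’s baseline the way the post describes.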
5. Insider Threats
This is a time of great uncertainty for everyone. Humans are gripping the proverbial clubs a little tighter, and that fear and uncertainty makes them behave differently than they usually do.
Users who are scared of the future might download their work files to an unsecured computer, either for fear of losing their job or for fear of not being able to perform their job functions optimally. Probably both. This presents a challenge to the cybersecurity and IT teams charged with keeping that data secure.
Insider threats can be particularly hard to catch when an employee uses a personal device to access sensitive data, because that device lacks the corporate security controls, such as DLP, that might normally catch an insider exfiltrating data.
How Varonis Helps
Varonis can help detect insider threats by first identifying where sensitive data lives throughout an organization and then learning how users typically interact with that data. Varonis baselines users’ data access behaviors over time, monitors file activity, and enriches that with VPN, DNS, and proxy data. This way, Varonis can detect when a user downloads a large amount of data over the network, or accesses sensitive data they never touched before, and can provide a full audit trail of the files the user accessed.
More often than not, employees don’t have malicious intent. Nevertheless, it’s important for an organization to understand where their sensitive data might be at risk as insider threats do happen. Having the visibility to be able to address the behavior directly with employees is a way to both mitigate risk and discuss issues with employees head-on.
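As an added example of the two insider signals named above (a volume of file activity far outside the user’s own baseline, and a first-time visit to a sensitive folder), and not Varonis code, the script below baselines each user on their earlier days and scores only the most recent one. The events are constructed, hypothetical file-access records (user, day, path); the share layout, the folders treated as sensitive, and the thresholds are assumptions for the demo.

```python
"""Baseline each user's daily file activity and flag the day that breaks the pattern.

Added example, not Varonis code. Events are constructed, hypothetical
(user, day, path) file-access records; the share layout and the folders
considered sensitive are assumed for the demo.
"""
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Folders whose first-time access by a user is worth a look (assumed for the demo).
SENSITIVE_PREFIXES = ("/shares/finance/", "/shares/hr/")


def detect(events, z_threshold=3.0, min_events=50, min_history_days=7):
    """Compare each user's latest day against their earlier days. Returns {user: [reasons]}."""
    per_day = defaultdict(lambda: defaultdict(int))          # user -> day -> event count
    sensitive_days = defaultdict(lambda: defaultdict(set))   # user -> prefix -> days seen
    for user, day, path in events:
        per_day[user][day] += 1
        for prefix in SENSITIVE_PREFIXES:
            if path.startswith(prefix):
                sensitive_days[user][prefix].add(day)

    findings = {}
    for user, days in per_day.items():
        ordered = sorted(days)
        if len(ordered) <= min_history_days:     # not enough history to say what is normal
            continue
        today, history = ordered[-1], ordered[:-1]
        counts = [days[d] for d in history]
        mean = statistics.mean(counts)
        sd = max(statistics.pstdev(counts), 1.0)  # floor so a perfectly regular user is not z=inf
        reasons = []

        # Volume spike: far more activity than this user's own history, and enough to matter.
        today_count = days[today]
        if today_count >= min_events and (today_count - mean) / sd > z_threshold:
            reasons.append({"kind": "volume_spike", "today": today_count,
                            "baseline_mean": round(mean, 1), "baseline_sd": round(sd, 1)})
        # New sensitive access: a sensitive folder seen today and on no earlier day.
        for prefix, seen in sensitive_days[user].items():
            if today in seen and not (seen - {today}):
                reasons.append({"kind": "new_sensitive_access", "folder": prefix})
        if reasons:
            findings[user] = reasons
    return findings


def build_sample_events():
    """Constructed sample: carol's quiet two weeks end with a bulk pull from Finance."""
    start = date(2020, 3, 16)
    events = []
    for i in range(14):
        day = start + timedelta(days=i)
        for n in range(20 + i % 5):                    # carol: 20-24 engineering files a day
            events.append(("carol", day, f"/shares/eng/spec-{n}.docx"))
        for n in range(100 + i % 7):                   # dave: 100-106 finance files a day, his job
            events.append(("dave", day, f"/shares/finance/ledger-{n}.xlsx"))
    last = start + timedelta(days=14)
    for n in range(400):                               # carol: 400 files, half of them from Finance
        folder = "finance" if n % 2 else "eng"
        events.append(("carol", last, f"/shares/{folder}/file-{n}.xlsx"))
    for n in range(105):                               # dave: an ordinary day
        events.append(("dave", last, f"/shares/finance/ledger-{n}.xlsx"))
    return events


if __name__ == "__main__":
    for user, reasons in detect(build_sample_events()).items():
        print(user, reasons)
```

The point of the per-user baseline is visible in the sample: dave touching 105 Finance files is normal for dave and raises nothing, while the same folder showing up once in carol’s history is the signal. A global threshold would either page on dave every day or miss carol entirely.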
Varonis is here to help. Our Incident Response team will help you investigate anything that looks suspicious and can even help you recover from an attack. We’re also offering free eval licenses to people who need them. Request a contact on our COVID-19 Response page, and we will get you set up.
You can probably tell that we don’t rely on single layers of protection here at Varonis. We advocate for multiple layers of redundant capabilities, built in an overlapping, web-like configuration. Our IR team can help you incorporate Varonis into your current cybersecurity strategy or make recommendations on other systems you might want to invest in to build out your protections.
These are unprecedented circumstances in my lifetime, and I’m a Gen Xer, so I know most of my peers are in the same situation. Please be kind to each other. We’re all in this together.
Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.