A major shift of the COVID-19 pandemic has been to move organisations firmly to remote working. This trend is likely to continue, as organisations realise that remote work is as productive as office-based work and employees see the benefits of reduced commuting times and flexible working.
This pandemic-induced shift is leading to significant remote working deployments, and this is an opportunity to implement good practice for remote access. Whilst many IT and cyber security projects are currently not a priority, we recommend that the risks in this area are still considered.
Our previous reporting on ransomware attacks during COVID-19 noted that common attack vectors include exposed remote access services such as Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) technologies. Ransomware groups currently favour these approaches for gaining initial access to systems because the underlying vulnerabilities can be exploited at scale with little effort.
Our research has also identified that, while some ransomware distributors conduct targeted operations, the majority are likely opportunity led and select targets based on the availability of an access vector, such as a successful phishing attempt or the discovery of a vulnerable remote access appliance. Organisations that are new to mass deployment of remote working technology can find themselves at particular risk when rolling out the new solutions needed to keep the business running during lockdown.
Organisations which have adopted new platforms or technologies to support remote working now need to understand the methods which these attackers are favouring and ensure that they have adequate situational awareness of their networks. We recommend that organisations update remote access systems, prioritise the removal of exposed access mechanisms and follow good practice for other forms of remote access.
Updating remote access
Remote access through Virtual Private Networks (VPNs) has always been a key part of most organisations’ IT infrastructure. Many organisations will have enabled remote access at scale, increasing the use of VPN technology. External support for IT infrastructure is now also likely to be remote, with VPN software being used for support without being a designed-in feature of the system.
Recent reporting has shown that even companies which have patched a major flaw discovered last year in the Pulse Secure VPN service may still be vulnerable if they have not also reset other passwords. Last week the US Department of Homeland Security updated its warning about the exploitation of Pulse Secure VPN, noting that exploitation continues even after patching. The department noted that attackers had gained access prior to the service being patched and then used the credentials they had stolen in subsequent attacks, meaning some businesses would still be vulnerable even after updates were made.
According to an FBI Alert, in one incident, attackers deployed ransomware on US hospitals and [Federal] Government organisations using credentials which they had stolen months previously.
The vulnerability in Pulse Secure VPN allowed attackers to read files from the appliance, which could then be used to gain remote access to a system. This vulnerability was disclosed in 2019 and the service was updated to fix it over a year ago, yet many companies are still running the vulnerable software, and attackers regularly scan the internet for vulnerable organisations. High-level research by our team using Shodan found around 2,500 Pulse Secure VPN endpoints in the UK, of which around 300 were being reported as vulnerable last year.
For this reason, it is critically important that, as well as patching this specific flaw, companies that have detected that they were vulnerable also take steps to harden their defences. We recommend reviewing the security of other services, implementing specific monitoring, and following good practice for credentials, such as enforcing multi-factor authentication, automatically locking inactive accounts and ensuring that privileged accounts cannot log in directly over remote access.
Prioritise exposed access mechanisms
The rapid move to ‘remote first’ working has seen IT projects cancelled, budgets cut and upgrade plans put on hold. Attackers have adjusted their actions accordingly, targeting legacy systems that do not have the same security features as more up-to-date alternatives.
For example, we have seen instances of attackers targeting remote access mechanisms that do not support multi-factor authentication, in which a second factor is required in addition to a username and password. In a recent incident managed by our team, attackers gained valid credentials through a phishing attack and then used ActiveSync to access various mailboxes, as the other e-mail access mechanisms were appropriately protected.
We recommend that, even in the current circumstances, projects to remove legacy remote access infrastructure are prioritised. Any mechanism by which attackers can repeatedly try credentials will eventually be found and attacked. Several of our clients have reported credential stuffing attacks in the last year, often against exposed Application Programming Interface (API) endpoints. These are not obvious to an end user but are easy to find with simple technical tools.
Remote access good practice
Our team recommends the following good practices be applied to all forms of remote access across organisations.
- Establish a password policy based on best practice, such as the guidance from the National Cyber Security Centre, which supports the ways in which people work and reduces the burden of remembering complex passwords.
- Use secure protocols wherever possible, ensuring that they both protect the confidentiality of data in transit through encryption and support up-to-date authentication mechanisms beyond simple usernames and passwords (e.g. certificates).
- Enable the security features of the systems you choose to use. This includes hardening specific services such as Remote Desktop, or layering services to enhance security (e.g. only allowing Remote Desktop over a more secure VPN).
- Complicate automated attacker activity by changing the default port numbers and banners for services. We do not recommend relying on security through obscurity, but this can slow down attackers who use opportunistic scanning to find victims.
- Use multi-factor authentication across all externally available services.
- Keep remote access appliances, software and other systems up to date with security patches and monitor vendor and threat intelligence reports for critical issues in your specific systems.
- Ensure that remote access systems have logging enabled, and that where possible logs are reviewed and suspicious events acted upon.
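As an added example (not code from the original article or from any vendor), the script below shows the kind of log review the last point calls for, applied to three of the recommendations above: it flags credential stuffing (one source failing against many distinct accounts), successful remote logins by accounts that should never log in directly over remote access, and inactive accounts that are candidates for automatic lockout. The log format is a constructed key=value layout, not a real vendor's, and the addresses, usernames and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample remote-access auth log (simplified key=value format, not a real vendor format).
SAMPLE_LOG = """\
2020-04-20T08:01:12Z src=203.0.113.7 user=alice result=FAIL
2020-04-20T08:01:13Z src=203.0.113.7 user=bob result=FAIL
2020-04-20T08:01:13Z src=203.0.113.7 user=carol result=FAIL
2020-04-20T08:01:14Z src=203.0.113.7 user=dave result=FAIL
2020-04-20T08:01:14Z src=203.0.113.7 user=erin result=FAIL
2020-04-20T08:01:15Z src=203.0.113.7 user=frank result=OK
2020-04-20T09:10:00Z src=198.51.100.2 user=alice result=FAIL
2020-04-20T09:10:09Z src=198.51.100.2 user=alice result=OK
2020-04-20T09:30:00Z src=198.51.100.9 user=svc-backup-admin result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Parse key=value lines into dicts with a datetime timestamp; non-matching lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def credential_stuffing_sources(events, min_users=5):
    """Sources whose failures span >= min_users distinct accounts: one user mistyping a
    password fails repeatedly from one source; stuffing sprays one source across many users."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed.items() if len(users) >= min_users}


def privileged_remote_logins(events, privileged):
    """Successful remote logins by accounts that should never log in directly over remote access."""
    return [(e["ts"].isoformat(), e["user"], e["src"])
            for e in events if e["result"] == "OK" and e["user"] in privileged]


def stale_accounts(events, known_users, now, max_idle_days=90):
    """Accounts with no successful login inside the window: candidates for automatic lockout."""
    last_ok = {}
    for e in events:
        if e["result"] == "OK":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in known_users if last_ok.get(u, datetime.min) < cutoff)
```

On the sample data only 203.0.113.7 is flagged for stuffing; alice's single retry from 198.51.100.2 is not, which is the distinction a threshold on distinct usernames buys over a plain failure count.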
Our team is monitoring attacks on remote access systems as well as the development of ransomware. If you are experiencing issues in the deployment of similar systems or would like more information, please let us know.