Geeks for your information
Traffic to Malicious Websites Spiking as more Employees Take Up Work from Home

Forum: Security > Security Vendors > Heimdal Security > Heimdal Security Blog Articles (https://www.geeks.fyi)
Thread: https://www.geeks.fyi/showthread.php?tid=10831



Traffic to Malicious Websites Spiking as more Employees Take Up Work from Home - harlan4096 - 25 March 20

Quote:

Heimdal™ Security Internal Data Reveals Spike in Malicious Connections following Remote Work Exodus

Heimdal™ Security’s Incident Response and Research team has recently uncovered evidence of what could be a potentially dangerous campaign directed at employees working from home. With many cities under lockdown due to the COVID-19 pandemic, companies were mandated to allow their employees to work from home, in a bid to stop the spread of the virus.

Since all major market players have adopted this preemptive, self-isolating measure, online traffic has increased exponentially, prompting ISPs to upgrade or redesign the existing data-transmission infrastructure. At the same time, online-based applications and tools have had various technical difficulties ensuring information integrity.

The digital landscape is more vulnerable than ever to cyber-aggression, a fact proven by Heimdal Security’s data.

Overview

According to Heimdal™ Security’s internal data, malicious actors have changed their focus, targeting employees who have taken up remote work. The numbers are consistent across the board, regardless of the machine’s status (company-issued device or BYOD).

Furthermore, the data gathered in the last 30 days confirms that users are more inclined to access malicious websites while working remotely compared to working from a company-designated location.

The forensic analysis revealed that although the number of infections and malicious connections is exponentially higher during regular work hours (09:00 – 18:00), they tend to remain unchanged even during off-hours. One plausible explanation may be that the employee will make use of the same machine during off-hours for non-work-related purposes, hence the increased numbers of positive detections.

Preliminary data shows that most positive AV detections occurred around 7:00 AM. With regard to malicious connections to C&C servers, a spike occurred at around 13:00.

In-depth analysis

According to Heimdal Security’s pooled data, malicious penetration attempts begin at around zero hours (24:00): infections detected and eliminated stack up to 142. At around the same time, 34,2494 malicious connections have been discovered. No information is available on what files have been accessed or on attempts to establish a foothold in the machine via ‘shadow processes’.

An overview of the newly-discovered remote work malicious campaign reveals that during work hours, 652,509 infections have been identified, compared to 609,797 off-hours infections. The phenomenon’s amplitude was registered at 07:00 AM for infections (742 positive results) and at 13:00 for blocked malicious connections (71,460 hit count).

With regard to the malware pathology, Heimdal Security’s internal data reveals that more than 80% of detected malware were trojans; adware, phishing, and rootkits account for the rest. Since the beginning of the campaign, no data exfiltration attempts have been registered.

Based on the behavioral analysis, the purpose of this malicious venture would be to probe defenses, both perimeter and VPN-based countermeasures, to determine the dissemination vectors required to conduct a full-scale incursion. Another aspect that can be inferred from the data is that the malicious actors may attempt to use the infected devices as ‘hopping points’ (lateral movement).

The lowest hit count for AV infections was registered at 23:00 (approximately 77). For connections to malicious C&C servers, the lowest hit count was at around 03:00 AM, circa 30,000 per device. The hit count range was compiled by analyzing the positive detection logs of hundreds of machines, across several geographical areas.

Heimdal Security is currently monitoring the situation to determine if there is a criminal infrastructure behind this attempt at compromising endpoints. However, given the rapidly-evolving COVID-19 pandemic and the subsequent remote work exodus, this is hard to mark down as a coincidence.

At present, more than 5% of US adults (around 8 million) have taken up remote work since the beginning of the pandemic. Estimates reveal that Europe may be forced to bump the WFH percentage to 10% (around 25 million) given the current state of affairs. Online traffic has increased accordingly, with Vodafone and other ISPs reporting that the traffic has gone up by at least 50% within the last two months.

Based on the figures we have so far (both internal and those received via official channels), it’s clear that malicious actors are seeking to compromise key systems, most likely for data exfiltration. The spike in Internet traffic provides cyber-criminals with the perfect means of smuggling in malicious packages.

Work from home cybersecurity recommendations

COVID-19 took the entire world by surprise, forcing companies to either suspend all activity or move everything online. Truth be told, the existing IT infrastructure, whether we choose to view it from a company or ISP standpoint, was simply not designed to handle such loads. You may have already noticed that OTA apps we took for granted (i.e. WhatsApp for Business, Skype, Microsoft Teams) have reached the proverbial breaking point.

Still, we must not lose track of the fact that cyber-criminals are always on the lookout for vulnerabilities and will act if given the opportunity. Working from home doesn’t mean you should forget about cybersecurity hygiene. The case at hand proves that malicious actors are on the prowl, and we should take all the necessary precautions to ensure that we safeguard the company’s assets, as well as our data. Below, you will find a comprehensive list of security measures you should start using as soon as possible.
...