Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Thursday, 28 September, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Securing Your Remote Workforce

Detecting the Latest Cyberattacks in the Work-from-home (WFH) World 

by Joel
April 1, 2020
in Featured, Hacking, Malware, Phishing and Ransomware
COVID-19 MAP
Share on FacebookShare on Twitter

As mentioned in previous articles, Securonix, has devoted an entire taskforce to outlining key threats that are appearing under the guise of COVID-19 themed domain names or emails. The threat research team has been observing malicious threat actors attempting to exploit an increasing number of the associated cyberattack vectors such as: 

 

  1. Ransomware using weaponized COVID-19/coronavirus-related documents disrupting critical healthcare and other businesses’ operations; 
  2. Custom COVID-19 themed phishing attacks involving malicious documents to steal remote workforce credentials and infiltrate various organizations; 
  3. Malware using fake live coronavirus maps/tailored monitoring applications for malicious purposes, DNS hijackers changing important records; 
  4. Malicious and trojaned applications/.apks related to coronavirus exploiting remote workforce’s BYOD/Android devices; 
  5. Attacks exploiting remote access/VPN servers taking advantage of the worldwide increase in the number of remote users. 

Securonix’s Threat Research Team has been actively investigating and closely monitoring the cyberattacks and the current shift towards a remote workforce to help businesses improve the security of the remote users to increase the chances of detecting both current and future critical cyberattacks early in the changing environment. This is in order to minimise the likelihood of disruptions that will affect core business operations. 

In order to help businesses, Securonix has compiled a series of relevant details and recommendations to help enterprises manage the monitoring of a remote workforce, including some details about the cyberattacks observed and examples of threats in the wild in order to help security operations/SOC, IT operations, Insider threat teams, and Human resources.  

Most of the ransomware appearing seems to be a variant of the SNSLocker, propagated through a malicious COVID-19 situation report (sitrep) e-mail:  

COVID-19 Phishing Email

Figure 1: A fake COVID-19 Infection Phishing E-mail 

 

Once a user opens the document, this is immediately followed by the sensitive data being encrypted by the ransomware: 

 

Securonix threat research

Figure 2: Covid19/Coronavirus-themed Weaponized Excel Document Ransomware

 

We have also seen a rise in COVID-19 related credential stealing. These are often pushed through various e-mails, such as fake COVID-19 infection notification e-mail. If opened, the implant then downloads a second stage malware with multiple variants appearing within some of the logs observed shown in Figure 3. Once these have been installed on your device, they have the potential to perform malicious actions such as Stealing web browser cookies, enumerate system information and shares; Stealing cryptocurrency wallets; and Exfiltrating stolen information. 

 COVID-19 SCAM

Figure 3: Fake COVID-19 Infection Phishing E-mail – Initial weaponised doc exploit loading a malicious DLL

There are several recommended log/data sources to help security teams relevant cyberattack variants as part of remote workforce/WFH monitoring. Firstly, Securonix recommends using VPN server logs. In order to enable the proper visibility, enterprises should consider reviewing VPN policies to ensure that split-tunneling in order to achieve the highest level of visibility possible. Secondly, cloud application/Software-as-a-Service (SaaS) logs should be used by remote workforce users. Thirdly, single-sign-on (SSO) and 2FA/MFA logs should be used to limit unauthorised access. Finally, EDR/Remote workstation logs, Email gateway logs, CASB, and other logs can be used to maintain security. 

  

What are some of the priority use cases recommended?  

Some of the most important use cases recommended by Securonix include: 

  • Unusual severity event for your VPN server device; Account authentication from a rare geolocation; 
  • VPN connection from an anonymous proxy; 
  • Connection to a rare domain for a peer group followed by an executable download; 
  • Emails from typosquatted domain; 
  • Abnormal number of emails or data sent to a rare external recipient; 
  • Unusual VPN session length or data access 
  • Unusual sensitive data access increase for a user 

This abnormal time is difficult for security teams and individuals; however, this time will come to an end. In the meantime, we must all work together to ensure that the most sensitive data is protected at all times. This is an ongoing task; however, it is one that must be completed if we are to win the persistent battle against cybercriminals.  

FacebookTweetLinkedIn
Share1Tweet
Previous Post

A technical risk assessment of COVID-19

Next Post

Finalists Announced for 2020 European Cybersecurity Blogger Awards

Recent News

software security

Research reveals 80% of applications developed in EMEA contain security flaws

September 27, 2023
Cyber insurance

Half of organisations with cyber insurance implemented additional security measures to qualify for the policy or reduce its cost

September 27, 2023
Fraud and online banking

Akamai Research Finds the Number of Cyberattacks on European Financial Services More Than Doubled in 2023

September 27, 2023
ICS Reconnaissance Attacks – Introduction to Exploiting Modbus

ICS Reconnaissance Attacks – Introduction to Exploiting Modbus

September 27, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information