More stories

  • FBI warning: Trickbot and ransomware attackers plan big hit on US hospitals

    US healthcare providers, already under pressure from the COVID-19 pandemic, have been put on high alert over Trickbot malware and ransomware targeting the sector.   
    The warning over an “imminent cybercrime threat to US hospitals and healthcare providers” comes from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services. 

    The US healthcare sector is under threat from infection by Trickbot, one of the largest botnets in the world, against which Microsoft took US legal action earlier this month in an effort to gain control of its servers. Within a day of the seizure, Trickbot command-and-control servers and domains were replaced with new infrastructure. 
    CISA flagged Anchor_DNS, a backdoor created by the eastern European hackers behind the multifunctional Trickbot malware. 
    Trickbot emerged in 2016 as a banking trojan but evolved into a multi-purpose malware downloader; access to the systems it infected was sold on to other criminal groups as a service. It has since been used to distribute malware that steals credentials, email and point-of-sale data, and to spread file-encrypting ransomware such as Ryuk.
    Trickbot infected more than a million computers, according to Microsoft and its partners at Symantec, ESET, FS-ISAC, and Lumen.  
    The US agencies warned the healthcare sector about Trickbot on Wednesday following a tip-off received by security firm Hold Security, according to krebsonsecurity.com. 
    The company’s CEO Alex Holden said he saw the Ryuk ransomware group – a ruthless gang known for leaking the data of targets before encrypting their files – discussing plans to deploy the ransomware at over 400 US healthcare facilities.  
    “As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling,” CISA said in the alert. 
    DNS tunneling abuses the Domain Name System, which maps human-readable names like google.com to the numeric Internet Protocol (IP) addresses that browsers connect to.
    The Anchor_DNS backdoor makes infected PCs talk to their command-and-control servers over DNS, bypassing network defense products and hiding the malicious traffic among legitimate DNS queries.
    “Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic,” CISA notes. 
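    As an added detection example (not code from the CISA alert or from the malware), the following Python script applies the single-byte XOR key quoted above to data carried in DNS query names and looks for the Anchor_DNS marker; it also goes beyond the alert by trying all 256 possible keys, so a rotated key is still caught. The hex encoding of the data labels, the zone name and the sample queries are constructed assumptions made so the script runs offline.

```python
"""Flag DNS query names that carry single-byte-XOR-obfuscated Anchor_DNS data.

Added example, not CISA's or the malware's code. It assumes the tunneled
bytes are hex-encoded in the labels that precede the attacker's zone; that
encoding is an assumption made so the example runs offline, not a documented
Anchor_DNS format. The zone name is a placeholder.
"""
from typing import List, Optional, Tuple

MARKER = b"Anchor_DNS"   # plaintext string CISA says appears once decoded
OBSERVED_KEY = 0xB9      # single-byte XOR key quoted in the CISA alert


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)


def tunneled_bytes(qname: str, zone: str) -> bytes:
    """Join the hex-encoded data labels of a query name into raw bytes.

    Labels matching the zone are dropped; labels that are not valid hex
    (counters, session ids) are skipped instead of aborting the query.
    """
    labels = qname.rstrip(".").lower().split(".")
    zone_labels = zone.rstrip(".").lower().split(".")
    if labels[-len(zone_labels):] == zone_labels:
        labels = labels[:-len(zone_labels)]
    out = bytearray()
    for label in labels:
        try:
            out += bytes.fromhex(label)
        except ValueError:
            continue
    return bytes(out)


def find_marker_key(data: bytes) -> Optional[int]:
    """Return the XOR key under which MARKER appears in data, else None.

    The observed key is tried first, then the other 255 keys, so a rotated
    key is still detected (a generalisation of the single key CISA quotes).
    """
    for key in [OBSERVED_KEY] + [k for k in range(256) if k != OBSERVED_KEY]:
        if MARKER in xor_bytes(data, key):
            return key
    return None


def scan_queries(qnames: List[str], zone: str) -> List[Tuple[str, int]]:
    """Return (query name, key) for each query whose decoded payload holds the marker."""
    hits = []
    for q in qnames:
        key = find_marker_key(tunneled_bytes(q, zone))
        if key is not None:
            hits.append((q, key))
    return hits


# Constructed sample traffic (not captured data); the zone is a placeholder.
ZONE = "c2.example.invalid"
_beacon = xor_bytes(b"Anchor_DNS|host01|", OBSERVED_KEY)
SAMPLE_QUERIES = [
    "www.example.com.",
    _beacon[:8].hex() + "." + _beacon[8:].hex() + "." + ZONE + ".",
    "mail.example.org.",
]

if __name__ == "__main__":
    for q, key in scan_queries(SAMPLE_QUERIES, ZONE):
        print(f"suspect tunnel: {q} (xor key 0x{key:02X})")
```

    In practice the query names would come from a DNS server log or a packet capture; because XOR with a single byte is its own inverse, the same routine that detects the marker also decodes the rest of the payload for triage.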
    Security firm Mandiant today released a set of indicators of compromise that suggest an infection by Ryuk ransomware. It refers to the group as UNC1878. 
    Reuters reports that the FBI is investigating recent attacks against healthcare providers in Oregon, California and New York, with one facility reduced to paper processes for patient medical results. 
    The US government has warned hospitals to back up systems, to disconnect systems from the internet where possible, and to avoid using personal email accounts, according to Reuters.
    CISA has now listed several indicators of compromise that security teams should look for.  
    It notes that the Trickbot malware for Windows copies itself as an executable file with a 12-character, randomly generated filename (the count includes .exe), for example mfjdieks.exe, and places this file in one of the directories C:\Windows, C:\Windows\SysWOW64 or C:\Users\[Username]\AppData\Roaming.
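    An added Python hunting script (not CISA's tooling) that looks for the 12-character filename indicator described above in the three directories named. It assumes the random part is lowercase letters, as in mfjdieks.exe, and uses a small, assumed allowlist of Windows binaries whose names happen to fit the pattern, since explorer.exe and services.exe also have eight-letter names; on a real host, diffing hits against a known-clean baseline is the better filter.

```python
r"""Hunt for the Trickbot drop-file indicator CISA describes: a 12-character
executable name (eight random characters plus '.exe') in C:\Windows,
C:\Windows\SysWOW64 or the user's roaming AppData folder.

Added example, not CISA's tooling. Assumptions: the random part is lowercase
letters (as in CISA's 'mfjdieks.exe'), and a short allowlist of Windows
binaries whose names happen to fit the pattern.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from typing import List, Tuple

NAME_PATTERN = re.compile(r"^[a-z]{8}\.exe$")

# Legitimate Windows binaries that match the pattern (assumed, deliberately short).
KNOWN_GOOD = {"explorer.exe", "services.exe", "winlogon.exe", "userinit.exe"}


def default_locations() -> List[str]:
    """The three directories named in the CISA alert, resolved from the environment."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    return [windir, os.path.join(windir, "SysWOW64"), os.environ.get("APPDATA", "")]


def is_suspicious_name(name: str) -> bool:
    lowered = name.lower()
    return bool(NAME_PATTERN.match(lowered)) and lowered not in KNOWN_GOOD


def scan_directory(path: str) -> List[Tuple[str, int, str]]:
    """Return (path, size, mtime-UTC) for matching files directly inside path.

    Only the directory itself is examined (the alert names the directories,
    not their subtrees); missing directories are skipped so the scan also
    runs on a non-Windows host.
    """
    hits = []
    if not path or not os.path.isdir(path):
        return hits
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False) and is_suspicious_name(entry.name):
                st = entry.stat(follow_symlinks=False)
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
                hits.append((entry.path, st.st_size, mtime))
    return hits


def scan_all(paths: List[str]) -> List[Tuple[str, int, str]]:
    return [hit for p in paths for hit in scan_directory(p)]


def demo_in_tempdir() -> List[str]:
    """Build a constructed directory with mixed names and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ["mfjdieks.exe", "explorer.exe", "report.exe", "qzkxrtmb.exe", "notes.txt"]:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"MZ")   # constructed placeholder content, not a real PE
        return sorted(os.path.basename(h[0]) for h in scan_directory(tmp))


if __name__ == "__main__":
    for path, size, mtime in scan_all(default_locations()):
        print(f"{path}\t{size} bytes\tmodified {mtime}")
    print("demo:", demo_in_tempdir())
```

    The size and modification time are printed so an analyst can triage hits against the rest of the alert's indicators rather than treating a name match alone as confirmation.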
    The UK’s National Cyber Security Center in June warned British businesses about Ryuk ransomware attacks. 
    Ryuk operators often use commercial off-the-shelf products – such as Cobalt Strike and PowerShell Empire – to steal credentials, according to CISA.
    Earlier this month, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warned Australian organizations about Emotet malware, which is used in conjunction with Trickbot.  
    “Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot,” the ACSC wrote in its alert.

  • Microsoft: These Iranian attackers are targeting high-profile conference attendees

    Microsoft says it has thwarted a series of cyberattacks by the Iranian hacking group Phosphorus targeting attendees of two high-profile international conferences.

    Microsoft’s Threat Intelligence Information Center (MSITC) says it’s detected and intercepted attempts by the nation-state group to harvest credentials of more than 100 “high-profile individuals” thought to be attending the upcoming Munich Security Conference, as well as the Think 20 (T20) Summit in Saudi Arabia.
    According to Microsoft, the group posed as event organizers and sent spoofed invitations to the victims via email, with the intention of fooling them into giving up information.
    The emails were written in “near-perfect English” and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations, Microsoft said.
    It’s unclear whether any compromising information was handed over to the group, although Microsoft said event organizers had been made aware of the attempt and had in turn warned attendees.

    Flow of a typical Phosphorus attack in the campaign targeting conference attendees.
    Image: Microsoft
    “We believe Phosphorus is engaging in these attacks for intelligence-collection purposes. The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries,” said Microsoft.
    “We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain.”
    Microsoft has shared the indicators of compromise (IOCs) observed during these activities to help IT teams identify earlier campaigns and protect against future ones – see below.
    INDICATOR                          TYPE       DESCRIPTION
    t20saudiarabia[@]outlook.sa        Email      Masquerading as the organizer of the Think 20 (T20) conference
    t20saudiarabia[@]hotmail.com       Email      Masquerading as the organizer of the Think 20 (T20) conference
    t20saudiarabia[@]gmail.com         Email      Masquerading as the organizer of the Think 20 (T20) conference
    munichconference[@]outlook.com     Email      Masquerading as the organizer of the Munich Security Conference
    munichconference[@]outlook.de      Email      Masquerading as the organizer of the Munich Security Conference
    munichconference1962[@]gmail.com   Email      Masquerading as the organizer of the Munich Security Conference
    de-ma[.]online                     Domain     Domain used for credential harvesting
    g20saudi.000webhostapp[.]com       Subdomain  Subdomain used for credential harvesting
    ksat20.000webhostapp[.]com         Subdomain  Subdomain used for credential harvesting
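    An added Python triage helper, not Microsoft's tooling, that applies the two checks Microsoft recommends above (does the sender address look legitimate, do embedded links go to the official conference domain) and additionally matches the sender and link hosts against the indicators in the table. The official domain and the two sample messages are constructed placeholders; the indicator values are the ones Microsoft published, re-fanged for matching.

```python
"""Triage a conference-invitation email with the two checks Microsoft
recommends (sender address, link destinations) and its published IOCs.

Added example, not Microsoft's tooling. The official domain
'securityconference.example' and both sample messages are constructed
placeholders; the indicator values are the ones from Microsoft's table,
re-fanged for matching.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Set
from urllib.parse import urlparse


def refang(ioc: str) -> str:
    """Turn the defanged form used in the table ('[@]', '[.]') back into a real value."""
    return ioc.replace("[@]", "@").replace("[.]", ".")


IOC_SENDERS: Set[str] = {refang(s) for s in [
    "t20saudiarabia[@]outlook.sa", "t20saudiarabia[@]hotmail.com",
    "t20saudiarabia[@]gmail.com", "munichconference[@]outlook.com",
    "munichconference[@]outlook.de", "munichconference1962[@]gmail.com",
]}
IOC_HOSTS: Set[str] = {refang(h) for h in [
    "de-ma[.]online", "g20saudi.000webhostapp[.]com", "ksat20.000webhostapp[.]com",
]}
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def sender_address(msg: Message) -> str:
    """Address part of From:, lower-cased; the display name is ignored on purpose."""
    return parseaddr(msg.get("From", ""))[1].lower()


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_hosts(text: str) -> Set[str]:
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def in_domain(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain, not for look-alikes."""
    return host == domain or host.endswith("." + domain)


def triage(raw_email: str, official_domain: str) -> Dict[str, object]:
    msg = message_from_string(raw_email)
    sender = sender_address(msg)
    sender_domain = sender.rsplit("@", 1)[-1]
    hosts = link_hosts(body_text(msg))
    findings: List[str] = []
    if sender in IOC_SENDERS:
        findings.append(f"sender {sender} matches a published IOC")
    elif not in_domain(sender_domain, official_domain):
        findings.append(f"sender domain {sender_domain} is not {official_domain}")
    for host in sorted(hosts):
        if host in IOC_HOSTS:
            findings.append(f"link host {host} matches a published IOC")
        elif not in_domain(host, official_domain):
            findings.append(f"link host {host} is outside {official_domain}")
    return {"sender": sender, "link_hosts": sorted(hosts),
            "findings": findings, "suspicious": bool(findings)}


OFFICIAL_DOMAIN = "securityconference.example"   # placeholder, not a real conference domain

# Constructed sample messages (not real captured mail).
PHISH_SAMPLE = """\
From: Conference Team <munichconference@outlook.com>
To: delegate@example.org
Subject: Your invitation
Content-Type: text/html; charset=utf-8

<p>Please confirm at <a href="https://de-ma.online/confirm?id=1">this link</a>.</p>
"""
CLEAN_SAMPLE = """\
From: Conference Team <invitations@securityconference.example>
To: delegate@example.org
Subject: Your invitation
Content-Type: text/plain; charset=utf-8

Agenda: https://www.securityconference.example/agenda
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(sample, OFFICIAL_DOMAIN))
```

    The domain check deliberately compares the registered domain and its subdomains only, so a look-alike such as an official name followed by an extra label is reported rather than accepted.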
    Basic IT security measures, like turning on multi-factor authentication and tightening email-forwarding rules, can help mitigate the dangers of phishing attacks and other such data-harvesting attacks.
    As Microsoft noted in its recent Digital Defense Report, nation-state groups frequently target think tanks, policy groups and other governmental and non-governmental organizations deemed to hold valuable information.
    While the activity doesn’t seem to be tied to the upcoming 2020 US presidential election, it wouldn’t be the first time Phosphorus has attempted to interfere with the race to the White House.
    Microsoft first detected attempts to hack members of the 2020 US presidential campaigns back in October 2019. More recently, the software giant uncovered a series of attempts by Chinese, Iranian and Russian state-sponsored groups to breach email accounts belonging to people associated with the Biden and Trump election campaigns.
    “Based on current analysis, we do not believe this activity is tied to the US elections in any way,” Microsoft said.

  • PJCIS stops short of recommending warrants to access metadata as scheme is tightened

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) handed down its report [PDF] on Australia’s metadata retention scheme on Wednesday, issuing 22 recommendations that tighten access to data without introducing any large overhaul, such as requiring a warrant.
    In broad terms, the committee recommends raising access thresholds rather than moving to a warrant regime, boosting the security and transparency of data held by telcos and passed to authorised agencies, and leaving the period for which Australian telcos must retain customer data at two years.
    “The committee is not satisfied that a warrant should be required for data held as part of the [mandatory data retention regime]. However, the committee considers that access should require a higher level of authorisation within each agency as well as more detailed reporting in relation to how, when, and for what reason that access is granted,” the report said.
    “It is the committee’s view that there is a need for more information to be collated about the current functioning of the mandatory data retention regime. This would assist all relevant oversight and review bodies in undertaking their work as well as affording a higher degree of transparency which the committee believes will give the Parliament and the Australian community greater trust in the use of these powers.”
    One area the committee recommended exempting is Internet of Things devices, which are set to be specifically excluded from the scheme.
    “If the government considers that there are clear benefits in requiring service providers to keep information for particular Internet of Things devices, and that those benefits outweigh the costs, the Telecommunication (Interception and Access) Act 1979 could be further amended to impose clear and specific requirements on providers to retain that information,” the report said.
    The committee said it was “disconcerting” that there were thousands of authorised officers around the country that could approve access to retained data, and instead put forward reducing it only to officers in a “supervisory role in the functional command chain” as well as individuals with a specific appointment.
    “The indiscriminate authorisation of entire classes/ranks of officers as ‘authorised officers’ is, in the committee’s view, inappropriate,” it said.
    The committee also recommended cutting out the loopholes that have allowed agencies that are not deemed as enforcement agencies to use other powers in order to gain access to metadata. The Attorney-General’s Department was previously advising agencies to skirt the restrictions on metadata access.
    “The committee has considerable concern around the use of section 313(3) and 280(1)(b) of the Telecommunications Act to allow for access to metadata,” the report said.
    With 87 agencies found to be skirting the restrictions, the committee asked those agencies to tell it why they should be able to continue to do so.
    “There were very few submitters that took this opportunity up. Those that did were unable to convince the committee of the need for this broad access to telecommunications data,” the report said.
    “The committee is concerned to build on and retain confidence in the data retention regime and concludes that the number and type of agencies that can access a person’s telecommunications data via section 280 (1) (b) of the Telecommunications Act may undermine the social licence for ASIO and law enforcement agencies to access the information.”
    Home Affairs was also called out for failing to assist the committee in finding a way to amend this particular section to remove the loophole.
    In seeking to tighten access, the committee recommended the binning of provisions that allow an officer to “authorise the disclosure of historic telecommunications data if he or she is satisfied that the disclosure is reasonably necessary to find a missing person, or for the enforcement of the criminal law or any law imposing a pecuniary penalty (including, for example, a parking infringement)”. Instead, it wants access kept to voluntary disclosure, locating a missing person, or the investigation of a serious offence or an offence with a penalty of at least three years’ imprisonment.
    The committee said the definition of serious offence could be found in the Telecommunications Interception Act, and that access for “pecuniary penalties or protection of the public revenue” be repealed.
    “Access to existing information and documents granted for ‘enforcement of the criminal law’ (section 178) is drafted broadly and is subject to no limitations,” the report stated.
    Despite concerns that retained location data is extremely private, the committee did not recommend against retaining it. Similarly, the committee said there are no “specific concerns” over agencies receiving URLs from telcos, but it did recommend an amendment covering cases where an agency receives such data and does not use it: the agency would inform oversight agencies and destroy the data with their approval.
    On the issue of oversight, PJCIS said it was difficult due to a lack of data about the operation of the scheme, and said it would be better if the Department of Home Affairs could create a report from each agency with access.
    “This could be achieved by each agency adhering to an agreed format and method of recording prescribed information, which could be provided to Home Affairs, an oversight agency or a parliamentary committee on request for aggregation into a report,” the report said before the committee went meta and put forward the idea of a database to help oversee the scheme.
    “If it were deemed to be more cost effective, a national database created and managed by Home Affairs could also be an option albeit this would require consideration regarding privacy, security and rules for access. Ideally, data entered as part of the request for authorisation could be recorded in the agreed fields to reduce duplication of effort,” the report said.
    Similarly, the report also recommended telcos keep “detailed records of the kinds of information included in each disclosure”, which it also said would go some way to alleviating concerns over browsing histories being passed across by telcos.
    The report also called for Home Affairs to develop national guidelines on how the regime would operate within 18 months; for agencies to keep received metadata long enough for oversight by either the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman to be performed before it is deleted when no longer needed; and for state criminal law-enforcement agencies to be required to notify of any data breach involving received metadata.
    It was also recommended that Home Affairs clearly define “content or substance of a communication”.
    “In defining the term ‘content or substance of a communication’, Home Affairs should specifically consider whether some information that is currently treated as telecommunications data should now be regarded as content given what that information can reveal about an individual,” it said.
    The committee also called for the explicit requirement that metadata is stored on servers within Australia, whereas currently, it could be stored anywhere in the world — as well as requiring agencies and carriers to meet minimum security standards.
    In additional comments from the Labor party, opposition members laid out the case for warrants to be introduced from an independent issuing authority.
    “Labor members are concerned that the power to access telecommunications data without a warrant may be used — and is, in fact, currently being used — to access the telecommunications data of individuals who are not themselves suspected of any wrongdoing.”
    Enforcement agencies should not be able to access the metadata of people who are not suspects unless the person consents, consent cannot be obtained because the person has been injured or killed, or seeking consent could compromise an investigation, the Labor members said.
    If an enforcement agency thinks an innocent person’s metadata could assist an investigation and they do not provide consent, at that point, the agency would need a warrant.
    “Labor members note that significant intrusions into privacy by law enforcement agencies, such as a search of a person’s home, opening a person’s mail, installing a listening device or obtaining a saliva sample, generally require agencies to obtain a person’s consent or a warrant from an independent issuing authority,” the additional comments from Labor said.
    “Given that context, we consider our proposal to be both modest and sensible.”
    PJCIS recommended that the committee conduct another review of the scheme by June 2025.

  • APT groups aren't all from Russia, China, and North Korea

    Advanced persistent threat (APT) hacker groups are often assumed to be state-supported organisations such as China’s APT10 aka Stone Panda, Russia’s APT28 aka Fancy Bear, or Vietnam’s APT32 aka Ocean Lotus.
    However, these and other groups are often identified and named by cyber intelligence firms with strong links to their own national governments – FireEye and CrowdStrike in the US, to name just two.
    Sometimes naming and shaming nation-states for their hacking is part of a deliberate diplomatic strategy.
    But authoritarian regimes don’t generally admit weaknesses, and those attacking those regimes might not want to admit to being just as aggressive — though with different aims.

  • FireEye Q3 results beat expectations, raises year view, shares jump 6%

    Shares of cloud-based security provider FireEye are up over 6% in late trading after the company this afternoon reported Q3 revenue and profit that topped analysts’ expectations and forecast revenue for the current quarter above expectations as well.

    FireEye’s CEO, Kevin Mandia, said the company’s results showed how much progress the company has made “transforming our business.”
    Revenue in the three months ended in September rose almost 6%, year over year, to $238.6 million, yielding EPS of 11 cents. Analysts had been modeling, on average, $228 million and 7 cents per share. 
    For the current quarter, the company sees revenue in a range of $237 million to $241 million and EPS in a range of 9 cents to 11 cents. That is, again, higher than consensus on the revenue line, at $237 million, and in line with profit consensus of 10 cents per share.
    With the forecast, the company’s full-year outlook for 2020 now stands at $930 million to $934 million, up from a forecast offered in July of $905 million to $925 million.
    The company said its annualized recurring revenue reached an all-time high of $612 million, up 6%, year over year. 
    Said Mandia, “We released our cloud-native Mandiant Advantage platform in October, making our intelligence and expertise easily accessible and actionable to any security organization, regardless of the security controls they deploy.” The company “also announced a collaboration with Microsoft to provide cybersecurity services based on Microsoft security products,” Mandia added.
    “Both announcements reflect the technology-agnostic approach of Mandiant Solutions and allow us to expand our addressable market beyond the installed base of current FireEye customers.”
    FireEye, founded sixteen years ago in the Silicon Valley town of Milpitas, California, began by offering an appliance product to detect Web site threats, running inside of a virtual machine. 
    The company expanded into its current form with the 2013 acquisition of privately held Mandiant, an incident response and forensics firm founded by Mandia.
    FireEye stock rose almost 6% in late trading, to $14.90. 


  • Zero Trust adoption gains traction in Asia Pacific, not a minute too soon

    While Zero Trust (ZT) security is mainstream in the US and Europe, it has only just begun gaining momentum in the Asia Pacific (APAC). Why now? The global pandemic has accelerated cloud migration and remote work at the same time that firms are grappling with rapidly changing regulations and mounting consumer pressure for improved data privacy. This combination of trends has pushed APAC leaders to take a fresh approach to security and accelerate ZT adoption. Now is the time to embrace ZT and learn lessons from global peers and others who have been on the journey. To that end, I collaborated with my colleague Chase Cunningham (who leads our ZT research globally) to align the local and global experiences on this very important topic.  

    ZT Adoption Has Begun Accelerating In APAC 
    Zero Trust is an architectural model that combines microperimeters and microsegmentation with other critical capabilities to more intelligently and strategically upscale an organization’s security posture. It increases data security through obfuscation, limits the risks associated with excessive user privileges, and uses analytics and automation to dramatically improve security detection and response. Forrester created ZT in 2009, and it has since become a dominant security model. In August 2020, the US National Institute of Standards and Technology released its standard for ZT architecture; the US federal government, including the Department of Defense, uses ZT as a key piece of its long-term security strategy. 
    Firms and public sector entities across APAC are now exploring the benefits of ZT as their security architecture of choice: 
    Firms in APAC are adopting ZT in a piecemeal fashion, without necessarily naming it. Chase and I interviewed dozens of CISOs around the region who are doing elements of the framework such as identity and access management and microsegmentation. Many acknowledged the guiding principles of ZT, such as, “never trust, always verify.” But full adoption and naming are still rare — not everyone is ready to take the plunge yet and embrace something different. 
    CISOs in APAC see the business benefits, and vendors are coming to market to help with architectures. Thirty-seven percent of C-level security decision-makers in APAC view the complexity of their environment as a key challenge. ZT helps firms rationalize security investments and reduce complexity. CISOs are also increasingly leveraging the framework to align stakeholders on common principles and improve collaboration. And while the vendor community is often accused of overhyping, in this case, many are driving improved awareness and understanding of ZT benefits. 
    But Regional Issues Impact Adoption 
    CISOs in the region are at wildly different stages of adoption, ranging from “we are learning” to “ZT is a strategic priority, and we are implementing.” This disparity makes it difficult to set standard, region-wide adoption priorities, agree on a common lexicon, and share lessons learned. Some of the challenges CISOs in APAC have raised include: 
    Relatively small security functions, with minimal influence within organizations. Twenty-nine percent of C-level security decision-makers in APAC say they struggle with visibility and influence, compared with only 13% in North America. Nineteen percent also cite a lack of security staff as a major challenge. Hence, even if APAC CISOs have the bandwidth to manage large-scale implementations, they’re likely to struggle to get the support and budget needed to deliver.
    The “zero” in Zero Trust is jarring for many cultures that are founded on trust. The nomenclature was repeatedly raised to us as an obstacle for adoption since trust plays a significant role in many APAC cultures. Don’t balk at the nomenclature. Acknowledge the many valid concerns your organization and stakeholders have, but work to overcome them through education. Explain to them how Zero Trust actually builds customer trust in your organization by enhancing security. Create engaging ZT content and stay away from overly manufactured security presentations and tech-speak. Focus on impact and likelihood rather than fear, uncertainty, and doubt. Use techniques like gamification to communicate your message, and use messages such as “Trust Starts with Zero Trust.” 
    Embrace Zero Trust And Address Your Own And Your Stakeholders’ Concerns 
    Implementing ZT in the Asia Pacific requires more upfront planning than it does in other regions that began adopting it earlier and have many more pioneers to learn from. While no government in our region has yet adopted ZT as its cybersecurity agency’s framework, some, such as the Australian government’s Essential Eight, map to elements of the framework. So, start developing your ZT roadmap by assessing the maturity of your current ZT state, documenting where you can reuse existing capabilities, and setting goals for your future state. One of the things I’ve personally learned through this journey is that many organizations already possess key capabilities required for Zero Trust. It’s not as overwhelming as it sounds. And it’s time to act. 
    Forrester predicts that in 2021, at least one government in the Asia Pacific will embrace a Zero Trust cybersecurity framework. For more APAC predictions, download our 2021 Predictions Guide. 
    This post was written by Principal Analyst Jinan Budge, and it originally appeared here.

  • Zoom rolls out encryption for all desktop and mobile users

    Zoom, the big winner from remote working during the COVID-19 pandemic, is rolling out end-to-end encryption for all video meetings on mobile and desktop devices after criticism that it used “substandard” encryption.
    On Tuesday, Zoom announced that end-to-end encryption (E2EE) is immediately available for users on Windows, macOS, and Android. The iOS version of the Zoom app is still awaiting approval from Apple’s App Store review. It’s being rolled out as a “technical preview” for 30 days, during which time Zoom aims to gather customer feedback about their experience with E2EE.


    The company flagged its plans to roll out its E2EE capabilities last week. The desktop version with E2EE support is 5.4.0.
    Zoom generates individual encryption keys that are used to encrypt voice and video calls between conference participants. The keys are stored on users’ devices and are not shared with Zoom servers, meaning the company can’t access or intercept the content of meetings.
    Zoom’s E2EE uses 256-bit AES encryption in Galois/Counter Mode (GCM) to protect online meetings, the company said in a statement. 
    “This has been a highly requested feature from our customers, and we’re excited to make this a reality,” said Zoom CISO Jason Lee. 
    “Kudos to our encryption team who joined us from Keybase in May and developed this impressive security feature within just six months.”
    Zoom nabbed Lee in June from his senior cybersecurity role at Salesforce, where he oversaw IT infrastructure, incident response, threat intel, identity and access management, and offensive security. Prior to that he worked at Microsoft as principal director of security engineering for the Windows and Devices division.
    The company acquired encryption firm Keybase in May after it was criticized for claiming it used AES-256 encryption to secure video calls when it was actually using what security researchers labelled a “substandard” AES-128 key in Electronic Codebook (ECB) mode.
    “In typical meetings, Zoom’s cloud meeting server generates encryption keys for every meeting and distributes them to meeting participants using Zoom clients as they join. With Zoom’s new E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants,” Zoom explained. 
    “Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents. Encrypted data relayed through Zoom’s servers is indecipherable by Zoom, since Zoom’s servers do not have the necessary decryption key.”
    Zoom notes that enterprise account admins can enable E2EE in the web interface at the account, group, and user level. Additionally, once E2EE is enabled, the host can turn E2EE on or off for any given meeting.
    However, phase one of Zoom’s roll-out lacks support for E2EE in a browser. Meeting participants need to join from the Zoom desktop client, mobile app, or Zoom Rooms for E2EE-enabled meetings, according to Zoom. 


  • Ransomware vs WFH: How remote working is making cyberattacks easier to pull off

    The unique conditions of 2020 mean businesses are more reliant on being digitally connected than ever before. Cyber criminals know this, which is why ransomware attacks have become even more pervasive – and effective – during the course of this year.
    Hackers are breaking into networks of organisations ranging from tech companies to local governments and almost every other sector; encrypting servers, services and files with ransomware before demanding a bitcoin ransom that can be measured in hundreds of thousands or even millions of dollars.


    Part of the reason for the upswing in successful ransomware attacks is the huge growth of remote working as a result of the pandemic.
    While employees and their PCs were once safely behind the office firewall, now they’re perched at makeshift workstations in their kitchens or bedrooms, using all manner of cobbled-together technologies to get the job done.
    “You have a much bigger attack surface; not necessarily because you have more employees, but because they’re all in different locations, operating from different networks, not working with the organisation’s perimeter network on multiple types of devices. The complexity of the attack surface grows dramatically,” says Shimon Oren, VP of research and deep learning at security company Deep Instinct.
    For many employees, the pandemic could have been the first time that they’ve ever worked remotely. And being isolated from the corporate environment – a place where they might see or hear warnings about cybersecurity and staying safe online on a daily basis, and where they can directly ask for advice in person – makes it harder to make good decisions about security.
    “That background noise of security is kind of gone and that makes it a lot harder and security teams have to do a lot more on messaging now. People working at home are more insular, they can’t lean over and ask ‘did you get a weird link?’ – you don’t have anyone to do that with, and you’re making choices yourself,” says Sherrod DeGrippo, senior director of threat research at Proofpoint.
    “And the threat actors know it and love it. We’ve created a better environment for them,” she adds.
    Remote working means a lot more of our daily workplace activity is being done over email and that’s providing hackers with a smoother pathway for infiltrating networks in the first place via phishing attacks.
    It’s not hard for crooks to customise a phishing email to target employees of a particular organisation and direct them to a fake login page that asks for their Microsoft Office 365 username and password, providing the attackers with an initial foothold in the network.
    “We’re now working from behind residential internet infrastructure whereas before we were behind enterprise-grade infrastructure. Now we’re behind a cable modem that’s not only intended for residential use, but also you’ve got your kids on the same network, people streaming TV,” DeGrippo explains. “It’s a change and a mix from better secured and controlled environments to chaos with no control.”
    Another WFH security issue: for some people, their work laptop might be their only computer, which means they’re using it for personal activities too, like shopping, social media or watching shows. That means cyber criminals can launch phishing attacks against personal email addresses which, if opened on the right device, can provide access to a corporate network.
    “In the past, if a threat actor wanted to compromise a corporate asset, they’d typically have to email people on their corporate email accounts. But now they can either target corporate emails or personal accounts – and there are going to be less controls on personal accounts,” says Charles Carmakal, SVP and CTO at security company FireEye Mandiant.
    He said he had seen a number of attacks that started because somebody opened up an email from their personal account on their corporate computer. “The frequency of seeing the personal email address as an attack target feels a little bit higher than it has been,” he says.
    “If an attacker is able to phish you and get a backdoor installed on your computer, it may not be connected to your company all day every day but you will connect at some point,” Carmakal explained.
    Once an attacker has successfully compromised a home user, they’ll wait for the user to be connected to the corporate VPN and take it from there like they would if they’d connected to a machine inside the walls of an office.
    The attacker will attempt to move laterally around the network, gain access to additional credentials and escalate privileges – preferably by gaining administrator level rights – to be able to deploy ransomware as far and wide across the network as possible.
    And with employees spread out by remote working – and in many cases working irregular hours to fit work around home responsibilities – it can be harder for information security teams to separate an intruder’s activity on the network from the legitimately unusual behaviour of remote staff. That’s especially the case if the team had no experience of defending remote workers before this year.
    “They can go undetected because it’s not a situation that organisations have prepared for in terms of their security posture,” says Oren. “So it becomes harder for the defenders and on the other hand there’s much more opportunity and more touch points for the attackers.”
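    The detection problem described above, that irregular remote-working hours blur the line between a night-owl employee and an intruder riding a compromised VPN account, is easier to reason about with a worked example. The following is an added illustration, not code from the article or from any of the companies quoted in it. The log events, user names, hosts, countries and thresholds are all constructed; a real deployment would read VPN gateway and Windows logon events instead. The idea is to build a per-user baseline (usual countries, usual hours, hosts normally authenticated to) from earlier days, then flag only deviations that compound: a new country, an hour far outside the user's own pattern, and an account suddenly authenticating to many hosts it never touched before, which is what the lateral movement stage looks like from the log side.

```python
"""Per-user baseline anomaly scoring over constructed VPN/auth events.

Added example for illustration only; not from the article or any vendor.
All events, names, hosts and thresholds below are made up.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events: (timestamp, user, source country, destination host, kind)
# kind "vpn"  = login to the VPN gateway from the internet
# kind "auth" = authentication from the VPN session to an internal host
EVENTS = [
    ("2020-10-26 09:02", "alice", "GB", "vpn-gw", "vpn"),
    ("2020-10-26 09:05", "alice", "GB", "fs01", "auth"),
    ("2020-10-27 08:58", "alice", "GB", "vpn-gw", "vpn"),
    ("2020-10-27 09:10", "alice", "GB", "fs01", "auth"),
    ("2020-10-28 09:01", "alice", "GB", "vpn-gw", "vpn"),
    ("2020-10-28 09:03", "alice", "GB", "fs01", "auth"),
    # constructed "bad day": odd hour, new country, then fan-out across hosts
    ("2020-10-29 03:17", "alice", "RU", "vpn-gw", "vpn"),
    ("2020-10-29 03:19", "alice", "RU", "fs01", "auth"),
    ("2020-10-29 03:20", "alice", "RU", "dc01", "auth"),
    ("2020-10-29 03:21", "alice", "RU", "ws-045", "auth"),
    ("2020-10-29 03:21", "alice", "RU", "ws-046", "auth"),
    ("2020-10-29 03:22", "alice", "RU", "sql01", "auth"),
    ("2020-10-29 03:22", "alice", "RU", "bkp01", "auth"),
    # bob legitimately works late; late logins alone must not fire
    ("2020-10-26 22:40", "bob", "GB", "vpn-gw", "vpn"),
    ("2020-10-27 23:05", "bob", "GB", "vpn-gw", "vpn"),
    ("2020-10-29 22:55", "bob", "GB", "vpn-gw", "vpn"),
    ("2020-10-29 23:00", "bob", "GB", "fs01", "auth"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def build_baseline(events, before_day):
    """Per-user profile built from events strictly before `before_day` (YYYY-MM-DD)."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "hosts": set()})
    for ts, user, country, host, kind in events:
        if ts[:10] >= before_day:
            continue
        prof = base[user]
        prof["countries"].add(country)
        prof["hours"].add(parse_ts(ts).hour)
        if kind == "auth":
            prof["hosts"].add(host)
    return base


def hour_is_usual(hour, usual_hours, tolerance=2):
    """True if `hour` is within `tolerance` hours of any baseline hour (wrapping midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in usual_hours)


def score_day(events, baseline, day, fan_out_threshold=3):
    """Return {user: [finding, ...]} for the given day, judged against each user's own baseline."""
    findings = defaultdict(list)
    new_hosts = defaultdict(set)
    for ts, user, country, host, kind in events:
        if ts[:10] != day:
            continue
        prof = baseline.get(user)
        if prof is None:
            findings[user].append("no_baseline")
            continue
        if kind == "vpn":
            hour = parse_ts(ts).hour
            if country not in prof["countries"]:
                findings[user].append(f"new_country:{country}")
            if not hour_is_usual(hour, prof["hours"]):
                findings[user].append(f"unusual_hour:{hour:02d}")
        elif kind == "auth" and host not in prof["hosts"]:
            new_hosts[user].add(host)
    # One new host is normal; an account touching several never-before-seen
    # hosts in a day is the log-side shape of lateral movement.
    for user, hosts in new_hosts.items():
        if len(hosts) >= fan_out_threshold:
            findings[user].append(f"lateral_fan_out:{len(hosts)}")
    result = {user: [] for user in baseline}
    result.update(findings)
    return result


if __name__ == "__main__":
    baseline = build_baseline(EVENTS, "2020-10-29")
    for user, flags in score_day(EVENTS, baseline, "2020-10-29").items():
        print(user, flags or "clean")
```

The baseline is per user rather than per organisation, which is the point: bob's 23:00 logins are normal for bob and produce nothing, while the same hour for alice does. Real detections should also age the baseline, require more than three days of history, and treat the fan-out signal as the strongest of the three, since a single new country can be a holiday but an account enumerating the domain controller, backup server and several workstations in five minutes rarely is.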

    While the rise in remote working has provided cyber criminals with a potential new route into compromising networks with ransomware, it is still possible for an organisation to move to remote work while also keeping its staff and servers protected from a cyberattack.
    SEE: Network security policy (TechRepublic Premium)
    Some of this comes from the human level, by training and engaging with staff, even while they’re WFH, so they know what to look for in a phishing email or other suspicious online activity. But it’s probably impossible – and unfair – to expect employees to carry the weight of defending the organisation from cyberattacks.
    “A technical defence followed by a really well educated user base, who know what to do if they encounter something, if they seem unsafe, is the best way to go for most organisations,” says DeGrippo.
    One of the reasons ransomware has become so successful is that many organisations don’t have offline backups of their data. Regularly backing up the network provides a fail-safe against ransomware attacks because it allows the network to be restored with relative ease without lining the pockets of cyber criminals. The backups do need to be genuinely offline or otherwise unreachable with ordinary network credentials: intruders routinely look for and encrypt or delete backup servers before triggering the ransomware, and a restore that has never been tested is not a plan.
    Multi-factor authentication is a must when it comes to helping to protect the network from cyberattacks, so that if a user does fall victim to a phishing attack and gives away their password by accident – or if attackers simply manage to guess a weak password on an internet-facing service such as a VPN gateway or remote desktop – a second factor prevents them from easily turning that compromise into a gateway to the rest of the network.
    If possible, it’s also useful to segment the network so that it isn’t flat throughout the entire organisation. Done carefully this has little impact on day-to-day business, but it goes a long way to making it harder for cyber criminals to move around if they get in. In the worst case, that means a successful ransomware attack can be restricted to a small part of the network.
    “If you minimize the ability to move laterally across the network by instigating network segmentation it’ll slow down the spread of ransomware,” said Carmakal. “This is all security basics, but we find a lot of companies still struggle with the basics.”
    Regularly applying security patches can also prevent ransomware attacks from being effective as it means they’re unable to take advantage of known vulnerabilities to spread around networks.
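    The claim above that segmentation limits how far ransomware can spread, and the earlier point that backups reachable over the network are fair game, can be made concrete with a small model. What follows is an added illustration and not code from the article, Mandiant or any other party quoted; the host inventory, segment names and firewall rules are invented. It models a ransomware worm that spreads over SMB (TCP 445) from one compromised workstation, and computes the set of hosts it can reach under a flat policy, a default-deny segmented policy, and a segmented policy with one careless rule that lets servers initiate connections to the backup segment. Real enforcement would live in the firewall, VLAN and host-firewall configuration; the model only shows what those rules buy you.

```python
"""Blast radius of an SMB-propagating ransomware under different segmentation policies.

Added example for illustration only; not from the article or any vendor.
Hosts, segments and rules are constructed.
"""
from collections import deque

# Constructed inventory: host -> network segment
HOSTS = {
    "ws-001": "workstations", "ws-002": "workstations", "ws-003": "workstations",
    "fs01": "servers", "sql01": "servers", "dc01": "servers",
    "bkp01": "backup",
    "plc-01": "ot",
}
SMB = 445

# Policy = default action plus allow rules (src_segment, dst_segment, port);
# port None means any port. Same-segment traffic follows the same rules.
FLAT_POLICY = {"default": "allow", "rules": []}

SEGMENTED_POLICY = {
    "default": "deny",
    "rules": [
        ("workstations", "servers", SMB),  # users need the file shares
        ("servers", "servers", SMB),       # servers talk among themselves
        ("backup", "servers", SMB),        # backup server pulls from servers; not the reverse
    ],
}

# Same as above plus one tempting "convenience" rule: servers may push to backup.
BACKUP_EXPOSED_POLICY = {
    "default": "deny",
    "rules": SEGMENTED_POLICY["rules"] + [("servers", "backup", SMB)],
}


def allowed(policy, src_seg, dst_seg, port):
    """First matching allow rule wins; otherwise the policy default applies."""
    for rule_src, rule_dst, rule_port in policy["rules"]:
        if rule_src == src_seg and rule_dst == dst_seg and rule_port in (None, port):
            return True
    return policy["default"] == "allow"


def blast_radius(policy, start, port=SMB):
    """Hosts a worm starting at `start` can infect by connecting on `port` to every other host."""
    infected = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, dst_seg in HOSTS.items():
            if dst in infected:
                continue
            if allowed(policy, HOSTS[src], dst_seg, port):
                infected.add(dst)
                queue.append(dst)
    return sorted(infected)


def untouched(policy, start, port=SMB):
    """Hosts the worm never reaches; the complement of blast_radius."""
    hit = set(blast_radius(policy, start, port))
    return sorted(h for h in HOSTS if h not in hit)


if __name__ == "__main__":
    for name, policy in [("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY),
                         ("backup exposed", BACKUP_EXPOSED_POLICY)]:
        print(f"{name:15} hit: {blast_radius(policy, 'ws-001')}")
```

On the flat network one phished laptop reaches all eight hosts, including the backup server and the OT controller. Under the default-deny policy the same laptop reaches the three servers and nothing else: the other workstations, the backup and the OT segment stay clean, and the servers-to-backup direction being denied is what keeps the restore path intact. The third policy shows how one extra rule quietly puts bkp01 back inside the blast radius, which is the kind of drift the "security basics" remark is about.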
    However, while ransomware remains a large problem for organisations, with cyber attackers getting more ingenious with their schemes and demanding higher ransoms, the battle isn’t lost.
    Other kinds of cyberattacks – that have previously been the flavour of the month for cyber criminals – have successfully been countered, so it isn’t impossible that ransomware could go the same way if organisations – be they on premises, remote, or a mixture of the two – follow the correct security protocols.
    SEE: Ransomware: 11 steps you should take to protect against disaster
    “I don’t think that it’s all bleak; we’ve seen a significant reduction in software vulnerabilities over the past two or three years. Browser vulnerabilities are almost non-existent and much of that resulted in the reduction of the exploit kit landscape – exploit kits today are quite rare,” says DeGrippo.
    “Continuing to fight this fight could go the same way. If we continue to work on the problem, eventually it won’t be as lucrative,” she adds.
    The reason ransomware remains lucrative is because victims pay the ransom, opting to do so because they perceive it as the best way to restore the network. But paying the ransom means attacks will just continue.
    “Never ever recommend paying the ransom. I understand the considerations behind doing it, but I’d never say it should be done because it’s very obvious that it perpetuates that kind of attack,” says Oren.
