The Unique Cyber Risks and Challenges of the Remote Workforce

January 13, 2021
Harrison Grant, Political Science B.A., The University of North Carolina at Chapel Hill

The COVID-19 Pandemic has forced people all across the world to adapt to a new idea of normal. Since January of this year, schools and universities have adopted online courses, and entire nations have enacted travel restrictions to slow the spread of the virus. Chief among these changes, though, has been the labor force’s transition from working in an office to working from home. The remote work orders came with shocking abruptness, disrupting people’s routines and leaving them scrambling to create new ones. Amidst that scramble, and the push to maintain productivity under the circumstances that COVID-19 forced, new cyber threats began to emerge: threats that are tailored to prey on those working from home, and the ways in which they do so. In short, working from home has created the opportunity for threat actors to subject employees and corporations alike to new levels of online risk.

Working from home has tasked IT teams with creating solutions for a collection of unique challenges. Those challenges break down into two distinct categories: challenges with devices, and challenges with networks. In the past, corporations would provide and manage the devices that their employees worked on in the office, which allowed them both to monitor data flows to and from those devices and to preconfigure those devices with security protocols. Likewise, those devices were able to connect to the internet via the corporation’s VPN. A VPN allows a user to use the internet undetected and prevents their digital fingerprint from being traceable. With people working from home, neither of these conditions is being met.

In large part, the work-from-home population is using personal devices to perform job duties. Two different surveys, one conducted by McAfee and the other by Crowdstrike, presented evidence detailing how often people are using personal devices. McAfee estimates that usage of unmanaged devices has doubled in Q4 of 2019, and 60% of Crowdstrike’s survey respondents reported using them as well. Those devices are not secured by the corporation, which both exposes them to attacks that normal security protocols would stop and prevents corporations from tracing stolen data.

In addition, the networks that many employees are using to access corporate platforms are unsecured. Some of those working from home are not routing their connections through their corporation’s VPN, which results in their online presence being detectable. For those employees who do not have VPNs at home, there is an increased risk of targeted malware delivery. In that sense, threat actors present a direct risk to employees who are working from home, but they also threaten the corporations.

Since the work from home orders in early 2020, there have been dramatic increases in the usage of two distinct mechanisms through which the labor force has been able to work from home. One of those mechanisms is collaborative cloud services, which includes such platforms as Zoom, Cisco Webex, and Microsoft Teams. McAfee estimates that the overall increase in cloud service usage across businesses has been close to 50%. Since January, McAfee estimates that Zoom usage has increased 300%, that Teams usage has increased 350%, and that Webex usage has increased 600%. Broken down by industry, McAfee’s data demonstrate that manufacturing and education are leading the charge in terms of service usage, with 144% and 114% increases, respectively. In short, platforms like Zoom and Teams have become vital to the efficacy of the remote workforce.[1]

The second mechanism that has enabled the workforce to work from home has been the widespread usage of a Microsoft feature called Remote Desktop Protocol (RDP). In essence, RDP allows an administrator to grant certain users remote access to corporate technology (desktops, data, etc.). An employee working from home would simply need to log in with a username and password, and they would have access to everything they used to have: their old desktop in the office and relevant corporate data. Together, the use of RDP and collaborative cloud services has been the backbone of the remote workforce. However, the increased usage of both of these mechanisms has given threat actors a greater opportunity to exploit those trying to keep working.

It is common knowledge in the cybersecurity community that threat actors will attack the platforms or services that have the most potential to yield success. The current situation with the global pandemic is no different, and threat actors have been targeting the decentralized workforce with pandemic-themed attacks since January. Threat actors understand that the pandemic has created a widespread sense of insecurity, particularly among the remote workforce, and they are capitalizing on it. By crafting malicious content with information from the CDC, the WHO, or by creating false advertisements for protective equipment, threat actors are playing on people’s fear of the pandemic and using it to their advantage.

McAfee has observed a 61% increase in attempted cyberattacks in the U.S. between Q4 of 2019 and Q1 of 2020, and much of that activity is attributable to these kinds of pandemic-themed attacks. Almost every single major industry, from transportation to education and manufacturing, has experienced a dramatic increase in attempted attacks. This points to the opportunism that is so characteristic of threat actors.[2]

In addition to the data from McAfee, our research team from the Sanford School of Public Policy at Duke University and The Media Trust, a cybersecurity company, has generated data around the cyber risks faced by the remote workforce. The Media Trust created synthetic profiles of remote employees, designed to emulate the characteristics of individuals working from home. The synthetic profiles use web browsing to crawl popular websites, and The Media Trust records how the digital ecosystem interacts with the profiles.

Over the course of three weeks in October 2020, the remote worker profiles scanned the internet 457,730 times. Of those scans, The Media Trust recorded 1,587 malicious incidents. An incident is defined as any interaction in which a synthetic profile encounters some form of undesired, third-party code on a website that attempts to do something malicious. Undesired code can take a number of different forms, as attackers use different kinds of attacks to attempt to install malicious software or extract user information, but one kind of attack stood out far above the rest. 1,414 of the attempted attacks used browser add-ons or plugins to disrupt the synthetic profile’s browsing session. This kind of attack delivers code that attempts to install add-on programs in the user’s browser. Many of those programs contain malicious software, such as invasive toolbars and adware that obstructs and interferes with web browsing, causes pop-up and pop-under ads, overrides search engines and home pages, and alters search engine results. The first of the two charts at the end of this article, which contains the quantitative analysis of the undesired third-party code by category, demonstrates the volume of browser add-ons observed in the dataset.

In addition to the remote worker synthetic profiles, the research team from Duke and The Media Trust has been collaborating on another study for the past six months. The Media Trust has created synthetic profiles of Duke University students and faculty in order to understand the cyber risks that the university population faces. The research team analyzes the findings from the Duke synthetic profiles every month and publishes articles with those findings, which can be found here. The team analyzed the October dataset recently and has created a graphic (the second of the two charts at the end of this article) that depicts the data trends from the Duke synthetic profiles modeled against the trends from the remote worker synthetic profiles. It should be noted that key variables between these datasets are dissimilar, such as total scan volume, number of individual scanners, and frequency of scanning. However, a broad look at this comparison demonstrates that browser add-ons and plugins are a popular choice for attackers looking to target both Duke students and faculty members and the remote workforce. The second graphic models the volume of browser add-ons against the total number of incidents in a given week for both the Duke synthetic profiles and the remote worker profiles, where the Duke synthetic data is denoted with the prime symbol.

Not only are threat actors targeting the remote workforce with attacks that purport to provide information about COVID-19, but they are also targeting the mechanisms that make working from home possible. McAfee has observed that the transportation and education industries, which have become the most reliant on cloud services, have experienced increases of over 1,000% in the number of attempted cyberattacks. When employees use their home networks to connect to these services and share information, like documents and attachments, that information is unprotected by the corporate VPN. By connecting to the internet through unsecured networks, employees expose the information that is passed through the cloud (which includes their own login credentials) to threat actors. This is not the worst of it, though.

Attacks on cloud service users are bad enough, but the widespread usage of RDP has prompted a surge of activity in criminal markets called RDP Shops. These markets are where RDP login credentials (usernames and passwords) can be bought, sold, and resold. The reason RDP works so well for the remote workforce is that it serves as a gateway between the remote worker and the information in the corporate network. Admins can control which users have access to which kinds of information, but that information is still inside the corporate network. As a result, if a worker’s RDP credentials are stolen and used by a threat actor to sign into the system, that actor now has access to portions of the corporate network. Given the right set of skills and the right technology, they could exfiltrate sensitive corporate data from inside the corporate network. They could also plant ransomware inside the network and demand that the corporation pay a ransom to an anonymous online wallet, or else risk losing vital information.
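The credential-reuse risk described above, as an added detection example that is not part of the original article or of McAfee's or Crowdstrike's guidance: it scans constructed Windows Security 4624 logon records (logon type 10 is RemoteInteractive, i.e. RDP) for RDP logons from outside an assumed corporate VPN address range, and for a single account arriving from two different source addresses within a short window, which is what a stolen credential being reused alongside the legitimate user looks like in the logs.

```python
"""Flag suspicious RDP logons in Windows Security event records.

Added example, not from the article or The Media Trust. Assumes events have
already been exported as dicts carrying the standard 4624 fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: two RDP logons for "jdoe" minutes apart from different
# networks, one non-RDP service logon, and one ordinary RDP logon.
SAMPLE_EVENTS = [
    {"time": "2020-10-05T08:02:11", "event_id": 4624, "logon_type": 10,
     "user": "jdoe", "src_ip": "10.20.0.15"},
    {"time": "2020-10-05T08:05:40", "event_id": 4624, "logon_type": 10,
     "user": "jdoe", "src_ip": "203.0.113.77"},
    {"time": "2020-10-05T08:09:03", "event_id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.20.0.40"},
    {"time": "2020-10-05T09:30:00", "event_id": 4624, "logon_type": 10,
     "user": "asmith", "src_ip": "10.20.0.15"},
]

# Hypothetical allowlist: the VPN address pool that remote RDP should come from.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
RDP_LOGON_TYPE = 10  # RemoteInteractive


def is_trusted(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_rdp(events, window=timedelta(minutes=15)):
    """Return (reason, user, detail) alerts for RDP logons from untrusted
    sources and for accounts seen from more than one source IP within `window`."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only successful RDP logons are of interest here
        ts = datetime.fromisoformat(e["time"])
        if not is_trusted(e["src_ip"]):
            alerts.append(("untrusted_source", e["user"], e["src_ip"]))
        per_user[e["user"]].append((ts, e["src_ip"]))
    for user, logons in per_user.items():
        logons.sort()
        for i, (t0, ip0) in enumerate(logons):
            for t1, ip1 in logons[i + 1:]:
                if t1 - t0 <= window and ip1 != ip0:
                    alerts.append(("multi_source", user, f"{ip0}->{ip1}"))
    return alerts
```

In production the same two checks would run over events pulled from the domain controllers or a SIEM rather than an inline list, and the allowlist would be the real VPN pool.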

Because the pandemic is still forcing people to isolate, working remotely is unlikely to change in the near future. It may be that, for some industries, working remotely becomes the standard for the foreseeable future. Just as security teams originally adapted to the threats presented to the workforce in the office, now they must adapt to the threats that affect the remote workforce and the businesses they represent. Both McAfee and Crowdstrike have been monitoring and analyzing threat actor activity since the pandemic began, and they have compiled a list of best practices for those working, and those in charge, to adopt. From McAfee, those practices can be found here, on page 9; from Crowdstrike, they can be found here, in the “Key Practices” section. Until those practices become commonplace, though, employees and businesses are at risk when they log onto cloud platforms like Zoom or interface with RDP.

[1] Christain Baak, et al., “McAfee Labs COVID-19 Threats Report, July 2020,” (McAfee Labs, July, 2020), https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-july-2020.pdf

[2] Ibid.
