Organizations worldwide that implemented mandatory work-from-home policies to protect the health of their employees now face numerous cybersecurity issues in the underlying infrastructure. Many companies plan to keep this working model even as offices re-open. Here is a quick outline of the security concerns and the possible remediations these organizations could adopt.

As work-from-home became the “new normal”, employees were quickly exposed to vulnerable WiFi networks and had to work on unhardened devices. Larger companies reported better preparedness, as many already had a culture of remote working in place. However, other businesses, especially those relying heavily on on-premises network security controls, struggled to adapt to a new working model so quickly.

Home networks have always been a target for botnets and phishing scams. With the outbreak of COVID-19, however, attackers saw this window of opportunity widen: remote work grew exponentially and the company perimeter expanded into employees’ homes.

1- Phishing Sites and Scams

There was a 600% increase [1] in COVID-19 related phishing attacks in the first quarter of 2020. The hysteria and paranoia surrounding the COVID-19 pandemic are being leveraged by hackers and cyber criminals as a weapon to steal passwords and data. Coronavirus-related domain registrations are 50 percent more open to abuse by malicious actors [2].

A spike in COVID-19 drug-related phishing domains starting in March is just one example. Some of these domains imitated government websites to increase their credibility.

Sending spoofed emails to corporate accounts in critical sectors is another phishing tactic hackers leverage. According to the “Covid-19 Cyber Threat Coalition”, a newly established group of cybersecurity professionals, the most common coronavirus-related threats [3] are credential phishing (33%), scams (30%) and malicious documents sent as attachments (18%). Recent email scams targeting the healthcare sector pretend to come from the WHO or the CDC, while attackers pose as FINRA executives when targeting financial sector workers.

2- Home Networks

Since 2008, botnets have become increasingly popular with attackers for carrying out large-scale attacks such as DDoS and cryptocurrency mining. Botnets are typically formed by compromising home PCs or IoT devices that are known to have vulnerabilities.

Ranging from home routers to surveillance cameras, IoT devices usually lack the built-in ability to be remotely patched and thus have become a new target for botnets over the last few years. These devices can be recruited to the “botnet army” via unprotected network ports, trojans, or other malware spread by spam.

Recent findings [4] highlight the widespread infection of home devices by the Mirai botnet. Mirai takes advantage of vulnerable IoT devices by scanning internet address blocks for open Telnet ports and then logging in with default passwords. At its peak, Mirai had 400,000 devices connected to it from Telnet scanning alone.

Figure: a Shodan search for open Telnet ports.

The problem with routers is that they ship with factory-default usernames and passwords, which cyber criminals can look up and use to bypass protection. Changing the default router password is highly recommended for users who want to increase their security.

Routers, like any hardware, have vulnerabilities that can be exploited to inject malware into a home network. Cybercriminals can simply use a tool to scan for vulnerable routers and trigger those vulnerabilities, just as the operators of the Mirai botnet did.

When exploited, these security vulnerabilities can put sensitive information at stake and allow cyber criminals to launch denial of service (DoS) attacks.

3- Use of corporate credentials across different platforms

Employees using different applications (home-schooling, gaming, online meeting tools, etc.) often reuse the same password as their corporate accounts. When these applications leak data, the credentials, with or without passwords, are exposed to cybercriminals. Hackers usually sell these credentials on the dark web and do not mind sharing the information with each other. It is common for hackers to leverage these sources (not the company itself) when crafting their attacks, either as credential stuffing or as phishing scams.

Credential Stuffing

Hackers use this method to infiltrate a company’s systems by automatically submitting previously breached username/password pairs to its login services. When successful, they gain access to internal resources.
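Credential stuffing leaves a recognisable trace in authentication logs: one source address tries many different usernames, each once or twice, rather than one user failing repeatedly. The following detection logic is an added example, not part of the original article; it runs over a constructed sample of login audit lines in an assumed `<timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>` format and reports which accounts authenticated during the burst (those are the reused passwords that need resetting).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of login audit lines in an assumed format
# "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>" (not real data).
SAMPLE_LOG = """\
2020-04-02T09:00:01 203.0.113.7 alice LOGIN_FAIL
2020-04-02T09:00:02 203.0.113.7 bob LOGIN_FAIL
2020-04-02T09:00:02 203.0.113.7 carol LOGIN_FAIL
2020-04-02T09:00:03 203.0.113.7 dave LOGIN_FAIL
2020-04-02T09:00:03 203.0.113.7 erin LOGIN_FAIL
2020-04-02T09:00:04 203.0.113.7 frank LOGIN_OK
2020-04-02T09:00:05 203.0.113.7 grace LOGIN_FAIL
2020-04-02T09:05:00 198.51.100.4 alice LOGIN_FAIL
2020-04-02T09:05:41 198.51.100.4 alice LOGIN_OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=1), min_users=5):
    """Flag source IPs that tried at least `min_users` distinct usernames within `window`."""
    # One user failing a few times (forgotten password) is not flagged; spraying many is.
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            users = {e[2] for e in burst}
            if len(users) >= min_users:
                findings[ip] = {
                    "users": len(users), "attempts": len(burst),
                    # accounts that authenticated during the burst: likely reused passwords
                    "compromised": sorted(e[2] for e in burst if e[3])}
    return findings
```

In the sample, 203.0.113.7 is flagged with seven usernames in five seconds and one successful login (frank), while 198.51.100.4, a single user retrying after a failure, is not.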

Phishing Scams

Breached credentials often serve as the initial vector of a phishing email campaign. Phishing emails trick recipients into believing they come from legitimate sources, such as the IT department or a peer organization they already trust.

Recent scams against healthcare workers, pretending to come from the IT service desk, invite employees to participate in a COVID-19 related survey and to register for a seminar. See an example below.

Figure: a phishing email targeting healthcare workers.

Steps that could be taken to alleviate the problem

Much like medical professionals suggest that frequent hand-washing is the best defense against the coronavirus, cybersecurity professionals emphasize that employees need to be more careful about what they click on, for example by not opening an email attachment from an unknown source.

Simple steps to alleviate security issues include:

  • Use a VPN, especially when managing devices remotely, e.g. those of third parties or other external suppliers
  • Check service banners (error and welcome messages)
  • Select a reliable and secure router (e.g. never buy used; a router with an embedded security solution is recommended)
  • Change the default router password
  • Update passwords and switch on multi-factor authentication
  • Be aware of phishing attempts
  • Implement a strict security policy

Featured image courtesy: Image by Sarah Kilian on Unsplash