In this article, we describe in detail three real-world cyberattacks that you may be exposed to while working from home, and explain the practical steps you can take to protect yourself from them.

HOW DO CYBERCRIMINALS EXPLOIT REMOTE WORKERS?

Individuals working from home typically have fewer IT security resources than businesses, which makes them a prime target for attackers who wish to exploit this weakness. This is also reflected in the measures taken by companies, which focus primarily on their external network defences (firewalls, network vulnerability probes, etc.) and often overlook the introduction of individual security measures for each workstation.

But how does this lead an attacker to target you when you are working from home? For this article, we exclude threats that come directly from the Internet (your Internet router acts as a firewall) and physical intrusion into your home by a malicious person, which in itself is rare in the world of cyberattacks. However, two serious threats remain:

  • Unfiltered Internet use on a work computer (or use subject to fewer restrictions than at your ordinary workplace), which increases the risk of downloading an infected file, opening a malicious attachment, etc.;
  • The presence of other equipment on your local network. With their default configuration, the vast majority of Internet routers do not filter traffic within the local network.

Furthermore, this equipment (the family computer, mobile phones, tablets, or even devices belonging to a neighbour who may be using your Wi-Fi network without your knowledge) may not be up to date, in which case it no longer provides adequate protection against online threats, or it may be used to run unsafe applications (downloads, cracked applications and games, browsing of age-restricted content, etc.).

Sending an e-mail with an attachment that carries a RAT (Remote Access Tool), for example an Excel macro, a PDF reader exploit or an executable “disguised” as a document, may be all it takes: the attacker is counting on the recipient opening the attachment on your vulnerable family computer.

Once the program has been executed, the attacker has a foothold in your local network, and from there can mount further serious attacks against you. Access to shared folders, exploitation of an RCE vulnerability and exploitation of the LLMNR function are among these risks.

CYBERATTACK 1: ACCESS TO SHARED FOLDERS

The first risk is access to your shared folders. When you first connected your work computer to your local network, Windows asked whether the network was “private” or “public” (or “home”, “office” or “public”, depending on the OS version). Working at home, you most likely, like the majority of people, chose “private” or “home”. However, this choice prompts Windows to lower its security settings and to trust the other devices connected to your network, which means that those devices can discover and access your shared folders.

A cyberattacker with access to your local network can view your network-sharing permissions, access shared files and retrieve confidential data you may have shared across your network. Depending on the configuration of your network and of the shared files and folders concerned, they could even modify existing documents or add new ones. This could include planting a RAT (Remote Access Tool) alongside one of your existing files so that it is triggered the next time you open that file.

Prerequisites

  • The attacker must already have gained access to your network.
  • You must have one or more files or folders shared with other devices on your network.
  • You must have set your local network as a “private” or “home” network on Windows.

Consequences of the cyberattack

  • Confidentiality and privacy concerns: others have accessed your shared documents.
  • Loss of data integrity (depending on the configuration of the shared folders): modification and creation of new files.
  • Worst case scenario: attacker takes control of your personal computer.

Our remote working recommendations for CISOs

  • Force all computers connected to the network to set the new network as “public” and prevent users from changing the setting (Network List Manager Policies).
  • Prevent all users from sharing files and folders over the network.

Our remote working recommendations for users

  • When your computer connects to a network, do not set the network as a “private” network unless you have absolute confidence in all the equipment connected to the network.
  • Never share sensitive files or folders with anyone.
  • Never give anyone “write” permissions on any of your shared files or folders.
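As an added example (not part of the original article), the following PowerShell script audits a workstation for the three conditions this attack needs and, with a hypothetical -Apply switch, enforces the recommendations above: every Private network profile is set to Public, user-created shares are removed and the inbound File and Printer Sharing firewall rules are disabled. It assumes an elevated session on an English-language Windows 10 (the firewall group display name is localized).

```powershell
# Added example: audit/harden a Windows workstation against the shared-folder
# scenario. Not part of the original article; the -Apply switch name is ours.
# Without -Apply the script only reports; with it the changes are enforced.
param([switch]$Apply)

# 1. Network profile: a Private profile tells Windows to trust neighbouring
#    devices (discovery and sharing on), so report it and optionally switch it.
foreach ($p in Get-NetConnectionProfile) {
    '{0,-30} {1}' -f $p.Name, $p.NetworkCategory
    if ($p.NetworkCategory -eq 'Private' -and $Apply) {
        Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public
    }
}

# 2. Shares: list user-created shares (Special = administrative shares such as
#    C$ and IPC$), showing who holds which right; "write" access is Change/Full.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | ForEach-Object {
        '{0,-20} {1,-40} {2,-25} {3}' -f $share.Name, $share.Path, $_.AccountName, $_.AccessRight
    }
    if ($Apply) { Remove-SmbShare -Name $share.Name -Force }
}

# 3. Firewall: the inbound "File and Printer Sharing" rule group is what lets
#    other hosts reach SMB (TCP 445) on this machine; disable it when unneeded.
$rules   = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
$enabled = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
"Inbound File and Printer Sharing rules enabled: $enabled"
if ($Apply) { $rules | Disable-NetFirewallRule }
```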

CYBERATTACK 2: EXPLOITATION OF AN RCE VULNERABILITY

Another risk you may encounter is the exploitation of an RCE (Remote Code Execution) vulnerability present on your computer. One example is CVE-2020-0796, also known as “SMBGhost”, which allows an attacker with access to your local network to execute code remotely on your machine through the SMBv3 network sharing protocol. This kind of vulnerability is generally patched quickly and rarely disclosed to the public before the corresponding security update is released. It is therefore unlikely to be exploited if your computer is fully up to date.

However, it is relatively common for business computers used for remote working to receive updates only when they are connected to the corporate network.

You should be concerned if, for example, during lockdown you received e-mails from your IT department inviting you to come to the office so that important security updates could be applied to your computer.

Did you go to the office after reading the e-mail? If not, you have not received the security update, and once the cybercriminal has infiltrated your network they can exploit such a vulnerability.

Prerequisites

  • The attacker must already have gained access to your local network.
  • There must be an unpatched RCE vulnerability on your computer (a failed update or, in rare cases, a 0-day vulnerability).

Consequences of the cyberattack

  • The attacker could take control of your computer.

Our remote working recommendations for CISOs

  • Implement a policy to update and manage security assets that remains functional even when computers are not connected to the corporate network.

Our remote working recommendations for users

  • Apply security updates as soon as possible and perform the reboot if one is requested.
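As an added example (not from the original article), this PowerShell check shows a user or help desk why a laptop that is away from the office may have stopped patching: a workstation pointed at an internal WSUS server that is only reachable on the corporate LAN silently falls behind at home. It reads the standard Windows Update policy and servicing registry keys, reports the last installed update and any pending reboot, and also checks whether Microsoft's interim SMBGhost workaround (disabling SMBv3 compression) is present.

```powershell
# Added example (not from the original article): check why a laptop that is away
# from the office may not be patching. Registry paths are the standard Windows
# Update policy and servicing keys; run in an elevated session for full results.
$wu       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$srv      = (Get-ItemProperty -Path $wu      -Name WUServer    -ErrorAction SilentlyContinue).WUServer
$useWsus  = (Get-ItemProperty -Path "$wu\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
$usesWsus = ($useWsus -eq 1) -and [bool]$srv
$source   = if ($usesWsus) { "WSUS: $srv" } else { 'Windows Update / Microsoft Update' }

# Most recent installed update: a date weeks in the past on a laptop that only
# "updates at the office" is the symptom the article describes.
$lastUpdate = (Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

# A downloaded fix is not effective until the reboot it asked for has happened.
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

# Microsoft's interim workaround for SMBGhost (CVE-2020-0796) was to disable
# SMBv3 compression on the server side (DisableCompression = 1).
$lanman = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                           -Name DisableCompression -ErrorAction SilentlyContinue

$wsusReachable = 'n/a'
if ($usesWsus) {
    # -InformationLevel Quiet returns $true/$false; $false at home explains stalled patching.
    $u = [uri]$srv
    $wsusReachable = Test-NetConnection -ComputerName $u.Host -Port $u.Port -InformationLevel Quiet -WarningAction SilentlyContinue
}

[pscustomobject]@{
    UpdateSource           = $source
    WsusReachable          = $wsusReachable
    LastUpdateInstalled    = $lastUpdate
    RebootPending          = $rebootPending
    OsBuild                = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    SmbCompressionDisabled = ($lanman.DisableCompression -eq 1)
}
```

A WSUS source that is unreachable from home, combined with an old LastUpdateInstalled date, is the configuration the CISO recommendation above is meant to prevent.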

CYBERATTACK 3: EXPLOITATION OF THE LLMNR FUNCTION

The last threat we will discuss is more sophisticated and involves tricking your computer into revealing your credentials to the attacker. As mentioned in the first attack, when your computer connects to a “home” network it automatically attempts to identify all the services present on that network.

To do this, Windows uses several name resolution protocols, including LLMNR and NBT-NS, to send queries across the network. For example, Windows will ask the network whether a host named “WPAD” exists in order to detect a proxy configuration. Your computer will then attempt to contact each of the services detected on the network.

If any of these services require authentication, your computer will automatically log in with your user credentials. An attacker with access to your network can exploit this process by answering such queries with fake services that require authentication, for example using the Responder tool.
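As an added example (not from the original article or any official tool), the following PowerShell script is a defensive LLMNR “canary” that detects the behaviour just described: it multicasts an LLMNR query for a random name that cannot exist on the network. On a clean network nobody answers; any reply means a host is claiming names it does not own. The canary name prefix and the 2-second wait are our choices.

```powershell
# Added example (not from the original article): a defensive LLMNR "canary".
# A random, non-existent name is queried; a legitimate network stays silent,
# so any answer indicates a host impersonating names (a rogue responder).
$name = 'canary-' + [guid]::NewGuid().ToString('N').Substring(0, 12)
$txid = Get-Random -Minimum 1 -Maximum 65535

# LLMNR (RFC 4795) reuses the DNS message format.
# Header: ID, flags=0 (standard query), QDCOUNT=1, other counts 0.
$header   = @(($txid -shr 8), ($txid -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0)
# Question: length-prefixed labels, root label 0, QTYPE=A (1), QCLASS=IN (1).
$labels   = foreach ($l in $name.Split('.')) { [byte]$l.Length; [Text.Encoding]::ASCII.GetBytes($l) }
$question = $labels + @(0, 0, 1, 0, 1)
$query    = [byte[]]($header + $question)

# LLMNR queries go to the link-local multicast group 224.0.0.252, UDP 5355;
# replies come back unicast to the port the query was sent from.
$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 2000
$group = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
[void]$udp.Send($query, $query.Length, $group)

$remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
try {
    $reply   = $udp.Receive([ref]$remote)
    $replyId = ($reply[0] -shl 8) -bor $reply[1]
    if ($replyId -eq $txid) {
        Write-Warning ("{0} answered LLMNR for the non-existent name '{1}': possible rogue responder" -f $remote.Address, $name)
    }
} catch [System.Net.Sockets.SocketException] {
    # Receive timed out: nobody claimed the name, which is the expected result.
    "No LLMNR answer for '$name' within 2 s (expected on a clean network)"
} finally {
    $udp.Close()
}
```

Because the name is random, a reply can only come from a host that answers for names it does not own, so the check produces no false positives from legitimate LLMNR use.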

In the worst case (old versions of Windows and/or poor network configuration), the attacker will be able to recover your password directly through this process. Most of the time, however, the process yields a hash (NetNTLMv1 or NetNTLMv2) from which the attacker then tries to break your password. The weaker the password (short, made of words found in a password dictionary, etc.), the easier it is to break.

Once the attacker has obtained the password for your Windows account, they can log in to any of your company's online services where authentication relies solely on that account (without MFA): proxy, webmail, cloud applications, extranet, etc. Alternatively, they may use your password as part of a more complex attack from within your company network.

Finally, even if the attacker is unable to break your password, the captured hash can still be used in “NTLMRelay” attacks. Although this threat is minimal in the context of an attack carried out over your local network, such an attack remains possible.

Prerequisites

  • The attacker must already have gained access to your network.
  • Your network configuration must use LLMNR and/or NBT-NS protocols (these are the default settings for Windows 10 “private” networks).
  • Your Windows password must be weak.

Consequences of the cyberattack

  • The attacker could obtain your Windows account password.

Our remote working recommendations for CISOs

  • Disable LLMNR and NBT-NS on all workstations in the company.
  • Force all computers connected to the network to set the new network as “public” and prevent users from changing the setting (Network List Manager Policies).
  • Implement a password policy that prevents the use of weak passwords.

Our remote working recommendations for users

  • When your computer connects to a network, do not set the network as a “private” network unless you have absolute confidence in all the equipment connected to the network.
  • Use a strong password.
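As an added example (not from the original article), this PowerShell script applies the first CISO recommendation on a single workstation and reads the result back: LLMNR is turned off through the same registry value the “Turn off multicast name resolution” policy sets, and NetBIOS over TCP/IP (NBT-NS) is disabled on every adapter. It assumes an elevated session; the NetBT change takes effect after a reboot or a network adapter restart.

```powershell
# Added example (not from the original article): disable LLMNR and NBT-NS on a
# workstation and report the resulting state. Run as administrator.

# LLMNR: the "Turn off multicast name resolution" policy is stored as
# EnableMulticast = 0 under the DNSClient policy key (created if absent).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Type DWord -Value 0

# NBT-NS: NetBIOS over TCP/IP is a per-adapter setting. NetbiosOptions
# 0 = take the value from DHCP, 1 = enabled, 2 = disabled.
$nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $nbtRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2
}

# Verification: read the values back so the state can be collected by an
# inventory or compliance script (all adapters should show NetbiosOptions=2).
$nbtState = Get-ChildItem -Path $nbtRoot | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    '{0}={1}' -f $_.PSChildName, $opt
}
[pscustomobject]@{
    LLMNR_EnableMulticast = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast).EnableMulticast
    NBTNS_PerAdapter      = $nbtState -join '; '
}
```

In a domain the same two settings are normally pushed by Group Policy (the DNS Client policy for LLMNR, and the adapter's WINS tab or a DHCP option for NetBIOS), which is what the recommendation above refers to.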

While gaining access to a local network in order to target a company requires a certain amount of motivation, these scenarios are fairly easy for a well-equipped attacker to carry out.

However, it should be stated these are not the only threats. In general, remote working increases risks due to the following factors:

  • Increased exposure to threats for the company concerned over the Internet (VPN, extranet, etc.);
  • Lack of face-to-face exchanges, which makes “social engineering”, a hacking practice based on manipulating individuals, easier;
  • Growing use of work collaboration and remote discussion solutions that are sometimes not adequately secured.

This was true for the Zoom application, for example, where several RCEs were found during the first lockdown (CVE-2020-6109 and CVE-2020-6110).

During this period, a very large number of attacks and attempted attacks were recorded.

In order to adequately address the increase in the number and sophistication of cyberattacks, it is essential that IT system security be implemented on an individual basis and not just an organisational basis. Workstation security should be subjected to regular penetration tests, accompanied by measures to raise employee awareness of the risks inherent in cybercrime.
