The following is a guest post from Cameyo, a fellow Digital Workspace Ecosystem Alliance (DWEA) member. As a DWEA member, Cameyo is committed to the organization’s mission of producing and sharing vendor-neutral content to help organizations better navigate the digital workspace landscape, and we believe this post will be of interest. You can learn more about the DWEA here.
Ransomware is a sinister threat to your data and business-critical systems, and one that has been increasingly targeting remote & hybrid workers since the beginning of the pandemic. The threat landscape is growing and as we’ve seen with major attacks across multiple industries and sectors recently - from the Colonial Pipeline, to JBS Meatpacking, to Kaseya - no business is immune to a ransomware attack.
Remote access systems and protocols have long been a favorite target of cybercriminals using ransomware. And as most organizations have heavily pivoted to remote access solutions since the onset of the pandemic, the attack surface of the newly evolving digital workspace is growing larger.
In this post we’ll discuss the threats that exist within the digital workspace and how organizations can protect themselves.
Already this year, large-scale ransomware attacks have made major news headlines. On May 7th, 2021, Colonial Pipeline was targeted with a ransomware attack from a criminal hacker group known as "Dark Side." The attack took down critical systems and infrastructure. The fallout from the ransomware attack resulted in the shutdown of 5500 miles of pipeline, effectively eliminating half of the fuel to the United States East Coast. The shutdown led to panic buying and fuel shortages for days.
Cyberattacks are increasingly featuring ransomware. The Group-IB LLC, a cybersecurity provider, noted the number of ransomware attacks was up by 150% in 2020. This increase also includes a 200% increase in the extortion amount. According to Cybersecurity Ventures, ransomware will attack a business every 11 seconds by the end of 2021. In addition, the costs of ransomware attacks are projected to be $20 billion. These figures represent a 57X increase since 2015. It shows just how effective and successful ransomware attacks have become.
More figures showing the escalating nature of ransomware:
Experts agree that remote connectivity to corporate resources, born from the unique productivity needs of the pandemic, has created the perfect storm for ransomware. John Hammond, a cybersecurity researcher at the security firm Huntress, put it this way:
When you are working from home, you are not behind the castle walls anymore. You are working with your own devices, away from the safe perimeter of corporate networks.
IT and network teams have been forced to open network connectivity in ways that may not have previously been allowed before shifting to the distributed workforce. This shift facilitates the growing demand for remote workers and flexibility of communicating with corporate networks to access internal resources. In addition, many more users may now have access to VPN clients, RDP connections, and other remote connectivity.
Each new network "exception" that may be allowed to remote workers opens a hole in the organization’s armor. It can make it much easier for hackers to enter the internal network and compromise business-critical data. In addition to the sheer number of network allowances made this past year, the types of remote technologies used to access the digital workspace are often legacy and antiquated. This leads to additional cybersecurity risks.
What are considered legacy remote access technologies at this point? For decades, organizations have historically used technologies such as Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) to connect to internal corporate resources. While these have worked well in the past, they were never designed to scale to a situation where most people work remotely, and they introduce significant security challenges.
Remote Desktop Protocol (RDP) has been notorious for security-related vulnerabilities that have led to widespread ransomware infections. A recent analysis of popular Remote Desktop clients was found vulnerable with over 25 vulnerabilities to note amongst with the three clients analyzed. A total of 16 of these were classified as major vulnerabilities.
Time and again, Microsoft has announced vulnerabilities found in RDP, leading to a scramble to patch affected Windows Servers and desktop operating systems. In May 2020, Microsoft announced another vulnerability, CVE-2019-0708, dubbed BlueKeep. Hackers can also use the leaked NSA tool called EternalBlue, which uses the BlueKeep exploit to unleash a wormable virus that would look like the NotPetya attack on a global scale.
Aside from the security vulnerabilities and zero-day exploits found in RDP, it is highly vulnerable to brute force attacks when placed on the public Internet. Hackers, bots, zombie machines, and other malicious traffic on the Internet will readily attempt to brute force user accounts to find accounts allowing access on an exposed RDP endpoint. A compromised user account and an exposed RDP server can lead to an attacker coming right in the "front door" of your digital workspace, potentially with high-level account access to connect to sensitive resources.
Microsoft never intended RDP to be placed in the perimeter with the RDP endpoint exposed. However, this is the easiest way for businesses to stand up remote connectivity for end-users, especially in a time crunch as seen in the beginning stages of the pandemic. To engineer the RDP environment properly, organizations should use the Remote Desktop Gateway server, which tunnels RDP traffic over HTTPS connections instead. Insecure RDP connections can lead to increased vulnerability to ransomware attacks.
The traditional Virtual Private Network (VPN) connection can also increase risks for a ransomware attack. Like RDP, VPN connections can be misconfigured, use weak passwords, and lack two-factor authentication, which can easily lead to compromised credentials allowing an attacker to make unauthorized connections to internal resources.
VPN connections also allow a potentially insecure end-user machine to become part of the corporate network, exposing all other corporate network resources to any malicious software that may have infected the end-user client. Thus, VPN connections are logically like taking a long patch cable and extending the patch cable to the end-user client.
The patch cable makes the client part of the corporate network. There are ways to restrict VPN connectivity to limit the scope of which resources a client can connect, but this configuration again is another possible area where misconfiguration can happen or get neglected. VPN credentials are also a weak link in the overall security of remote access technology.
Suppose a user account password that is granted VPN access to the corporate network is compromised. In that case, an attacker essentially "becomes" that user and can connect to the VPN tunnel. As a case in point to the danger of compromised credentials with remote access technologies, the Colonial Pipeline hack has since been attributed to a leaked VPN account password.
According to Charles Carmakal, senior vice president at the cybersecurity firm Mandiant:
"Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company's computer network…."
The account, used by a former employee, was part of a list of breached passwords found on the dark web. The VPN account also did not use multifactor authentication, making it even more vulnerable. It shows just how fragile and insecure remote access solutions can be if these are not appropriately secured.
With the significant ransomware threats to your business and the demand for hybrid connectivity at an all-time high, how can you protect your digital workspace? Let's focus on the following five areas:
As mentioned earlier, some organizations may be relying on remote access solutions that have been around for a decade or longer. Therefore, it would be wise to evaluate your current remote access technologies and how end-users are accessing digital workspace resources today. Are there multiple technologies that allow users to gain access to the internal corporate network? Is remote access for end-users overprovisioned? Do users have access to full desktop environments when they only need access to a few applications?
You should audit which users have access to current remote access solutions and evaluate if access needs to be removed for any users who no longer need it. In the Colonial Pipeline ransomware attack, a former employee's account was still active with a breached password. This stale account was used for unauthorized login via VPN. With proper auditing, stale accounts should be removed regularly to reduce the attack surface.
If your business uses legacy or improperly configured remote access solutions such as an RDP server exposed to the perimeter or unrestricted VPN connectivity, now is the time to reevaluate remote access strategies and technologies for end-users to access digital workspace platforms.
Cybercriminals are feverishly attempting to compromise credentials in your organization, as can be seen with the number of phishing attacks targeting most businesses. Valid credentials, if these can be compromised, provide an easy way into your network. Again, using the Colonial Pipeline ransomware attack example, all it took was a set of compromised VPN credentials to take down a massive pipeline operation shutting down 5500 miles of infrastructure.
The user account was not secured using multifactor authentication (MFA). With multifactor authentication, even if attackers gain access to a valid user account and password, they still do not have all the information needed to authenticate. While not the "end all, be all" of user credential security, it significantly bolsters any organization's cybersecurity to implement MFA across the board, both for on-premises and cloud resources.
As businesses evaluate current remote access technologies and access, it can become apparent that some users with access to full virtual desktops may only need access to applications instead. Often, only power users need full virtual desktop sessions made available remotely. Using virtual application delivery instead of full desktop sessions drastically reduces the attack surface. Additionally, businesses may no longer need to allow VPN connections to the internal network with virtual application delivery. The application is made available to a user instead of opening the entire network to run a few applications. Thus, it serves as a much more efficient and secure approach.
Pivoting from full desktops to virtual application delivery can also have a cascade effect on security. Many businesses find they need fewer resources and infrastructure when delivering applications instead of full desktops. As a result, the attack surface is significantly reduced when an organization has fewer resources to maintain, patch, and secure.
As is highlighted in the Colonial Pipeline attack, breached passwords can come back to haunt an organization, especially if credentials make it to the dark web and into the hands of cybercriminals. Unfortunately, most identity and access management solutions in the enterprise today (Microsoft Active Directory as an example) do not provide native breached password protection.
For the most part, outside of open source solutions, businesses must look to third-party solutions to introduce these capabilities into the environment. These third-party solutions generally implement large breached password databases and scan your environment to ensure users are not using breached passwords. Breached password protection can significantly increase account and password security when used in tandem with multifactor authentication.
In the traditional networking model, internal networks were considered secure and "trusted." However, with the ransomware threats posed to businesses today, this model is no longer a safe way to operate your network. Instead, hackers hope that companies operate with the mindset of having a "trusted" LAN. Unfortunately, cybercriminals have been all too successful in using phishing, malicious websites, and malicious emails to infiltrate the internal network. Once there, they have free reign over the "trusted" network as there are generally little to no security boundaries in place.
Modern and secure network topologies view everything as untrusted and potentially malicious, including the internal network. Additionally, even with services placed in the DMZ or edge network, look for solutions that segment and separate devices from the network to prevent access to your data, prevent lateral movement, and wipe user data after every session. Finally, a zero-trust model, based on identity, prevents the age-old problem of having RDP servers continually open from the Internet and subject to nonstop brute force attacks and password spraying.
Ransomware represents arguably the greatest threat to your business-critical data of any modern cybersecurity threat. And with the accelerated evolution and migration to remote and hybrid work technologies brought about by the pandemic in 2020, remote connectivity and access to digital resources are critically important.
With this tremendous shift to "open" connectivity and access from anywhere and any device, cybersecurity in the digital workspace must be a focal point now more than ever. But, unfortunately, hackers are using the new doorways into environments to launch massive and relentless ransomware attacks worldwide. Choosing intelligent, effective, and secure remote access technologies and evaluating the tools and security measures in place will allow businesses to embrace the digital workspace with confidence.
