Security Experts:

Spike in Company Compromises Correlates With Lockdowns

Dramatic Increase in Company Compromises Correlates with Coronavirus-Sparked Lockdowns 

At the end of March 2020, researchers detected a spike in the number of firms potentially compromised each week. Previously, the number in Finland per week was around 200. Now it suddenly jumped to 800 -- and the reason is a cause for concern.

Finland-based Arctic Security -- a firm that develops and operates a threat intelligence analysis platform -- has analyzed data provided by Team Cymru. It found the same pattern of increasing potential compromises began in January to February, gathered pace in February to March, and repeated across at least eight European countries (Sweden, Norway, Denmark, Netherlands, Belgium, UK, Austria and Italy); and also the U.S. In the U.S., potentially compromised organizations doubled between January and March.

Interestingly, Arctic Security did not analyze individual IPs (which would relate to individual devices), but used the 'pure signal' data provided by Team Cymru to map potential threat data to network owners; that is, effectively to companies or public sector agencies rather than users. This is where the data gets interesting, because the potential compromises of IPs did not significantly increase, while that of networks did increase. 

"Analysts looking for an increase in the number of compromised IPs or an increase in the number of observed compromises per IP will not see a marked increase," commented Lari Huttunen, senior analyst with Arctic Security. "However, the number of malicious connections to the Internet coming from organizations has increased, and only Team Cymru was able to show us this differential."

Attempting to understand why indications of compromise from networks increased sharply while those from individual devices did not, leads to a surprising suggestion -- the networks were already compromised, but for some reason that compromise has suddenly been activated.

Arctic Security noticed one common factor across the different countries it analyzed -- all had been affected to one degree or another by COVID-19 lockdowns and subsequent increases in working from home. "This means," say the researchers, "the number of people using a VPN to connect to their companies' systems have increased by orders of magnitude."

The researchers believe that many office workers now working from home are using company provided equipment -- in fact, the same devices they often used at the office pre-lockdown. The researchers believe that these devices were already compromised, but that any malicious activity -- such as receiving commands from a C&C -- were constrained by the company firewall and other security controls.

However, once the device was removed from the office and taken home, outside of the company security perimeter, that constraint was removed, and the compromising malware could receive new instructions from the criminals' C&Cs. Rather than residing inside the company's security perimeter, the device was located outside but connected to the company network by a VPN. "It appears," say the researchers, "as though these computers were already infected before COVID-19, and it seems that malicious connections normally blocked by on-premises security solutions do not work as well, when people are using a VPN to connect into their employers' networks."

"Our analysis indicates that the employees' computers were already hacked before COVID-19 made the news, but were lying dormant behind firewalls, blocking their ability to go to work on behalf of the threat actors," explained Huttunen. "Now those zombies are outside firewalls, connected to their corporate networks via VPNs, which were not designed to prevent malicious communications."

If this analysis is correct, the implications are quite severe. Firstly, it suggests that companies have many more compromised, but largely dormant, devices on their networks than they realize. This in turn suggests that organizations are still concentrating on data center perimeter defense rather than potentially mobile endpoint defense.

Secondly, it highlights limitations in internal visibility if network defense is over-reliant on analyzing in-bound traffic and potential threats outside of the perimeter. The company device, already compromised but constrained while inside the network, is suddenly freed from the internal controls while communicating from outside via a trusted VPN.

This suggests that the sudden increase in working from home with VPNs has turned passive network compromises into active network compromises. It is the consequent increase in 'pure signal' data detected by Team Cymru and analyzed by Arctic Security that has led to these conclusions. 

"News coverage of the recent uptick in cyber threat activity is showing an incomplete picture," said Team Cymru. "Despite the focus on VPN hacks and attacks at home, the research indicates that computers at more than 50,000 organizations in the US had been infected prior to stay-at-home orders. Researchers say they are witnessing previously infected computers being activated now that their malicious communications are no longer being blocked by corporate firewalls."

"These observations mean that the criminals have control over resources at an increased number of victim organizations," commented David Chartier, CEO of Arctic Security. "This research helps illustrate the fact that cyber security issues can fall through the cracks of an organization's layered security approach."

The worrying aspect is that no new initial device compromise is necessary, nor any malicious abuse of the VPN required. The network trusts the device because it is a company device, and trusts the VPN connection. The unknown element is that the device had already been compromised. "We are witnessing the limitations of traditional internal security tools and processes," said Chartier.

Related: Remote Work is Not New, but it is the New Normal 

Related: How to Address the Surging Need for Secure Remote Access to OT Networks 

Related: Patching Pulse Secure VPN Not Enough to Keep Attackers Out, CISA Warns 

Related: Google Sees Millions of COVID-19-Related Malicious Emails Daily

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.