The Cyber Sleeper Cells Lying in Wait for the Return to the Office

After months of operating with fully remote workforces, many organizations have been left wondering how to manage the uncertainty created by conflicting government announcements.

Research from the BBC found that 24 of the 50 biggest companies in the UK reported they had no plans to reopen offices at present. Conversely, 20 of the top firms have opened premises for those workers who could not sustainably work remotely. Split workforces, some office-based and others home-based, look set to become the norm.

However, while most attention is rightly focused on protecting staff from the risk of illness, many organizations are overlooking other equally invisible threats in the form of security compromises. Cyber-criminals have been busy exploiting fresh vulnerabilities exhibited by remote workforces over the last few months.

Many workers returning to the office could be unwittingly connecting to the corporate network with devices that have been covertly compromised by attackers while they have been at home. It’s a bit like a terrorist sleeper cell lying low until the time is right to strike.

Why home workers are more vulnerable to cyber threats

The sudden leap to a fully remote workforce meant security solutions and processes were quickly realigned to accommodate a whole new way of working. The resulting confusion gave attackers the chance to sneak in undetected. IT security teams have less oversight of remote employees, and most home environments are inherently less secure than their corporate counterparts.

Home networks are more likely to be misconfigured, with routers set to default passwords and protocols exposed to the internet. Users could also be plugging their corporate device directly into their home Wi-Fi modem in search of more reliable connectivity – potentially without a firewall. Remote workers are also much more likely to be using their corporate devices for non-work reasons, opening personal emails, visiting entertainment websites and playing games.

Conventional boundaries between home and work have become blurred, and company devices are more likely to be accidentally exposed to phishing sites or malware download links.

The threat actors with remote workers in their sights

Attackers have quickly adapted their tactics to exploit any employee mistakes. Interpol secretary general Jürgen Stock has cited the “alarming pace” of their ability to develop and boost their attacks to exploit the instability caused by the virus and resulting lockdowns.

Many attackers have also changed tack to exploit vulnerabilities inherent in remote working, targeting tools such as VPNs. One of the most common VPN threats is the brute-force attack; brute-force VPN attacks rose 60 percent in the first couple of months of lockdown. In this approach, also known as credential stuffing, attackers bombard the VPN portal with credential sets stolen in previous incidents in the hope they will be authenticated.

Although a great many stolen creds will be out of date, the threat actors just need one working combination to gain a foothold.

With many IT and security teams coming to grips with a fully remote workforce for the first time, a compromised VPN stands more chance of flying under the radar. We have seen companies inadvertently make the attackers’ job easier by disabling the built-in lockouts and restrictions on VPN connectivity to aid business continuity or reduce IT overheads.

Waiting until workers return to the office affords attackers more direct access to the corporate network. From here, they can easily move laterally without raising the alarm, enabling them to exfiltrate more sensitive information or carry out a targeted ransomware attack.

Best practice for returning to office

Stopping sleeper cell-style attacks before they are activated demands a multi-pronged approach. First, firms should aim to bolster the protection of their remote workers. Detection of abnormal authentication behavior such as brute force attempts on VPN and Active Directory will help mitigate the most common tactics.
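The detection of abnormal VPN authentication behavior described above can be sketched as follows. This is an added example, not code from the original article; the log format, thresholds, usernames and addresses are constructed assumptions rather than any product's real output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): ISO time, source IP, user, result.
SAMPLE_LOG = """\
2020-09-01T08:00:01 203.0.113.7 alice FAIL
2020-09-01T08:00:03 203.0.113.7 bob FAIL
2020-09-01T08:00:04 198.51.100.20 grace FAIL
2020-09-01T08:00:05 203.0.113.7 carol FAIL
2020-09-01T08:00:08 203.0.113.7 dave FAIL
2020-09-01T08:00:09 198.51.100.20 grace OK
2020-09-01T08:00:11 203.0.113.7 erin FAIL
2020-09-01T08:00:14 203.0.113.7 frank OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the assumed format."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect(log, window=timedelta(minutes=5), min_fails=5, min_users=4):
    """Return alerts as (kind, source_ip, user) in time order.

    credential_stuffing: one source fails logins for many distinct users
    inside the window (a mistyped password hits one user, not many).
    success_after_stuffing: a flagged source then authenticates, i.e. the
    one working combination; that account needs a reset and review.
    """
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still in window
    flagged = set()             # sources already alerted on (kept for the run)
    alerts = []
    for ts, ip, user, result in sorted(parse(log)):
        fails = recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        if result == "FAIL":
            fails.append((ts, user))
            users = {u for _, u in fails}
            if (ip not in flagged and len(fails) >= min_fails
                    and len(users) >= min_users):
                flagged.add(ip)
                alerts.append(("credential_stuffing", ip, None))
        elif result == "OK" and ip in flagged:
            alerts.append(("success_after_stuffing", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Sources behind a shared NAT can trip the distinct-user threshold, so the values should be tuned against normal traffic before alerting on them.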

Elsewhere, deep inspection of DNS and web proxy traffic will help identify malware sending command and control instructions hidden in HTTP and DNS communications. Ideally, whenever a worker returns to the office, any devices they bring with them need to be quarantined in a separate network until they have been fully scanned for hidden malware.

Similarly, returning devices should not be allowed to connect automatically to the host network when the user sits back at their desk.

Finally, organizations should take multiple precautions in case attackers have successfully compromised a machine brought back to the office. For example, a least privilege approach backed up by strong user access controls ensures users are only able to access assets relevant for their role.

Such measures make it harder for attackers to escalate privileges and move laterally through the network without being detected. Behavioral analytics can help to identify the subtle signs of an imposter using a stolen login or compromised device.

Threat actors deploying sleeper cell tactics are some of the most patient criminals around, willing to wait months to execute their strike and seize their prize, but with the right precautions in place, security teams can ensure the attackers will have gone to all that trouble in vain.
