Remote access tools, like TeamViewer and AnyDesk, alongside Internet of Things (IoT) devices, are becoming increasingly common on corporate networks, for better or worse.
These tools bring real benefits, such as helping teams work more efficiently and productively. However, as with any boom in new technology, cybercriminals are actively finding ways to exploit them, and in some cases these tools are helping attackers get around an organization’s otherwise robust security defenses.
Yet, securing these points of access is often overlooked by teams looking to secure their organization’s attack surface.
Holistic security architectures are rarely considered when it comes to remote access or IoT devices, with security teams often blocking one hole and leaving another open.
In fact, many enterprises are using smart devices with zero controls in place to mitigate the risks presented. This article will discuss how security teams can ensure that their organization’s security defenses protect the entire attack surface, including remote access tools and IoT devices.

Why Remote Access Tools Are Popular Entry Points
As previously mentioned, the security of remote access tools often gets overlooked in favor of ease of use and deployment, which address two pain points for time- and resource-strapped teams.
Many organizations opt for using remote access tools because they’re easy to set up and deploy, often leading to a focus on functionality over security during initial implementation.
The same applies to IoT devices. However, not all of these tools are built with security in mind, leaving organizations at risk. In some cases, users might blindly trust that the software or tools they’re using are secure.
Many may come with default passwords and standard authentication systems, which need additional security layers, like multi-factor authentication (MFA) and zero-trust network access (ZTNA) strategies, to protect them.
In general, global government ‘Secure by Design’ schemes, like the UK’s Digital Security by Design (DSbD) initiative, are aiming to change this by prioritizing security in the building process, but this will take time to implement.
What’s more, not all users fully grasp the security implications of improperly secured remote access tools and IoT devices. Whereas employees are often educated on the risks of more traditional attack vectors, like phishing, remote access software may be a security knowledge blind spot.
Users need to understand the severity of the risks that attack vectors like these pose. One way organizations can do this is by bringing these sorts of attacks to life through real-life examples.
Not a Fairytale: Getting Around EDR by Exploiting a Webcam
Take the recent incident in which the Akira ransomware group abused remote access tooling and a webcam to deploy ransomware. The group initially compromised the network via a remote access solution and then deployed AnyDesk for persistent remote access. They mimicked typical administrator activity by using Remote Desktop Protocol (RDP) to move between network servers.
A password-protected ZIP file containing the 'win.exe' ransomware binary was then deployed on a Windows server. Fortunately, security protocols intervened, and the endpoint detection and response (EDR) solution quarantined the file, preventing damage.
The incident should’ve stopped there, with proper flagging by the solution and investigation by the security team. A good EDR solution should flag any abnormalities on the network for thorough investigation to avoid further damage.
In this case, undeterred, the cybercriminals persisted. Their internal network scan identified a vulnerable webcam, likely lacking robust security and EDR protection, as a new target.
Upon further reconnaissance, they discovered that the webcam was unpatched against critical vulnerabilities, ran a Linux OS that allowed command execution, and lacked on-device behavioral detection. IoT devices such as this webcam, much like remote access tools, usually fall under the security radar, leaving them vulnerable to exploitation.
Moving quickly, the cybercriminals deployed their Linux-based ransomware on the webcam. Using the SMB protocol, the device could communicate with the server, and the ransomware attack commenced, encrypting files across the network.
This attack raises many critical questions, including what security teams can learn from the incident.
Back to Basics: Evolving TTPs Don’t Necessarily Need Novel Solutions
Largely, ransomware gangs are consistent. They stick to what works and is profitable. In many cases, having the basics covered, like thorough network monitoring and regular patching, can mitigate excess risk.
Organizations should regularly conduct external scans and look at high-risk vulnerabilities on the network. These scans show the organization’s posture from an outside-world perspective, similar to how a threat actor would search for appropriate (and easy) ‘ins’.
On a scan like this, the external webcam (and other IoT devices and any insecure remote access tools) would’ve been picked up as a security risk.
Similarly, old vulnerabilities that haven’t been patched properly are still being exploited. In many cases, cybercriminals don’t need to reinvent the wheel by developing new tactics, techniques and procedures (TTPs), because the old ones continue to yield success.
We must also move away from the assumption that if a threat actor fails, they’ll simply give up. This, as the above case shows, is plainly untrue. When the reward is high, cybercriminals will push to get into a network and deploy ransomware by any means.
This is why it’s always better to assume that attackers will pivot, and as a result it’s critical for organizations to take a multi-layered approach to defense. Segmenting the network properly, for example, is an important step and, in this case, could’ve stopped the ransomware gang from moving across the system.
Finally, keeping up with current threat intelligence is important for security teams. Yet there’s so much intelligence available that it’s important to cut through the noise. This also relates to alert fatigue (becoming so overwhelmed by alerts and false positives that actual threats get, or are likely to get, missed) and to having too many tools to manage.
Sometimes less is more! Prioritizing the threats that matter is important. Most of the time, the information about ransomware gangs and their common TTPs is out there, allowing teams to understand how ransomware gangs work and how best to defend against them.
However, teams must keep on top of this information and prioritize it appropriately, which can be hard to manage. Working with solutions that reduce noise and prioritize what matters is key, especially when managing entire networks across organizations.
Regular Network Monitoring
As threat actors become more persistent, we must become more thorough when it comes to holistic protection. It is important to regularly scan, map and monitor networks, making sure all devices and software on the attack surface are accounted for – including IoT devices and remote access tools.
Monitoring all smart devices on the network is especially critical and requires dedicated focus. Organizations are taking a significant risk by not locking down the traffic originating from and destined to IoT devices. If not properly segmented, monitored and secured, these devices can be an open door for attackers.
Whilst the aforementioned ransomware attack was successfully blocked, the incident response highlights another area of concern – better prioritization of security alerts and faster action by internal teams. When a ransomware attack is stopped in its tracks, it should trigger an all-hands-on-deck response.
This includes a full investigation into how the threat reached the network in the first place and the swift implementation of preventative measures to avoid future attempts.
RDP continues to be a go-to tactic for threat actors. It allows them to blend in with legitimate admin activity, making detection harder and lateral movement easier. Security teams must therefore reassess their internal policies regarding RDP use. RDP access should never be permitted without close monitoring and additional layers of verification.
Zero trust principles should be applied holistically across the organization, especially for domain-privileged accounts, which have the potential to inflict the most damage when compromised.
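As an added example (not from the article), the following Python detector applies the two monitoring points made above: it flags SMB traffic originating from the IoT segment (the webcam-to-server path in the Akira case) and RDP sessions from anything other than the approved admin host, then ranks IoT sources by how many servers they reached over SMB. The subnets, jump-host address, flow-log format and sample records are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed inventory (assumption): the IoT/webcam segment and the only host
# permitted to open RDP sessions (a hardened, closely monitored jump host).
IOT_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
APPROVED_RDP_SOURCES = {"10.10.0.5"}
SMB_PORT, RDP_PORT = 445, 3389

# Constructed flow records, "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
2025-03-05T02:14:01Z 10.50.0.23 10.20.0.10 445
2025-03-05T02:14:03Z 10.50.0.23 10.20.0.11 445
2025-03-05T02:15:10Z 10.10.0.5 10.20.0.10 3389
2025-03-05T02:16:44Z 10.30.0.77 10.20.0.12 3389
2025-03-05T02:17:00Z 10.30.0.78 10.20.0.10 443
"""

def classify(src: str, dport: int) -> Optional[str]:
    """Name the rule a flow trips, or None if it is unremarkable."""
    # A webcam or other IoT device has no business speaking SMB to servers.
    if dport == SMB_PORT and any(ipaddress.ip_address(src) in n for n in IOT_SUBNETS):
        return "IOT_SMB_TO_SERVER"
    # RDP must only originate from the approved, monitored admin path.
    if dport == RDP_PORT and src not in APPROVED_RDP_SOURCES:
        return "RDP_FROM_UNAPPROVED_SOURCE"
    return None

def detect(log_text: str) -> List[Dict[str, str]]:
    """Run the rules over flow records and return one alert per hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        rule = classify(src, int(dport))
        if rule:
            alerts.append({"ts": ts, "src": src, "dst": dst, "rule": rule})
    return alerts

def smb_fanout(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Distinct SMB targets per IoT source: one device reaching many servers
    is the spreading-encryption pattern and should be escalated first."""
    targets: Dict[str, set] = {}
    for a in alerts:
        if a["rule"] == "IOT_SMB_TO_SERVER":
            targets.setdefault(a["src"], set()).add(a["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}
```

In a real deployment the inventory would come from the asset register produced by the scanning and mapping described above, and the alerts would feed the investigation workflow rather than a script's return value.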
In short, the attack surface is broader than many organizations realize, and attackers are counting on that. A multi-layered, proactive security approach that includes full visibility, strong access controls and real-time monitoring of all connected devices is not just best practice, it’s essential.