You’ve seen it in every zombie movie: heroes have managed to lock dozens of the monsters safely up in a barn or warehouse somewhere. Then, someone comes along and opens the door. Cue the mandatory onslaught of shambling, brain-eating nasties. Now, it looks like the current COVID-19 health crisis has done something similar to our enterprise networks.
Security company Arctic Security, looking for suspicious activity from computers in Finland, noticed a sharp spike in the number of infected organizations. Normally, it sees 200 of these each week. In March, it saw the weekly number jump to 800. Wondering if this was a sign of something bigger, it expanded its analysis to Sweden, Norway, Denmark, the Netherlands, Belgium, the UK, Austria and Italy. Sure enough, it saw sharp spikes across those countries too. A quick check in the US saw the number of likely compromised organizations double between January and March.
The company was using data from Team Cymru, which is a security service that monitors network traffic across multiple countries. Rather than just focusing on bad IP addresses, it uses other signals from its threat intelligence service including data about malware types and command and control infrastructure, and claims to correlate attacks stemming from different organizations. Arctic Security said that looking at IP addresses alone wouldn’t have shown much of a jump, but using this data helped it to correlate the addresses with organizations. It was the rise in those per-organization infection rates that alarmed analysts.
Most of the activity it saw was from scanners, which are exactly the kinds of programs that attackers use when trying to find other machines to infect on a network.
The Arctic Security team correlated the spike in malicious connections with the rising number of people working from home as a result of lockdown or social isolation efforts during the COVID-19 crisis. It added:
“…it appears as though these computers were already infected before COVID-19, and it seems that malicious connections normally blocked by on-premises security solutions do not work as well, when people are using a VPN to connect into their employers’ networks.”
When using an infected machine in the office, the enterprise firewall will stop a scanner from reaching out to other machines on the internet, Artic’s team said. When you’re using that machine from home, the firewall is no longer in the way. Even if you connect to the office using a VPN, the scanner ignores it and uses your home network connection to look for other infection targets online.
What does this tell us? Securing remote workers is about more than ensuring you have proper videoconferencing controls in place. You must also ensure that any machines you send home with workers aren’t already harboring software pathogens of their own, just waiting for the chance to run wild.
