InfoSec Insider

Bad Actors Are Maximizing Remote Everything

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting ‘remote everything’.

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cybercriminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector.

What Malware Trends are Showing

Our FortiGuard Labs research team dug into the prevalence of malware variants by region for the second half of 2021. What they found shows a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector. The team found that various forms of browser-based malware were prevalent. Often, this takes the form of phishing lures or scripts that inject code or redirect users to malicious sites.

Detections vary across regions, of course, but can be largely grouped into three broad distribution mechanisms: Microsoft Office executables (MSExcel/, MSOffice/), PDF files and browser scripts (HTML/, JS/). Files packed with the Microsoft Intermediate Language (MSIL) are another common feature.

It’s worthy of note that some kinds of browser-based malware occupy the top spots in all regions. Such techniques have gained prominence recently as a way to exploit peoples’ desire for the latest news about COVID-19, politics, sports or any current headline. And since many are browsing from their home networks these days, there are fewer layers of protection between such malware and would-be victims (e.g., no corporate web filters).

The Rise of Exploit Kits

The use of exploit kits (EKs) is one element that has clearly helped cybercriminals in their efforts to execute malware. These kits are automated programs attackers use to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they browse the web. After they target a potential victim’s vulnerabilities, attackers can download and execute their malware of choice.

Exploit kits work automatically and silently as they look for vulnerabilities on a user’s machine while they browse the web. Currently, exploit kits are the preferred method for the distribution of remote access tools (RATs) or mass malware by cybercriminals, especially those seeking to profit financially from an exploit.

What’s especially insidious is that EKs don’t require victims to download a file or attachment. The victim need only browse on a compromised website, and then that site pulls in hidden code that attacks vulnerabilities in the user’s browser.

Currently, older kits are available to the public. Attackers have been taking these older kits and modifying them, making them more resilient to newer security detection strategies. Also, many of these kits are being advertised for sale online. Attackers offer these kits for rent on these sites and offer support and update contracts to guarantee they work against future updates.

Addressing the Remote Everything Security Problem

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

Another vital component and best practice of modern security strategy is the development of a holistic security mesh, wherein fully integrated security, services and threat intelligence seamlessly follow users on the road, at home or in the office to provide enterprise-grade protection and productivity across the extended network.

This simplifies and satisfies the demands of today’s three most common WFA scenarios: the corporate office, the home office and the mobile worker. Enterprises must secure mission-critical applications, so securing access to those applications, the networks to connect to those applications, and the devices that run those applications remain a vital component of a layered defense – even when working from a traditional location.

In the home office, risk lurks in the home networks that are often poorly secured with retail wireless routers and contain vulnerable IoT devices, which can be a pathway for hacker to gain access. And mobile workers regularly rely on untrusted and unsecured networks to access critical business resources. This can introduce unique threats, enabling cybercriminals to launch attacks against inadequately protected devices or intercept exposed communications.

A holistic integration of endpoint security, network security and ZTA/ZTNA addresses the challenges that WFA presents.

Criminals will make the most of any possible threat scenario, and the past two years have provided many opportunities for network attack. Malware trends and the rise of exploit kits have proven this point, and it’s now incumbent upon IT security teams to re-evaluate their security posture and adjust as needed. A comprehensive, integrated security mesh that accounts for all work possibilities is a best practice.

Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs.

Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.


Suggested articles

Securing Your Move to the Hybrid Cloud

Infosec expert Rani Osnat lays out security challenges and offers hope for organizations migrating their IT stack to the private and public cloud environments.