COVID19: Attack Through VPN


With tech giants like Facebook and Google confirming that their employees could be required to work from home until 2021, cybersecurity experts have been warning companies of all sizes about the lingering threat from cybercriminals and Advanced Persistent Threat (APT) groups. They report an alarming rise in phishing attempts and other social engineering tactics aimed squarely at remote-working companies and their employees.

On April 8, 2020, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint warning on malicious cyber actors targeting remote-working employees through enterprise VPNs.

The report sheds light on rising criminal activity using phishing and social engineering methods that leverage the COVID-19 pandemic and masquerade as trusted entities to trick unsuspecting employees into disclosing sensitive information.

With most employees working from home, enterprise VPN servers have become a core component of every business. This further stresses the importance of VPN security and of working closely with your IT teams.


What does the DHS/CISA report say?

The warning explains how Advanced Persistent Threat (APT) groups and cybercriminals are using COVID-19 related themes in their campaigns. It also points out that the surge in private VPN use has brought a corresponding rise in threats against it.

The COVID-19 themed tactics identified by the agencies include:

  • Using COVID-19 related subjects to lure in for phishing attempts,
  • COVID-19 related Malware distribution,
  • Registration of new domain names with COVID-19 or coronavirus related titles,
  • Attacks on newly or hastily deployed remote access and teleworking infrastructure.


Types of attacks identified

The most common attacks are listed below, but attackers evolve just as fast as cybersecurity measures do, so it is recommended to stay updated and keep a close eye on any new threats or themes used by attackers.

  • Phishing attempts by email,
  • Phishing attempts masquerading as trusted entities such as your company or organizations like the WHO and CDC,
  • SMS based Phishing,
  • Phishing for credentials,
  • Phishing with malware deployment,
  • The exploitation of new teleworking infrastructure,


Measures to put in place to secure your enterprise VPN account.

Identify vulnerabilities.

Now that most of your employees are working from home, it’s important to identify the VPN services that are critical to your business. This helps in reducing downtime and securing private VPNs against malicious threats. Start by detecting VPNs that have been compromised or that could be targeted by phishing attempts.

Compromised VPNs can result in the loss of VPN credentials, which give attackers an easy entry point. A simple way to detect this is to ensure proper logging and authorization.

With simple authentication and logging, unwanted access to and exploitation of VPN data can be avoided.
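To show what "proper logging" buys you, here is an added example (not from the article or any VPN vendor) that parses constructed VPN authentication log lines in a hypothetical format and flags two signs of stolen or guessed credentials: one account logging in from several source addresses within an hour, and a success following a burst of failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log lines (hypothetical format, not from any product).
VPN_LOG = """\
2020-04-08T08:01:10Z LOGIN_OK user=alice src=203.0.113.10
2020-04-08T08:03:42Z LOGIN_OK user=bob src=198.51.100.7
2020-04-08T08:20:05Z LOGIN_FAIL user=carol src=192.0.2.44
2020-04-08T08:20:09Z LOGIN_FAIL user=carol src=192.0.2.44
2020-04-08T08:20:14Z LOGIN_FAIL user=carol src=192.0.2.44
2020-04-08T08:20:21Z LOGIN_FAIL user=carol src=192.0.2.44
2020-04-08T08:20:30Z LOGIN_OK user=carol src=192.0.2.44
2020-04-08T08:45:00Z LOGIN_OK user=alice src=192.0.2.99
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Turn log text into (timestamp, event, user, source) tuples, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_suspicious(events, window=timedelta(hours=1), fail_threshold=3):
    """Return a set of (user, reason) pairs worth a closer look."""
    alerts = set()
    ok_by_user = defaultdict(list)   # user -> [(ts, src)] of successful logins
    fails = defaultdict(list)        # user -> [ts] of failed logins
    for ts, kind, user, src in sorted(events):
        if kind == "LOGIN_FAIL":
            fails[user].append(ts)
            continue
        # A success right after repeated failures suggests password guessing.
        recent_fails = [t for t in fails[user] if ts - t <= window]
        if len(recent_fails) >= fail_threshold:
            alerts.add((user, "success after %d failures" % len(recent_fails)))
        # The same account succeeding from another address inside the window
        # suggests the credentials are being reused by someone else.
        if any(s != src for t, s in ok_by_user[user] if ts - t <= window):
            alerts.add((user, "logins from multiple sources within window"))
        ok_by_user[user].append((ts, src))
    return alerts

if __name__ == "__main__":
    for alert in sorted(find_suspicious(parse(VPN_LOG))):
        print("ALERT", *alert)
```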

Enable multi-factor authentication for accounts.

Companies are advised to adopt multi-factor authentication (MFA) to protect VPN accounts from unauthorized access.

A 2019 report by Microsoft suggested that MFA on online accounts blocks 99.9% of Account Takeover (ATO) attacks, even when the attacker holds valid credentials for the account.

Apply patches.

CISA also suggested that companies review their current VPN servers, deploy patches, and keep them up to date.

In an updated statement, DHS/CISA notes that attackers have also been using access to Pulse Secure VPN servers to extract plaintext Active Directory (AD) credentials. These stolen credentials allow attackers to access VPN servers even after the patches have been applied. Source-

Now more than ever, when most of your employees need to log into private corporate systems to do their jobs, IT teams are deploying more VPN servers to meet demand and handle the surge in traffic.

With new VPN servers being deployed, IT teams need to pay close attention to the security of and vulnerabilities in these systems, and apply patches promptly to avoid any threats.

Educate your employees on DDoS and phishing attempts.

Many cybersecurity firms believe that, given the current scenario, many attackers will launch DDoS attacks on VPNs, crashing servers or limiting resource availability. With the VPN being the primary gateway into your company’s network, this could cause downtime and block remote-working employees from logging in to do their jobs.

CISA suggests educating and informing your employees on COVID-19 related attempts that could lead to employees unknowingly letting in a cyber-attacker.

Titles identified for phishing attempts by CISA and NCSC

Some of the phishing subject lines recognized by the agencies are listed below. Keep in mind that these are just a few examples to illustrate the themes of the social engineering techniques currently in use; attacks will not be limited to these titles.

  • 2020 Coronavirus Updates,
  • Coronavirus Updates,
  • 2019-COVID: new confirmed cases in your city, and
  • 2019-COVID: Coronavirus outbreak in your city (Emergency).

Emails with these titles have a call-to-action encouraging users to visit a website used to steal valuable data such as passwords, credit card details and other sensitive information.
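The lure subjects above, together with the alert's note about newly registered COVID-themed domains and impersonation of the WHO and CDC, map directly onto a mail-triage rule. The following is an added example (not from the article or the CISA/NCSC alert): the subject patterns generalise the listed titles, the trusted-domain list and the sample messages are constructed, and the result is a triage signal, not a verdict.

```python
import re
from urllib.parse import urlparse

# Subject lines from the CISA/NCSC alert, generalised into patterns (our generalisation).
LURE_PATTERNS = [
    re.compile(r"\b(2019-)?covid(-19)?\b.*\b(confirmed cases|outbreak)\b.*\bin your city\b", re.I),
    re.compile(r"\bcoronavirus updates?\b", re.I),
]
# The alert also flags newly registered COVID/coronavirus-themed domains.
THEMED_DOMAIN = re.compile(r"covid|corona|ncov|pandemic", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Genuine domains of the trusted entities named on this page (WHO, CDC).
TRUSTED = ("who.int", "cdc.gov")

def is_trusted(host):
    return host in TRUSTED or any(host.endswith("." + d) for d in TRUSTED)

def score_email(subject, body):
    """Return the reasons a message looks like a COVID-themed lure (empty list = nothing matched)."""
    reasons = []
    if any(p.search(subject) for p in LURE_PATTERNS):
        reasons.append("subject matches CISA/NCSC-listed lure")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not host or is_trusted(host):
            continue
        if THEMED_DOMAIN.search(host):
            reasons.append("COVID-themed domain: " + host)
        # A trusted brand appearing as a label of an untrusted host is impersonation.
        if re.search(r"(^|[.-])(who|cdc)([.-]|$)", host):
            reasons.append("impersonates trusted entity: " + host)
    return reasons

# Constructed sample messages (not real phishing samples).
SAMPLES = [
    ("2019-COVID: new confirmed cases in your city",
     "Details: http://covid19-updates-cdc.example/login"),
    ("Q2 budget review",
     "Background: https://www.who.int/emergencies/diseases/novel-coronavirus-2019"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(repr(subject), "->", score_email(subject, body) or ["clean"])
```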


Guidelines suggested by CISA for organizations

  • Don’t make meetings public, instead, add a password or waiting room to approve guests.
  • Don’t share a link to a meeting on public platforms and social media.
  • Ensure remote users use updated applications and software.
  • Ensure telework policies address requirements for physical and information security.


Recommended Cybersecurity Best Practices

For data sharing

  • Restrict data sharing through external cloud applications (OneDrive, etc.) to company-approved applications only.
  • Ensure remote connectivity sessions are set to expire after 4-8 hours
  • Devices used to connect remotely (laptops and PCs) will utilize encryption

For remote devices during WFH

  • These devices should not have admin privileges. If they do, then strong passwords must be used
  • Mobile Device Management software will be implemented on all devices
  • A Bring Your Own Device (BYOD) policy must be developed to define proper security for personal devices
  • Remote endpoint security tools that can be centrally reviewed and monitored for company and employee-owned devices will be reviewed and implemented

For Remote network security

Wireless security

  • Always change default Wi-Fi router passwords
  • Enable WPA2 or higher encryption
  • Ensure your local router firmware is up to date
  • The use of public Wi-Fi should be limited. Always use a VPN when connecting to public Wi-Fi. Never use public Wi-Fi to send sensitive information without a VPN
  • Ensure all personal devices are secured with company-provided or personally owned antivirus and antimalware software
  • Update IoT device firmware (smart thermostats, surveillance cameras, etc.)
  • Ensure default passwords are changed
  • Update software on all devices within your home network (corporate laptop, IoT devices such as cameras and smart thermostats, personal laptops/tablets, etc.)
  • Review and follow corporate Bring Your Own Device (BYOD) and other relevant policies and procedures

For Remote Work Employee Awareness

  • Be extremely cautious of email phishing scams
  • Limit social media use. Don’t reveal business itineraries, corporate info, daily routines, etc.


Cybersecurity industry experts recommend answering the following questions in order to secure VPN networks:

  • Number of users who can log in at the same time,
  • Corporate policy to accommodate the surge in VPN users,
  • Priority access and authorization in case of limited access,
  • Average bandwidth per user,
  • Are users allowed to use personal computers?
  • If yes, what is the security protocol on such devices? Are they secure? What files will be accessible on such devices?

