Report

Working From Home: A Year in Review

April 2021


Cyber Trends, Risks and the Global Pandemic


As we mark a year of working from home through the global pandemic, this is a good time to discuss and delve into the IT changes and trends in our day-to-day work environment and their implications for user privacy, corporate cyber security and cyber insurance. 

The 3 main categories of software and applications that saw a significant increase in usage over the past year include:

  1. Video Conferencing and online communication platforms
  2. VPNs and Remote Desktop (RDP) software
  3. Two Factor (2FA) and Multiple Factor Authentication (MFA) applications

Working from home has increased the use of these technologies and of similar applications. It has broadened the attack surface and given malicious actors new opportunities: there are more external-internal connections than in the past, which means more types of services to keep track of and monitor. It also implies a heavier traffic load from video streaming, database connections and more.

Easier communication, but at what cost?

Away from their colleagues and offices, employees have had to adapt quickly to online communication and meetings in order to keep things running. Whether it’s Zoom, Webex, Microsoft Teams, Google Meet or any other platform, co-workers can now chat and share video and documents easily from computers and phones. Right from the start of the pandemic, Zoom solidified itself as the dominant platform for video conferencing, with an increase of 67% in usage between January and the middle of March 2020. By April 2020 it already had more than 300 million daily Zoom meeting participants, compared with 10 million meeting participants in December 2019.(1)

Number of Daily Zoom Users, December 2019 - April 2020

This convenience comes with significant underlying risks to users and corporate networks, as poorly implemented encryption protocols and other security measures can let unauthorized participants into otherwise personal or confidential calls. This sort of intrusion, commonly referred to as “Zoom Bombing”, can at best be innocent trolling that causes annoyance(2). At worst it gives access to a malicious actor who can gather sensitive information on the company for espionage purposes(3), harvest participants' credentials and other PII, leak the call’s content and video, and use the meeting chat to send phishing links, which could escalate to a full-blown ransomware attack on the company's network(4). This sort of attack can be carried out by an attacker exploiting vulnerabilities such as (or similar to) CVE-2019-13450(5), which would allow them to forcefully join a meeting.

Multiple Factor Authentication - double the safety but not without risks 

Multiple Factor Authentication (MFA) and Two Factor Authentication (2FA) have been adopted in recent years as an additional security tool to ensure the safety of one’s accounts and personal information. As previously mentioned, the migration to a remote work routine necessitated a secure and verified method for each employee to access their company’s assets online on a daily basis. This basic work necessity came with restrictions and guidelines such as remote desktop applications to create a virtual work environment and 2FA applications in an attempt to strengthen the company’s cybersecurity posture. By May 2020, around 70% of British businesses were already using some type of MFA and a VPN to better manage possible security risks posed by the changed work environment(6).

There are numerous ways in which MFA or 2FA methods can be bypassed: brute force (if the requested code is only 4 to 6 digits long), social engineering, or abuse of conventional session management through the password reset function. The last of these works because 2FA is often not implemented on the system’s login page after a password reset.
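The two technical bypasses above (guessing a short numeric code, and a password reset that lands the user in a logged-in session without the second factor) can be closed on the server side as in the following sketch. This is an added example, not code from the report; the class names, the five-attempt limit and the 300-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed per issued code
CODE_TTL_SECONDS = 300  # assumed policy: lifetime of an issued code

@dataclass
class Challenge:
    code: str
    expires_at: float
    failures: int = 0

@dataclass
class Session:
    user: str
    password_ok: bool = False
    mfa_ok: bool = False

    @property
    def authenticated(self) -> bool:
        # Both factors are required; neither one alone grants access.
        return self.password_ok and self.mfa_ok

class MfaGate:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges = {}  # user -> Challenge

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code from a CSPRNG
        self._challenges[user] = Challenge(code, self._clock() + CODE_TTL_SECONDS)
        return code  # delivered out of band (SMS, app push, e-mail)

    def verify(self, session: Session, guess: str) -> bool:
        ch = self._challenges.get(session.user)
        if ch is None or self._clock() > ch.expires_at:
            self._challenges.pop(session.user, None)
            return False
        if hmac.compare_digest(ch.code, guess):   # constant-time comparison
            del self._challenges[session.user]    # codes are single use
            session.mfa_ok = True
            return True
        ch.failures += 1
        if ch.failures >= MAX_ATTEMPTS:
            del self._challenges[session.user]    # burn the code: no further guesses
        return False

    def session_after_password_reset(self, user: str) -> Session:
        # A reset proves control of the reset channel only, so the new
        # session still has to pass verify() before it is authenticated.
        return Session(user, password_ok=True, mfa_ok=False)
```

Burning the code after a few failures only helps if issuing a new code is rate-limited as well; that part is left out of the sketch.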


VPNs and RDPs - work from anywhere and be attacked from anywhere

Virtual Private Networks (VPN) and Remote Desktop applications became significantly more prominent as the number of people working from home grew during the first few weeks of the pandemic.

RDP and VPN usage grew 41% and 33% respectively during March 2020. Between January 2020 and the end of March 2020, the number of recorded RDP endpoints increased from roughly 3 million to almost 4.4 million(7).

While these technologies are vital to the new home-work environment, allowing remote users to securely connect to corporate applications and resources, they too are not immune to malicious cyber attacks and can be compromised via known and unknown vulnerabilities, both on the client and server side.

According to the cybersecurity company Kaspersky, the total number of global RDP brute force attacks during the first 11 months of 2020 was more than triple the number of attacks during the same timeframe a year before.

RDP attacks dynamics, January – November 2019 and 2020 (8)


An attacker who gains access to a company’s network through an RDP or VPN vulnerability usually does so without direct user engagement: no suspicious emails need to be opened and no links need to be clicked. This is commonly referred to as a “zero-click” attack.

Once inside, attackers exploit unpatched common vulnerabilities and exposures such as CVE-2019-1182(9), a ‘wormable’ vulnerability from 2019 used for RDP attacks. Wormable means that any malware exploiting a server with this vulnerability could propagate from one vulnerable computer to another without user interaction.

Another wormable RDP vulnerability, CVE-2019-07083(10), is exploited for remote code execution and to deliver malicious ransomware payloads on targeted machines. Attackers in control of a single machine can escalate user privileges, exfiltrate valuable data and then propagate malware to another machine on the network. With a foothold in the network, attackers can quickly propagate malware and/or ransomware throughout an organization.


Conclusion 

These days, as companies are obliged to allow their employees the flexibility to work remotely, the attack surface becomes broader: there are more varied kinds of external-internal connections (more types of services to keep track of and monitor) carrying heavier traffic (streaming video, database connections, etc.). Companies can therefore no longer rely on just the security of their network perimeter, as they don’t have the necessary controls and infrastructure to provide the same level of security to their remote workers.

This is evident in the fact that during the pandemic, and due to working from home, the average cost of a data breach grew by $137,000(11) and 35%(12) of cyber attacks use unprecedented malware or methods. Additionally, the global cyber insurance market has been projected to grow from $7.8 billion in 2020 to $20.4 billion by 2025(13), with the growth being attributed to the rise in both the volume of cyber attacks and their severity. This market growth shows that the new remote work environment, and the technologies and services it requires, can result in an increase in cyber insurance claims. It can also lead to higher accumulated damage than in previous years, because the possible vulnerabilities of these technologies could affect more companies more frequently.



Geniya Brass Gershovich

Cyber Intelligence Analyst