Organizations are sending employees and students home to work and learn — but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges.

As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one.

As organizations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have inadequate or naive security postures as a result. Given the challenges in securing work- and learn-from-home environments, the attack surface represents an attractive opportunity for threat actors.

“Working from home or online education programs are not new. However, a large, immediate migration of people from enterprise and university networks that are closely monitored and secured, to largely unmonitored and often unsecure home Wi-Fi networks, creates a very large target of opportunity for cybercriminals,” Chris Hazelton, director of security solutions at Lookout, told Threatpost. “These users are outside the reach of perimeter-based security tools, and will likely have higher exposure to phishing and network attacks.”

Attacks Ramp Up

Researchers say that the first rash of efforts aimed at remote students and workers is likely to play on their fears and concerns about what sent them home to begin with – the coronavirus itself.

The concern is more than theoretical. Already, attackers have been leveraging coronavirus-themed cyberattacks as panic around the global pandemic continues – including various malware attacks involving Emotet and other threats. An APT, for instance, was recently spotted spreading a custom and unique remote-access trojan (RAT) that takes screenshots, downloads files and more, in a COVID-19-themed campaign. And, the World Health Organization (WHO) has issued warnings about scammers pretending to be the organization. That activity is expected to expand along with the expanded attack surface, researchers said.

“In general, attackers are looking for a vulnerability to deliver their attack,” Chris Rothe, chief product officer and co-founder of Red Canary, told Threatpost. “In this case, people’s fear over the virus is the vulnerability attackers will look to capitalize on. If an individual is concerned or stressed about the virus they are less likely to remember their security training and will be more likely to, for example, click a link in a phishing email or give their credentials to a malicious web site.”

This forgetfulness when it comes to security can be especially true for those who are not used to working or learning at home: “People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and web browsing,” Colin Bastable, CEO of security awareness training company Lucy Security, said in an email interview. “This increases the risks that they can introduce to their employers and colleagues, by clicking on malware links. So now is a great time to warn people to be ultra-cautious, hover over links and take your time.”

Organizations may be distracted as well, leading to increased risk. For instance, Otterbein University in Columbus, Ohio, was hit with a ransomware attack in the past week, just as it was making preparations to switch to online classes. The situation forced the school to extend its spring break for another week as it dealt with the problem, since it was rendered incapable of delivering online education as planned.

University officials told the local ABC station that it’s unclear what the attack’s infection vector was; and that they’re not sure when things will return to normal – both potential indicators of cybersecurity unpreparedness and IT resources stretched thin.

Top Challenges in Remote Working

A lack of IT resources can bite many organizations as they move to enable remote strategies. When workers and students are sent outside the normal perimeter, managing device sprawl, and patching and securing hundreds of thousands of endpoints, becomes a much bigger challenge.

“As a security team you lose control of the environment in which the user is working,” Red Canary’s Rothe said. “Have they secured their home Wi-Fi? If they’re using a personal computer, what mechanisms do you have to ensure that device isn’t compromised? Essentially, your network perimeter now includes all of your employees’ homes. Some security programs are ready for this, some aren’t.”

In terms of those that aren’t ready, it’s important to remember that there’s a wide swath of companies that don’t normally enable telecommuting, warned Sumir Karayi, CEO and founder of 1E.

“Government, legal, insurance, banking and healthcare are all great examples of industries that are not prepared for this massive influx of remote workers,” Karayi told Threatpost. “Many companies and organizations in these industries are working on legacy systems and are using software that is not patched. Not only does this mean remote work is a security concern, but it makes working a negative, unproductive experience for the employee.”

The challenges are particularly notable for those working in regulated industries, he added, and those that use proprietary or specific software – such as stock traders or airline reservationists.

“Regulated industries pose a significant challenge because they use systems, devices or people not yet approved for remote work,” he said. “Many companies must have secure environments and devices to meet regulations; it is not possible to secure and certify remote work because of security concerns and unauthorized people gaining access. Proprietary or specific software is usually also legacy software. It’s hard to patch and maintain, and rarely able to be accessed remotely.”

Also complicating the picture: Many organizations, including many schools, have proprietary, on-premise software that will require special configurations in order to be made accessible remotely.

“In a world of growing SaaS and cloud adoption this can be very seamless, but if your systems are all on an internal network the challenge is providing users a secure way to access those systems via a VPN or other networking solution,” Rothe noted.

And, adding insult to injury, workers in regulated industries are often stuck with endpoints that have cumbersome security protocols – which ironically can add to the attack surface.

“When they need help from IT, IT often does not have the right tools, so they have to try and take over the machine, which wastes a lot of time and is a security risk,” Karayi noted.

There’s also of course the specter of an increased threat from the mobile sphere. “Students and workers remaining at home, or possibly stranded in remote locations, are going to be heavily dependent on their mobile devices,” Lookout’s Hazelton said. “Mobile attacks are particularly effective because they often trigger immediate responses from recipients – instant communication platforms like SMS, iMessage, WhatsApp, WeChat and others.”

Best Practices for Remote Working and Learning

Fortunately, companies and schools can plan for distance learning and working in order to meet some of these challenges.

“The first step employers should take right now is to conduct a remote-work tabletop exercise with their key executives and line of business leaders,” said Rick Holland, CISO and vice president of strategy at Digital Shadows, speaking to Threatpost. “You need to inventory your business applications and identify the mission-critical ones. For SaaS applications, follow up with your providers and inquire about their business continuity plans. For on-premises applications that require VPN connectivity, test and validate that VPN connectivity for higher utilization than usual.”

Making risk-assessments of remote workers’ computing setups is essential as well, he added. Questions to ask include how they will connect to the company’s systems, and from which devices.

“The staff could connect from company-issued laptops or options like Citrix or Amazon Workspaces that enable staff to work from any device,” Holland said. “It might also be necessary to roll out new VoIP and increase web conferencing services licenses.”

It’s also important to consider the issue of on-premises software, including costs. “You cannot replace legacy on-premises applications overnight, so increasing VPN capacity to accommodate more staff working remotely could be expensive,” Holland said. “One of the unintended consequences of COVID-19 will likely be increased zero trust adoption that further embraces cloud services, eliminates VPNs, and enables employees to work from anywhere.”

And finally, given the social-engineering aspect of most attacks, user education is more important than ever.

A Dutch researcher claimed Google’s very first annual Cloud Platform bug-bounty prize, for a clever container escape exploit.

Google has awarded its inaugural annual top prize for the Google Cloud Platform (GCP), for vulnerabilities found in the Google Cloud Shell. The find — a container escape that leads to host root access and the ability to use privileged containers — has earned $100,000 for Dutch researcher Wouter ter Maat.

The internet giant also announced that it would be expanding the scope of payouts for annual GCP prizes, as part of the Google Vulnerability Reward Program (VRP). It will offer six prizes in total for the top vulnerability reports in GCP products submitted in 2020, for a collective $313,337 in winnings. Prizes will start at $1,000 for sixth place and top out at $133,337 for first.

Bug-hunters will need to provide a public write-up in order to be eligible; and, interestingly, that write-up cannot be more than 31,337 words. Google also noted in a posting this week that a free tier of GCP is available for those researchers with budget constraints.

Winning Entry

The Google Cloud Shell is a Linux- and browser-based front-end for administrators that provides access to various resources in the Google Cloud Platform. Those can include gcloud, Docker, Kubernetes, Python, vim, Emacs, Theia and others. Users of the Google Cloud Platform can launch a Cloud Shell instance via the Google Cloud Console.

Ter Maat noted that several issues exist in how Cloud Shell interacts with resources, starting with an authentication problem. The end result is the ability to gain root access on the host with the power to reconfigure any containers housed there.

“When the Cloud Shell instance is done starting a terminal window is presented to the user,” ter Maat wrote in his write-up, first published in December. “Noteworthy is the fact that the gcloud client is already authenticated. If an attacker is able to compromise your Cloud Shell, it can access all your GCP resources.”

After launching a Cloud Shell, the researcher was able to connect to resources, determining that he was “trapped inside a Docker container” because there were only a small number of processes running. He was then able to escape the container and access the full host by examining the file system.

“I noticed that there were two Docker UNIX sockets available,” explained ter Maat. “One in ‘/run/docker.sock’, which is the default path for our Docker client running inside the Cloud Shell (Docker inside Docker); the second one in ‘/google/host/var/run/docker.sock.’”

This second socket was revealed to be a host-based Docker socket, as indicated by its pathname.

“Anyone who can communicate with a host-based Docker socket can easily escape the container and gain root access on the host at the same time,” the researcher noted, adding that he wrote a quick script to do just that.

After that, with root access, he was also able to reconfigure Kubernetes to flip all of the containers from unprivileged to privileged by writing a new “cs-6000.yaml” configuration file and setting the old config file to “/dev/null.”

“After running it you will find that all containers inside the pod will automatically reboot. Now all containers run in privileged mode,” said ter Maat.
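The two conditions ter Maat chained together, a host Docker socket bind-mounted into the container and containers running with the privileged flag, are both things a defender can check for from inside the workload or from the pod specification. The following is an added example written for this article, not code from ter Maat's write-up or from Google: it parses /proc/self/mountinfo lines for docker.sock mounts and flags containers whose securityContext sets privileged. The mountinfo text and the pod spec are constructed samples (the socket path mirrors the one quoted above; the pod and container names are made up), and the function names are this example's own.

```python
import os
import re
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo as it might look inside a container
# that has the host's Docker socket bind-mounted (assumption, not real output).
# Field layout per proc(5): id parent major:minor root mount_point options ... - fstype source superopts
SAMPLE_MOUNTINFO = """\
1 0 0:1 / / rw,relatime - overlay overlay rw,lowerdir=/a,upperdir=/b,workdir=/c
2 1 0:20 / /proc rw,nosuid - proc proc rw
3 1 8:1 /var/run/docker.sock /google/host/var/run/docker.sock rw,relatime - ext4 /dev/sda1 rw
4 1 0:21 / /run rw,nosuid - tmpfs tmpfs rw
"""

# Constructed pod spec in the shape of the Kubernetes PodSpec API (names are made up).
SAMPLE_POD = {
    "metadata": {"name": "example-pod"},
    "spec": {
        "containers": [
            {"name": "shell", "securityContext": {"privileged": True}},
            {"name": "sidecar", "securityContext": {"privileged": False}},
            {"name": "helper"},  # no securityContext at all: defaults to unprivileged
        ]
    },
}

DOCKER_SOCKET_RE = re.compile(r"docker\.sock$")


def find_docker_socket_mounts(mountinfo: str) -> List[Dict[str, str]]:
    """Return bind-mounts whose mount point ends in docker.sock.

    The 'root' field (index 3) shows where the socket lives on the host, so a
    mount of /var/run/docker.sock from a real block device is the host daemon,
    not a Docker-inside-Docker socket created by the container itself.
    """
    findings = []
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        root, mount_point = fields[3], fields[4]
        if DOCKER_SOCKET_RE.search(mount_point):
            findings.append({"host_path": root, "container_path": mount_point})
    return findings


def privileged_containers(pod: dict) -> List[str]:
    """Names of containers in a pod spec whose securityContext sets privileged: true."""
    names = []
    for container in pod.get("spec", {}).get("containers", []):
        if container.get("securityContext", {}).get("privileged") is True:
            names.append(container["name"])
    return names


def audit_running_container() -> List[Dict[str, str]]:
    """Read the live mount table when run inside a container; empty list if unavailable."""
    try:
        with open("/proc/self/mountinfo") as fh:
            return find_docker_socket_mounts(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    for hit in find_docker_socket_mounts(SAMPLE_MOUNTINFO):
        print(f"host Docker socket exposed: {hit['host_path']} -> {hit['container_path']}")
    for name in privileged_containers(SAMPLE_POD):
        print(f"privileged container: {name}")
    if os.path.exists("/proc/self/mountinfo"):
        print("live mounts:", audit_running_container())
```

Anything with write access to the host daemon's socket effectively has root on the host, so a hit from the first check is a finding in its own right, regardless of whether the container is privileged. The pod-spec check is the one to run as an admission or CI gate so that privileged: true never lands in a workload that does not need it.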

The cybersecurity implications of gaining malicious control over privileged containers are myriad, according to research firm Trend Micro.

“Running a container with privileged flag allows internal teams to have critical access to the host’s resources — but by abusing a privileged container, cybercriminals can gain access to them as well,” according to an advisory late last year. “For malicious actors who gain access to exposed privileged containers, the possibilities for abuse are seemingly endless. Attackers can identify software running on the host to find and exploit vulnerabilities. They can also exploit container software vulnerabilities or misconfigurations, such as containers with weak credentials or no authentication. Because an attacker has root access, malicious code or coin miners can be executed and effectively hidden.”

Over 16 security flaws, including multiple backdoors and hardcoded SSH server keys, plague the software.

Security researchers are warning that networking hardware vendor Zyxel and its Cloud CNM SecuManager software is chock-full of unpatched vulnerabilities that kick open the doors for hackers to exploit. In all, researchers have identified 16 vulnerabilities, ranging from multiple backdoors and default credentials to insecure memory storage.

The Zyxel CNM SecuManager is a networking management software solution that provides an integrated console to monitor and manage enterprise security gateways, such as the company’s own ZyWALL USG and its VPN series products. When contacted by Threatpost, Zyxel would not say how many users of the product there are, only that the number was “limited.”

However, security researchers Pierre Kim and Alexandre Torres wrote in a report posted Monday that “the attack surface is very large and many different stacks are being used making it very interesting. Furthermore, some daemons are running as root and are reachable from the WAN. Also, there is no firewall by default.” The report outlined the more than a dozen flaws.

On Monday, Taiwan-based Zyxel declined to comment on the research, adding that it was unaware of the report. Because of the sensitive nature of the vulnerability claims, Threatpost declined at the time to publish the researchers’ findings.

On Wednesday, Nathan Yen, AVP of Zyxel Gateway SBU, reached out to Threatpost and said that the company was now aware of the issues and was working quickly to fix them. He did not specifically address any of the 16 vulnerability claims.

Researcher Kim told Threatpost he did not disclose the vulnerabilities to Zyxel because he believed that the vendor intentionally created backdoors into its product that would open Cloud CNM SecuManager software to remote access by Zyxel, post-customer installation.

“The only effective way when dealing with backdoors planted with the vendor is to publish zero-day vulnerabilities using full disclosure,” he said. “By going full disclosure, the vendor will be forced to remove the backdoors.”

Yen did not address those claims by the researchers.

Researchers said that flaws were reported on December 20, and on Monday they publicly disclosed the vulnerabilities online and via security mailing lists.

Researchers Outline Bugs

According to the report, the vulnerable software includes Zyxel CNM SecuManager versions 3.1.0 and 3.1.1 – last updated in November 2018.

Topping the researchers’ list of security concerns is the use of hard-coded Secure Shell (SSH) server keys, used by network administrators for remote login and remote control of hardware assets.

“By default, the appliance uses hardcoded SSH server keys for the main host and for the chroot environments,” they wrote. A chroot is an operation to change a root directory for a running process and its dependent directories on Unix operating systems. “This allows an attacker to [man in the middle] MITM and decrypt the encrypted traffic,” they wrote.
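A host key baked into every unit of a product means every appliance presents the same SSH identity, which is exactly what lets an on-path attacker impersonate it. The practical check is to fingerprint the host keys of every appliance you operate and look for keys shared across hosts. The following is an added example written for this article, not code from the researchers or from Zyxel: it builds OpenSSH-style SHA256 fingerprints from ssh-keyscan-format lines and reports any fingerprint seen on more than one host. The three scan lines and the raw key bytes are constructed samples (two appliances deliberately share a key); the helper names are this example's own.

```python
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, Iterable, List


def _ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_public_blob(raw_key: bytes) -> bytes:
    """Build the public key blob for an Ed25519 key as OpenSSH encodes it (RFC 8709):
    string "ssh-ed25519" followed by the 32 raw key bytes, each length-prefixed."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64 of SHA-256 over the key blob, '=' padding stripped.
    This matches what `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(scan_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group hosts by host-key fingerprint from lines of the form `host keytype base64blob`
    (the format ssh-keyscan and known_hosts use) and return only fingerprints seen on
    more than one host."""
    hosts_by_fp: Dict[str, List[str]] = defaultdict(list)
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan writes comment lines for hosts it reached
        host, _keytype, b64 = line.split()[:3]
        hosts_by_fp[fingerprint(base64.b64decode(b64))].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample key material: not real keys, just 32-byte values to exercise the code.
KEY_A = bytes(range(32))
KEY_B = bytes(range(32, 64))


def _scan_line(host: str, raw_key: bytes) -> str:
    return f"{host} ssh-ed25519 {base64.b64encode(ed25519_public_blob(raw_key)).decode()}"


# Constructed scan output: appliance-1 and appliance-2 share a host key, appliance-3 does not.
SAMPLE_SCAN = [
    "# appliance-1:22 SSH-2.0-OpenSSH",
    _scan_line("appliance-1", KEY_A),
    _scan_line("appliance-2", KEY_A),
    _scan_line("appliance-3", KEY_B),
]


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} is shared by: {', '.join(hosts)}")
```

On a real fleet the input comes from `ssh-keyscan -t ed25519 <host>` run against each appliance, and a single host's fingerprint can be cross-checked with `ssh-keygen -lf -` on the same line. A shared fingerprint across independently installed units is the signature of a key shipped in firmware rather than generated at first boot, and such hosts should be treated as lacking a trustworthy SSH identity until the key is regenerated.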

Another vulnerability is tied to predefined passwords for admin accounts. “By default, we can extract the pre-defined admin and the pre-defined users from MySQL,” researchers wrote. MySQL is an open-source relational database management system. Researchers described the extraction as “trivial,” making it easy to obtain the “previous admin/users.”

Also of concern to researchers is what they said was the Zyxel CNM SecuManager’s “insecure management over the cloud.”

“By default, myzxel.pyc used for communication to the ‘Cloud’ uses some hardcoded variables for communication over HTTPS,” they wrote. As they described, “The function get_account_info uses the account_id, the jwt_secret and the jwt_secret_id… The jwt_secret and jwt_secret_id are generated as unique key for each appliance.”

In this context, researchers said an attacker can extract account information using backdoors in the SecuManager’s APIs or by using the “anonymous access to the ZODB interface and decrypting the secret account_id value.”

A ZODB, or Zope Object Database, is an object-oriented database for transparently and persistently storing Python objects, according to a technical description.

“There are likely to be way more zero-day vulnerabilities in the appliance, but we decided not to dig more due to time constraints,” wrote Kim and Torres.

Zyxel Promises Fixes

“While we’re still investigating the listed issues, it’s important to note that the CloudCNM SecuManager is a network management tool customized for specific customer demands and is used by a very limited number of customers,” according to a written response from Yen to Threatpost.

Yen told Threatpost that the CloudCNM SecuManager was co-developed with a third-party vendor. “We’re working with them to solve the issues as our top priority. We’ll reach out to individual customers directly to roll out the solution,” he said.

None of the vulnerabilities Kim and Torres identified could be found on the company’s security advisory page at the time of this report.

Late last month, Zyxel patched a zero-day vulnerability tied to a critical flaw in many of its network attached storage (NAS) devices. The bug, tracked as CVE-2020-9054, allowed a remote, unauthenticated adversary to execute arbitrary code on a vulnerable device. Patches were made available for four out of 14 affected NAS devices. The other 10 NAS devices were no longer supported by Zyxel.

Vulnerabilities Summary

The researchers’ full list of Zyxel CNM SecuManager software vulnerabilities follows:

  1. Hardcoded SSH server keys
  2. Backdoors accounts in MySQL
  3. Hardcoded certificate and backdoor access in Ejabberd
  4. Open ZODB storage without authentication
  5. MyZyxel ‘Cloud’ Hardcoded Secret
  6. Hardcoded Secrets, APIs
  7. Predefined passwords for admin accounts
  8. Insecure management over the ‘Cloud’
  9. xmppCnrSender.py log escape sequence injection
  10. xmppCnrSender.py no authentication and clear-text communication
  11. Incorrect HTTP requests cause out of range access in Zope
  12. XSS on the web interface
  13. Private SSH key
  14. Backdoor APIs
  15. Backdoor management access and RCE
  16. Pre-auth RCE with chrooted access

“At this time, I would advise customers to avoid using this product,” Kim said. “I also have some questions about the ‘Cloud’ functionality provided by Zyxel and the fact that some encryption keys are hardcoded and HTTPS communication is not secure because of the lack of verification of certificates – this allows an attacker to intercept and modify the management traffic to and from the SecuManager product.”