An organization with fully remote or hybrid workers constantly faces the threat of security violations, and it is in a more precarious position still if employees use devices that the company has never registered and that therefore lack proper protection.
A successful phishing campaign can leak user credentials to malicious actors and give them access to highly privileged accounts. A laptop running outdated software can give an attacker a foothold from which to reach the organization's central IT systems and the critical business data they hold.
Cyber criminals are always looking for weaknesses to exploit, and remote work has opened up new endpoints for them to target. For a business, endpoints are all the computers, servers, smartphones, tablets, IoT devices and similar hardware that connect to its IT network. Endpoint security covers the measures taken to protect these systems from compromise.
So how can proper endpoint security help businesses protect their remote workers and their own interests from hackers?
First, let’s dive into three endpoint-related cybercrime cases to highlight ways that endpoint devices can be compromised.
Zero Day Exploits
A software vulnerability for which no patch exists, because the vendor or developer has not yet discovered it (and so has had zero days to fix it), is called a zero-day. An attack that targets such a vulnerability is called a zero-day exploit. Since the vendor does not know about the flaw, there is no fix to deploy, and such exploits are very hard to anticipate.
Cyber criminals generally use zero-day attacks to gain high-level system access and then steal valuable information, manipulate data, disrupt company operations, siphon off money and so on.
Mitigating such attacks mostly requires manual intervention by security teams to deploy the vendor's patch quickly once it is released. Vulnerability scanners only find flaws that are already known, so by definition they cannot detect a zero-day; until a patch exists, defenders depend on exploit mitigations, sandboxing and behavioural detection on the endpoint to limit the damage.
State-Sponsored Hackers Targeted Vulnerability In Chrome
In February 2022, Google's Threat Analysis Group found that a zero-day remote code execution vulnerability in the Chrome browser, CVE-2022-0609, was being exploited by two North Korean government-backed groups.
Described by Google as a "use after free in Animation", the flaw was delivered through an exploit kit used by both groups that chained a Chrome remote code execution exploit with a sandbox escape, giving the attackers a path from the browser onto victims' computers.
The attack targeted individuals in the news media, fintech, cryptocurrency and IT industries. Targets were sent fake recruitment emails with links that, once clicked, served a hidden iframe that triggered the exploit kit. This leads us to the next point.
“Phishy” Emails Are Still Fooling People
In August 2022, the notorious Lazarus group was reported to have lured select Apple Mac users with bogus job emails carrying malware. The lure echoed the CVE-2022-0609 campaign: a fake recruitment offer from a well-known company.
Surely most people know by now that hackers have used phishing successfully for years? Unfortunately, it is a form of social engineering that exploits our cognitive biases and our tendency to trust a message when its sender appears to be a reputable or familiar person, company or brand. That is why it still works.
Hackers "phish" for a victim's personal information, passwords, access to enterprise systems and so on. The target may also be tricked into transferring money to the fraudster's account. Although phishing can take place over text messages or phone calls, email is generally the weapon of choice.
Variants are named after the technique used and the intended victim: whaling (targeting executives), vishing (voice calls), smishing (SMS) and spear phishing (a lure tailored to one specific person) are some of the alternate terms.
GuLoader Malware Transmitted Via Phishing
GuLoader, a fileless, shellcode-based malware downloader first spotted in 2019, was found spreading through phishing campaigns. It set off alarm bells because of its versatility and its ability to evade detection and analysis.
Cut to 2023 and GuLoader is still out there, this time targeting e-commerce companies in several countries. After Microsoft blocked macros by default in Office files downloaded from the Internet, the hackers behind this phishing campaign switched to NSIS installer executables to deploy the malware.
VPNs Are Not Enough
During the first wave of remote work at the start of the pandemic, many companies turned to Virtual Private Networks (VPNs) to give employees an encrypted tunnel into the corporate network. Enterprises with critical data to protect had been using VPNs well before that, especially so that workers on unsecured WiFi hotspots did not inadvertently expose their traffic and their devices.
Although a VPN encrypts the data in transit between a remote worker's device and the company's systems, it does nothing about the device itself: a compromised laptop simply carries its malware through the tunnel. A security strategy that covers endpoint devices with layered, protective technology is a far safer bet than relying on VPNs alone.
EyeSpy Delivered Via Tainted VPN Installers
After Iran restricted VPN use to a government-approved list, a strain of spyware known as EyeSpy came to light. It was built on a legitimate monitoring tool sold to businesses that wanted to watch their remote workers' activities, which threat actors repurposed and bundled into trojanized VPN installers.
The malware could log keystrokes, take screenshots and collect passwords stored in browsers. It poses a security and privacy threat to victims, given the harsh repercussions facing citizens the Iranian government identifies as dissidents.
Improving Endpoint Security: An Overview
The emerging remote-working culture is not the only added threat to endpoint security. Bring Your Own Device (BYOD), a policy that lets employees work from their personal laptops or phones even while on company premises, can create security gaps too.
Then there is shadow IT: the use of unregistered IT systems, software or devices within a company by employees or departments, without the knowledge of the central IT department. It adds to the problem of compliance errors and security vulnerabilities, because nobody is patching or monitoring what IT does not know exists.
To improve endpoint security, start with device posture checks. This means setting up a system (or using a ready-made solution) that ensures only "trusted" devices can connect to the company's network. It works by examining security-related data about the device in question: firewall and antivirus status, operating system version, disk encryption and so on.
Device posture can be checked once per connection or continuously during a session. Laptops, smartphones, servers, IoT gadgets and similar hardware that do not meet the security rules set by the admin are denied network access (or have an existing session revoked), lowering the chances of data leaks and cyber-attacks via endpoint devices.
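To make the posture check concrete, here is an added example of the evaluation logic such a system runs; it is illustrative code written for this article, not taken from any product. The attribute names, the policy thresholds (minimum OS versions, maximum antivirus signature age) and the two sample devices are assumptions. It reports every failed rule rather than just the first, and the second function shows the continuous variant, which re-evaluates periodic snapshots and flags the point at which an already-connected device falls out of compliance.

```python
# Device posture check evaluator. Added example, not code from the original
# article or from any vendor's product. Attribute names, policy values and the
# sample devices are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.0.19045' -> (10, 0, 19045). Tuples compare element by element,
    so (10, 0, 19045) > (10, 0, 19044) and (14, 2) > (13, 6)."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Posture:
    """Security-related data reported by, or collected from, one device."""
    device_id: str
    os_name: str
    os_version: str
    firewall_on: bool
    av_running: bool
    av_signature_age_days: int
    disk_encrypted: bool
    managed: bool  # enrolled in the company's device management


# Assumed admin policy: minimum OS version per platform plus hard requirements.
POLICY: Dict[str, Any] = {
    "min_os_version": {"Windows": "10.0.19045", "macOS": "13.0", "Ubuntu": "22.4"},
    "max_av_signature_age_days": 7,
    "require_firewall": True,
    "require_av": True,
    "require_disk_encryption": True,
    "require_managed": True,
}


def evaluate(posture: Posture, policy: Dict[str, Any] = POLICY) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed rule is listed so the user and
    the helpdesk can see what has to be fixed before access is granted."""
    reasons: List[str] = []
    min_versions: Dict[str, str] = policy["min_os_version"]
    if posture.os_name not in min_versions:
        reasons.append(f"unsupported OS {posture.os_name}")
    elif parse_version(posture.os_version) < parse_version(min_versions[posture.os_name]):
        reasons.append(
            f"{posture.os_name} {posture.os_version} below minimum {min_versions[posture.os_name]}"
        )
    if policy["require_firewall"] and not posture.firewall_on:
        reasons.append("host firewall disabled")
    if policy["require_av"]:
        if not posture.av_running:
            reasons.append("antivirus not running")
        elif posture.av_signature_age_days > policy["max_av_signature_age_days"]:
            reasons.append(f"antivirus signatures {posture.av_signature_age_days} days old")
    if policy["require_disk_encryption"] and not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    if policy["require_managed"] and not posture.managed:
        reasons.append("device not enrolled in management")
    return (not reasons, reasons)


def continuous_check(snapshots: List[Posture], policy: Dict[str, Any] = POLICY) -> int:
    """Continuous posture checking: re-evaluate each periodic snapshot of a
    connected device and return the index of the first non-compliant one
    (the session should be revoked there), or -1 if it stayed compliant."""
    for i, snap in enumerate(snapshots):
        allowed, _ = evaluate(snap, policy)
        if not allowed:
            return i
    return -1


# Constructed sample devices (not real telemetry).
CORPORATE_LAPTOP = Posture("LT-0042", "Windows", "10.0.19045", True, True, 1, True, True)
PERSONAL_LAPTOP = Posture("BYOD-7", "macOS", "12.6", False, True, 30, False, False)

if __name__ == "__main__":
    for dev in (CORPORATE_LAPTOP, PERSONAL_LAPTOP):
        allowed, reasons = evaluate(dev)
        print(dev.device_id, "ALLOW" if allowed else "DENY", reasons)
```

Run as-is, the corporate laptop is allowed and the personal laptop is denied for five separate reasons (old macOS, firewall off, stale antivirus signatures, no disk encryption, not managed). In a real deployment the `Posture` values would come from an agent or the device's management API, and a failed continuous check would tear down the VPN or network session rather than just return an index.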
Encourage employees to report all the devices, apps and software they use for work even if you have a suitable device posture checking system in place. Consider working Machine Learning (ML) into your endpoint security strategy; deployed correctly, it can help predict and prevent cyber threats more dynamically than traditional signature-based technology.
A robust endpoint security program should combine supporting functions including, but not limited to, remote-access VPN, spam filtering, advanced threat prevention, endpoint detection and response (EDR), data security and network protection.
Last but not least, conduct employee training sessions to raise awareness of threats such as malware, phishing, spyware and unsecured WiFi networks. Employees should also be kept up to date on the security protocols they must follow while connected to the company's IT systems.
Wrapping up
With more and more phishing campaigns, ransomware cases and data breaches making the headlines, it is evident that cybercrime is only climbing.
It is getting increasingly difficult for companies to keep their own data, and that of their vendors, partners, employees and customers, safe. We are also at a point where businesses everywhere gather more information than ever before.
Most companies should expect to face a data breach at some point. Layered protection lets businesses reduce the number of security violations and social engineering attacks that succeed, regardless of how employees connect to the enterprise system.
For companies of all kinds and sizes, adequate endpoint security is the key to keeping their data as safe as possible from spies and cyber criminals.