Cloud Threats Memo: Illustrating Big Risks in the Shift to Remote Working

The exploitation of traditional remote access technologies is reaching new records. That, in a nutshell, is the main finding of Nuspire’s Threat Landscape Report Q1 2021. The report, sourced from 90 billion traffic logs during Q1 2021, looks at a range of events such as malware activity, botnet activity, exploitation activity, and remote access. The remote access section probably best illustrates the risks posed by the sudden shift to remote working.

Over the course of 2020 (and 2021), we have seen a perfect storm hitting traditional remote access technologies as they struggled to scale to demand at the same time that they suffered an unprecedented series of severe vulnerabilities. Nuspire’s report paints an interesting picture, and two numbers contained within it speak volumes: In Q1, activity against CVE-2018-13379, a critical vulnerability targeting Fortinet’s FortiGuard SSL VPN web portal increased at a 1,916.98% rate from the beginning of the quarter. Similarly, activity against Pulse Connect Secure VPN CVE-2019-11510 peaked early in Q1 at a 1,527.87% rate from the beginning of the same quarter.

As the report author says, “These vulnerabilities allow a threat actor to gain access to a network. Once they are in, they can exfiltrate information and deploy ransomware [and much more]”. Additionally, these vulnerabilities are fueling the initial access brokerage market, which makes the execution of an attack easier, since the attackers can easily buy valid credentials, access a network, and focus on the execution phase.

Unfortunately exposed misconfigured services play an important role in a complicated threat landscape. The same report mentions a significant number of attempts to perform SMB Login brute force attacks (achieving a 14M peak), representing 69.73% of all exploit attempts during Q1. SMB brute force is a frequently used tactic because it is easy and automated. Attackers assume an organization has poor password management practices and is not using multi-factor authentication.

Providing a Zero Trust alternative to remote access technologies and exposed services.

Netskope Private Access allows you to publish resources in a simple and secure manner providing a Zero Trust alternative to legacy remote access technologies and preventing the direct exposure of services like SMB, RDP, or SSH. It is possible to publish and segment virtually any application located in a local data center, as well as in a private or public cloud, without opening any inbound service that can be probed by threat actors. There is also no need for any on-prem hardware device to install, patch, and maintain, which avoids scalability issues and performance bottlenecks. Finally, a check on the security posture of the endpoint is enforced before accessing the target application. A smarter and more secure way to provide remote connectivity in the “new normal.”

Stay Safe!