The Increased Liability of Local In-home Propagation

Today I discuss an attack vector conducive to cross-organizational spread, in-home local propagation. Though often overlooked, this vector is especially relevant today, as many corporate employees remain working from home.

In this post, I contrast in-home local propagation with traditional vectors through which a threat (ransomware in particular) spreads throughout an organization. I discuss the reasons this type of spread is problematic for employees and corporations alike. Finally, I offer simple solutions to mitigate the risk of such tactics.

Why Should IT and Security Stakeholders Care?

Today's long cycle attacks are often reconnoitering the victim environment for weeks, if not months. In this time, the attacker gains a tremendous amount of knowledge about systems in the victim's footprint. This additional loiter time in the victim's environment, coupled with ad-hoc maintained work-from-home environments, presents both an ingress avenue for attacks into their network as well as an egress avenue for attack out of your network into your employees' personal devices.

Contrasting Tactics

• Traditional Spread — For some time in 2020, even with a shift to WFH, ransomware continued to propagate through some of the same vectors it had previously. Spread was common through email, malicious websites, server vulnerabilities, private cloud, and file shares. Often this was sufficient to get the attacker to saturate in the victim's environment. However, prior to our WFH lifestyle, when it came to cross-organizational spread, many of these vectors were largely inapplicable. This leads to a natural containment of an infection to a single organization.

• In-home Local Propagation — Recently, attackers have been jumping zones from their initial corporate victims into adjacent systems, including other endpoints in a victim's home. It isn't 100% clear if this is due to a natural extension of the reconnaissance they are doing as a part of their double-extortion ransom endeavors (where a ransom is demanded to decrypt files and a second ransom is demanded not to leak stolen files), or if this is because they are cluing into the fact that additional victims are meters away.

This jump to physically local systems can be made via traditional propagation vectors, such as open file shares, via local (to the home network) exploitation of vulnerabilities, or via the access points (APs) themselves. Home APs / Routers are often:

• Consumer-grade
• Poorly configured (often with standard/default admin passwords)
• Lacking encryption or any security measures between devices
• And, you can forget about detection and response, as no logs from these devices will be making it back to anybody's SIEM, SOC, nor MDR service provider.

This leaves an opportunity for threat actors to spread via in-home local propagation.

There are a couple of distinct advantages for them doing so.

Infection of employees' personal devices:

• While this could mean another party to potentially fork-over the ransom payment (the employee), the real value in spreading to an employee's personal device is leverage to force or influence the corporate payment. Imagine for a moment that the employee in question is the IT Director, and by encouraging their leadership team to pay the ransom to restore business continuity, that they also believe they could get their family photo album, gaming machine, or spouse's work laptop decrypted.

Infection of third-party corporate devices

• As described above previously, the ways to jump to separate corporate environments were either limited or well-defended. But, with employees across different companies cohabitating (spouses, roommates) or sharing internet access (neighbors) - the next potential corporate victim is just a stepping stone away, likely via a poorly-configured AP/Router at that.

Consequences

• In-home local propagation represents a greater liability for companies facing a ransomware attack, as the victims span corporate and organizational boundaries.
• Furthermore, the ability to mitigate risk is limited, as they are unlikely to have direct control over the network infrastructure of employees working from home. In fact, this separation is vehemently defended by employees themselves, citing privacy concerns - another potential liability for you.

Remediative Steps

To mitigate the risk of in-home local propagation of ransomware (or other nasty malware, for that matter), IT and security teams can consider the following steps:

• Encourage a robust configuration of employee-owned networking devices
• Ensure a sound remote software update capability, to keep client endpoint hygiene at a decent level.
• Identify and remediate vulnerabilities across client endpoints
• Engage in detection and response (threat hunting) activities across your endpoints and environment.

I hope this article has called attention to a vector that is especially relevant in the current landscape. For more information about in-home local propagation, check out our webinar titled the Evolution of Ransomware-as-a-Service and Malware Delivery Mechanisms where I discuss this phenomenon with an expert panel of cybersecurity professionals. Or, to hear more about other developments in ransomware, check out our whitepaper on the Rise of Ransomware-as-a-Service, to which I contributed.

Note — This article is contributed and written by Sean Hittel, Distinguished Security Engineer at ActZero.ai. He has over 20 years of experience in new concept threat protection engine design.

ActZero.ai challenges cybersecurity coverage for small to mid-size enterprises MB and mid-market companies. Their Intelligent MDR provides 24/7 monitoring, protection, and response support that goes well beyond other third-party software solutions. Their teams of data scientists leverage cutting-edge technologies like AI and ML to scale resources, identify vulnerabilities and eliminate more threats in less time. They actively partner with customers to drive security engineering, increase internal efficiencies and effectiveness and, ultimately, build a mature cybersecurity posture. Whether shoring up an existing security strategy or serving as the primary line of defense, ActZero enables business growth by empowering customers to cover more ground.