Cyber security company Dragos was breached last month when attackers intercepted the onboarding email sent to a new employee’s personal email address, raising fresh alarms about the expanded attack surface created by remote work.

Within 45 seconds of logging in and pretending to be a new Dragos staff member, the cyber criminals began downloading data from the company’s SharePoint and contract management system, snaring 25 client reports including one that contained a list of associated IP addresses.

The attackers stayed undetected in Dragos’s systems for at least 11 hours, trying unsuccessfully to log into the company’s financial, marketing, and procurement systems.

According to a blog post about the incident, the company’s use of role-based access controls and layered security stopped the compromised new employee account from accessing other systems, escalating privileges, or changing any internal infrastructure.

“After they failed to gain control of a Dragos system and deploy ransomware, [the group] pivoted to attempting to extort Dragos to avoid public disclosure,” the company said.

Once extortion messages arrived, Dragos knew what was up and they disabled the account of the new employee and revoked all active sessions.

Desperate for a payoff, the group sent aggressive WhatsApp messages to employees saying they had “everything” on the company.

Dragos executives chose not to engage with the extortionists who sent increasingly threatening messages that included the names of family members of Dragos executives.

“The data that was lost, and likely to be made public because we chose not to pay the extortion, is regrettable,” Dragos said.

“However, it is our hope that highlighting the methods of the adversary will help others consider additional defences against these approaches so that they do not become a victim to similar efforts.”

The company said it has added “an additional verification step to further harden our onboarding process” to make sure similar breaches don’t happen again.

Remote work expands attack surface

Dragos isn’t the only company to publicly attribute security incidents to remote work policies.

When password manager LastPass got hacked last year – leading to backups of encrypted customer password vaults being accessed by attackers – it was the fault of a remote worker using their PC.

The DevOps engineer used an out-of-date version of Plex Media Server that had a known vulnerability which hackers used to install a keylogger on their account, leading them to compromise the engineer’s corporate LastPass vault and access AWS decryption keys.

Levi Gundert is Chief Security Officer for threat intelligence firm Recorded Future. He told Information Age that remote work is “a real risk” that more organisations need to keep in mind.

“Adversaries are keenly aware that the nature of how we work is really changing,” Gundert said.

“Fundamentally, the attack surface has broadened and a lot of that was accelerated because of COVID where companies were speeding up their digitalisation strategies.

“Instead of taking two years to implement, they took two months – or in some cases two weeks – to roll out major changes for hybrid work.”

The problem is a complex one, Gundert said, as highlighted by the fact that even dedicated security firms can get caught out.

He added it was also important for organisations to manage their third-party risk.

The recent Latitude Financial breach, which saw over 100,000 copies of customer driver licences exposed, was a failure to adequately manage the risk of third-party providers that held the sensitive information.

“When you think about how we work, and how most of our workflow is very SaaS [software-as-a-service] driven, think about how many different companies are embedded into employees’ web browsers,” Gundert said.

“That’s very challenging to manage and I think that’s universal.”