Spike in Company Compromises Correlates With Lockdowns
At the end of March 2020, researchers detected a spike in the number of firms potentially compromised each week.
"Analysts looking for an increase in the number of compromised IPs or an increase in the number of observed compromises per IP will not see a marked increase," commented Lari Huttunen, senior analyst with Arctic Security.
The researchers believe that these devices were already compromised, but that any malicious activity, such as receiving commands from a C&C, was constrained by the company firewall and other security controls.
Once the device was removed from the office and taken home, outside of the company security perimeter, that constraint was removed, and the compromising malware could receive new instructions from the criminals' C&Cs. Rather than residing inside the company's security perimeter, the device was located outside but connected to the company network by a VPN. "It appears," say the researchers, "as though these computers were already infected before COVID-19, and it seems that malicious connections normally blocked by on-premises security solutions do not work as well, when people are using a VPN to connect into their employers' networks."
The company device, already compromised but constrained while inside the network, is suddenly freed from the internal controls while communicating from outside via a trusted VPN. This suggests that the sudden increase in working from home with VPNs has turned passive network compromises into active network compromises.