Even legitimate websites can become traps, and small/home offices need to be prepared

Roman Cuprik

One’s personal digital life may be a threat to business. Small offices and home offices need proper prevention. 

Heads of small or home offices most likely know how difficult it is to set boundaries between work and their personal lives. One minute you are doing taxes, and the next, you are browsing the internet looking for leisure-time activities for your family.

With basic cybersecurity knowledge, you probably also know that sometimes you need to be careful out there. Clicking URLs mentioned in unfamiliar emails could bring trouble, and downloading new apps from unknown sources with no background information isn’t a good idea either.

But what if a legitimate website that you or your employees have been regularly visiting gets compromised? How do you secure your cherished small office when a legitimate application you download, or its update, suddenly turns out to be malicious?

ESET researchers have recently discovered such a campaign, which abused several legitimate websites to spread spyware targeting a wide group of users from India, Taiwan, Hong Kong, Australia, and the United States. Facing such elaborate attacks, small offices and home offices need to take a prevention-first approach.

Interesting target

Compared with large enterprises, small offices and home offices do not work with such large amounts of data or money. Unfortunately, this can create the false impression that they are not interesting targets for cybercriminals. But the opposite is true.

Considering the massive numbers of small offices and home offices globally, in combination with their limited budgets for cybersecurity, they make appealing targets for threat actors who aim campaigns at indistinct groups of people or businesses, rather than some corporate giant.

Therefore, it is no surprise that 31% of businesses with fewer than 10 employees surveyed in the UK during the winter of 2022-2023 had experienced a cyberattack or a security breach in the past 12 months.

There are 5.28 million such businesses in the UK, which means that, theoretically, 1.64 million small offices and home offices experienced a cyber incident within a single year.

Multi-staged attacks

ESET researchers discovered a cyberespionage campaign well-suited to paint the picture. Since at least September 2023, cybercriminals have been victimizing Tibetans through a multi-staged attack that combines several techniques in order to install spyware on victims’ devices. Researchers attribute this campaign to the China-aligned Evasive Panda APT group.

Shortly before the 2024 Kagyu Monlam Festival, which is held annually by Tibetan Buddhists in India, cybercriminals abused a website that belongs to the Kagyu International Monlam Trust. Expecting a higher visitor rate ahead of the upcoming festival, the attackers placed a malicious script on the site which showed a fake error page to users. This enticed them to download an “Immediate Fix.” However, the file was in fact a malicious downloader for both Windows and macOS.

The same threat actors also compromised a website belonging to a software development company, based in India, that produces Tibetan language translation software. The attackers placed several trojanized installers there for legitimate software that deployed the same malicious downloaders.

These malicious downloaders were designed to download and install backdoors, which can bypass normal authentication procedures and allow access to a system.

When successful, the downloaders compromised devices with malware capable of receiving commands to collect information about files and running processes and send it to the attackers.

Small offices dealing with big attacks

For average users, these advanced multi-staged attacks will most likely be difficult to spot. It is not hard to imagine a user clicking on a link that is part of a warning message coming from a trusted website. And there is no way for a person to discover that legitimate software they are about to download has been trojanized.

Considering their limited options in such situations, small offices and home offices need to be smart about their safety.

This means protecting your business as much as possible, and leaving the rest to professional tools that can minimize the threat landscape in a way that average Joes cannot.

Here are preemptive measures that businesses can take:

Educate yourself and your employees – Some attacks are difficult to spot, but it does not mean that awareness training is useless. There are plenty of threats in cyberspace that can be easily avoided if you and your employees stay vigilant.

Use strong passwords or passphrases – Minimum length should be 12 characters, with a wide variety of characters: lower- and upper-case letters, special characters, etc. Hard to remember? Switch to passphrases! They are longer, yet easier to remember.

Stay on top of software updates – It is not uncommon for cybercriminals to exploit previously known vulnerabilities simply because users do not update their software.

Split your network into segments – For small offices and home offices, network segmentation does not have to be difficult. For example, use a guest Wi-Fi for devices that only need the internet to operate, then use VLANs to split a network into two segments – private and work.

Back up your data – If everything fails and your systems get compromised, it is essential to have an effective backup strategy to run your business without unnecessary delays. 

Professional protection

By adopting the measures above, you can cover some attack vectors, such as brute-force attacks against passwords or exploitation of known vulnerabilities. But the threat landscape is way bigger.

To cover all small office and home office needs, ESET now delivers its new all-in-one protection, ESET Small Business Security.

ESET Small Business Security offers: 

  • Reliable, easy-to-use security, with a minimum system footprint
  • Multi-OS protection, including Windows, Android, macOS and Windows Server
  • Safe Banking 
  • Safe Browsing
  • Password Manager
  • VPN
  • Ransomware Shield
  • Anti-Theft
  • Botnet Protection
  • Network Inspector
  • Safe Server – Protects company and customer data stored on a file server running Windows Server OS, and automatically scans all inserted USB flash drives, memory cards, and CDs/DVDs
  • Support for up to 25 devices 

The number of features that one person needs to manage may look scary, but do not worry. ESET Small Business Security runs on ESET HOME, a complete security management platform that turns home admin duties into a walk in the park.

Never let your guard down

When average users browse trusted websites or download software from trusted sources, they often let their guard down, and it’s quite understandable. Heads of small offices or home offices already have enough problems just running their businesses and taking care of their families.

With comprehensive solutions, such as ESET Small Business Security, you can be sure that your business is protected, even when facing similar threats.