Article
Risky Business: Securing a Remote Workforce Comes with Its Challenges – but Also Solutions
Arete Analysis
In the past year, businesses around the world have had to fundamentally transform how they work and communicate. And not that work from home is new, but it’s certainly never been done at the current scale. To maintain productivity, organizations have had to move quickly to connect a much broader remote workforce — but often without the necessary polices, technology, and training to ensure security.
Some of the more common issues with trying to secure a remote workforce are:
Remote desktop protocol: To connect remote workers to office systems, organizations can turn on remote desktop protocol (RDP), as it easily allows one computer to connect to another for remote use. The problem, however, is that cybercriminals continue to successfully target RDP exposed to the internet. In fact, remote access is the primary method of intrusion Arete sees in ransomware cases!
As a solution, organizations should consider implementing a virtual private network (VPN) with multifactor authentication (MFA), which allows distributed offices to connect securely.
Social engineering: Social engineering is all about deception. Threat actors try to trick victims into giving out confidential information that they can then use to gain access to other systems or data. For example, they may try to lure users into clicking on a link in an email; or they may call employees, claiming to be tech support and asking for passwords. The key is to remain vigilant. Don’t click on links or open attachments from suspicious sources. And always investigate any requests for money, personal information, or anything of value before handing something over.
Weak passwords: Weak passwords have resulted in many a breach. Organizations can address the issue by mandating complex and unique passphrases for all accounts, implementing password manager tools, and most importantly, implementing MFA wherever possible.
Outdated systems: Outdated software has vulnerabilities and might not be able to withstand an up-to-date attack by cybercriminals. Thus, it’s critical to continually update software and systems — all computers, phones, and tablets — with the latest patches and versions.
It’s the little things that are important. It’s the little things that put you at risk.
The Arete Managed Detection and Response (MDR) team recently helped a client address not only the security challenges above, but also a new one: remote workers’ home network security.
This work-from-home client had disconnected his home Wi-Fi router/firewall and plugged his laptop directly into the modem. A firewall establishes a barrier between a trusted network and an untrusted network, such as the internet. It prevents unauthorized access and inspects traffic to identify and block threats. By directly connecting to the modem and thus, the internet, the client exposed his laptop to scanning and attack.
Fortunately, Arete’s MDR analysts immediately saw threat alerts in their SentinelOne Endpoint Detection and Response (EDR) console. They quickly escalated the issue, locked down the laptop, and contacted the client. Next, they placed the laptop back behind the firewall, helping the client avoid a data breach or ransomware event.
Tips for maintaining home network security
If you are working remotely, there are several steps you can take to secure your home network:
Change the default username and password — on both the login to the router administrative controls and on the Wi-Fi network you join.
Turn on wireless network encryption. We recommend using the WPA3 protocol as it’s the most secure.
Most Wi-Fi routers have a built-in firewall. Check to see that the firewall is turned on.
Disable remote administration. Attackers are using this feature to break into home networks.
Keep the router software and firmware up to date. Manufacturers provide updates with important security fixes.
Have trained and experienced security staff investigate all alerts immediately. A fast response can mean the difference between
an hour of remediation and a full-blown ransomware event.Deploy an EDR solution like SentinelOne on all business endpoints — from servers to remote employee laptops.
Next-generation SentinelOne EDR for optimal protection
Ransomware operators often use polymorphic malware, which can easily evade even the most advanced enterprise antivirus solutions.
For this reason, Arete analysts use the next-generation SentinelOne EDR toolset. Designed to identify, kill, and quarantine any malicious executable found in an environment, SentinelOne relies on behavioral analytics — not common signature-based detection — and acts as a force magnifier for our experienced cybersecurity professionals. Its behavioral artificial intelligence (AI) automatically detects and remediates threats based on how they act and by leveraging dynamic threat intelligence gathered by Arete and SentinelOne analysts.
For more information on how the Arete MDR team can assist you with securing your remote workforce, contact us at MDR_Info@areteir.com.
Back to Blog Posts
Article
Arete's 2026 Q1 Crimeware Report
Harness Arete’s unique data and expertise on extortion and ransomware to inform your response to the evolving threat landscape.
Article
CMS Vulnerability Leads to ClickFix Campaign
Threat actors compromised at least 700 education and technology websites in a recent ClickFix campaign by exploiting a critical SQL injection flaw (CVE-2026-26980) in the Ghost content management system (CMS). Adversaries combined the vulnerability with the ClickFix social engineering tactic to steal admin keys and inject a malicious JavaScript that delivers a fake Cloudflare or CAPTCHA verification pop-up, tricking victims into copying and pasting a malicious command into their systems.
What’s Notable and Unique
Rather than targeting the end user first, this campaign is unique in its initial exploitation of the system, followed by social engineering attempts. This hybrid attack style is likely being leveraged to bypass traditional defenses.
This recent campaign also highlights how trusted web properties can be weaponized at scale and coupled with unpatched CMS vulnerabilities. Rather than using the CMS compromise to perpetrate a single attack, threat actors turned it into a supply-chain attack that ultimately affected over 700 trusted websites.
Analyst Comments
As network defenders and their tools enhance threat detection capabilities, adversaries increasingly seek methods to bypass these defenses. By combining vulnerability exploitation, social engineering techniques, and staging for ancillary attacks, this campaign successfully bypassed traditional defenses and inflicted significant impact. Defending against hybrid cyberattacks requires comprehensive security controls beyond simply patching vulnerabilities. Organizations should focus on limiting movement within the environment, detecting abuse of trusted applications, and preventing end-user manipulation.
Sources
700+ education and tech websites hijacked in huge ClickFix malware campaign
Under the engineering hood: Why Malwarebytes chose WordPress as its CMS
Think before you Click(Fix): Analyzing the ClickFix social engineering technique
Ghost CMS Vulnerability Exploited to Infect 700 Sites With ClickFix Malware
Article
Threat Actors Leverage Fake JPEG Files for Initial Access
In a recent campaign, researchers observed threat actors using fake JPEG image files as a delivery mechanism to initiate the deployment of additional malicious components. The false JPEG files are typically distributed via phishing emails or other social engineering-based lures, and are actually PowerShell-based malware that deploys a trojanized version of ConnectWise ScreenConnect to establish and maintain persistence in the compromised environment.
What’s Notable and Unique
This campaign leverages JPEG images as the initial lure, where the images are not merely decoys but part of the infection workflow. Victims are typically led to download or open an image that triggers hidden execution logic or redirects them to a payload-delivery sequence that initiates later stages of the intrusion chain.
The attack chain is designed to blend into legitimate environments, making detection more difficult. Execution typically relies on scripted or native Windows components, often including PowerShell or other living-off-the-land binaries, enabling fileless or near-fileless execution and reducing forensic artifacts on disk.
The multistage design ensures that the initial JPEG does not directly contain the full payload but instead triggers retrieval or decryption steps that progressively assemble the final malicious components in memory.
Analyst Comments
This campaign illustrates how threat actors continue to blur the line between legitimate file handling and malicious execution chains, indicating potential overlap with remote management or administrative tooling. The use of JPEG-based staging combined with script-based execution reflects a broader evolution toward a stealth-first intrusion design, in which file formats serve as triggers rather than payload containers.
Sources
OPERATION SILENTCANVAS : JPEG BASED MULTISTAGE POWERSHELL INTRUSION
Podcast
Cyber Risk and Insurance for Law Firms
In this episode of Bytes of Insight, host Vinny Sakore is joined by Laura Zaroski, Managing Director of the Law Firms Group at Gallagher, as they discuss the evolution of cyber risk for law firms. Tune in for firsthand insights on how to select the right cyber policy, the incident response process, and the nuances of ransom payments and sensitive data.