While organizations can take plenty of steps to ensure employees are well-equipped to work remotely in a secure manner, threat actors of all stripes are already taking advantage of the COVID19/coronavirus situation. Never ones to miss an opportunity, attackers are ramping up operations to spread malware via Covid19-themed emails, apps, websites and social media. Here’s a breakdown of potential threat vectors and techniques threat actors are using to attack organizations.
How attackers exploit the COVID-19 crisis
1. Phishing emails
Email is and will continue to be the largest threat vector for people and organizations. Cybercriminals have long used world events in phishing campaigns to up their hit rate, and coronavirus is no exception.
Digital Shadows reports that dark web markets are advertising COVID19 phishing kits using a poisoned email attachment disguised as a distribution map of the virus’s outbreak for prices ranging from $200 to $700.
Themes in these emails range from analyst reports specific to certain industries and details of official government health advice to sellers offering facemasks or other information around operations and logistics during these times. Payloads included in these emails range from ransomware and keyloggers to remote access trojans and information stealers.
“Our threat research team has observed numerous COVID-19 malicious email campaigns with many using fear to try and convince potential victims to click,” says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “Criminals have sent waves of emails that have ranged from a dozen to over 200,000 at a time, and the number of campaigns is trending upwards. Initially we were seeing about one campaign a day worldwide, we’re now observing three or four a day.”
DeGrippo says around 70% of the emails Proofpoint’s threat team has uncovered deliver malware with most of the rest aiming to steal victims’ credentials through fake landing pages like Gmail or Office 365. Proofpoint says the cumulative volume of coronavirus-related email lures now represents the greatest collection of attack types united by a single theme the company may have ever seen.
The NCSC and the World Health Organization (WHO), among others, have made public warnings about fraudulent emails purporting to be from official bodies. Various phishing emails claiming to be from the Centers for Disease Control and Prevention (CDC) have been circulating.
BAE Systems reports that threat actors sending out COVID-19-themed emails include the Indian Government-targeting Transparent Tribe (also known as APT36), Russia-linked Sandworm/OlympicDestroyer and Gamaredon groups, and the Chinese-affiliated groups Operation Lagtime and Mustang Panda APTS.
2. Malicious apps
Although Apple has placed limits on COVID19-related apps in its App Store and Google has removed some apps from the Play store, malicious apps can still pose a threat to users. DomainTools uncovered a site that urged users to download an Android app that provides tracking and statistical information about COVID-19, including heatmap visuals. However, the app is actually loaded with an Android-targeting ransomware now known as COVIDLock. The ransom note demands $100 in bitcoin in 48 hours and threatens to erase your contacts, pictures and videos, as well as your phone’s memory. An unlock token has reportedly been discovered.
DomainTools reported the domains associated with COVIDLock were previously used for distributing porn-related malware. “The long run history of that campaign, now looking disabled, suggests that this COVID-19 scam is a new venture and experiment for the actor behind this malware,” said Tarik Saleh, senior security engineer and malware researcher at DomainTools, in a blog post.
Proofpoint also discovered a campaign asking users to donate their computing power a la [email protected] but dedicated to COVID-19 research, only to deliver information-stealing malware delivered via BitBucket.
3. Bad domains
New websites are being quickly spun up to disseminate information relating to the pandemic. However, many of them will also be traps for unsuspecting victims. Recorded Future reports that hundreds of COVID-19-related domains have been registered every day for the last few weeks. Checkpoint suggests COVID-19-related domains are 50% more likely to be malicious than other domains registered in the same period.
The NCSC has reported fake sites are impersonating the US Centers for Disease Control (CDC) and creating domain names similar to the CDC’s web address to request “passwords and bitcoin donations to fund a fake vaccine.”
Reason Security and Malwarebytes have both reported on a COVID-19 infection heat map site that is being used to spread malware. The site is loaded with AZORult malware that will steal credentials, payment card numbers, cookies and other sensitive browser-based data and exfiltrate it to a command-and-control server. It also seeks out cryptocurrency wallets, can take unauthorized screenshots and gather device information from infected machines.
4. Insecure endpoints and end users
With large numbers of employees or even the entire businesses working remotely for an extended time, the risks around endpoints and the people that use them increase. Devices that staff use at home could become more vulnerable if employees fail to update their systems regularly.
Working from home for long periods of time may also encourage users to download shadow applications onto devices or flout policies they would normally follow in the office. Less business travel might reduce the chance of employees having security issues at borders, but it only reduces the threat of connecting to insecure WiFi networks or losing devices if they actually stay at home. Those that do go out to work from cafes — and some probably will — might still be susceptible to theft or loss of devices, or man-in-the-middle attacks.
The International Association of Information Technology Asset Managers recommends that all IT assets being taken home be signed out and tracked, that companies provide policy and advice around how assets be used at home (especially if people are used to sharing devices with family), remind users of policies around connecting to public WiFi, and make sure they continue to update their software as needed.
5. Vulnerabilities at vendors and third parties
Every partner, customer and service provider in your ecosystem is likely going through all the same issues as your organization. Liaise with critical parts of your third-party ecosystem to ensure they are taking measures to secure their remote workforce.
6. Targeting healthcare organizations
In the last few days, the Illinois Public Health website was hit with ransomware, while the Department of Health and Human Services (HHS) suffered an attempted DDoS attack. Healthcare organizations of all shapes and sizes are likely to be under more stress than usual, which may make staff more lax around what they click on.
Opportunistic criminals or those wishing to disrupt operations might be more likely to target the sector. CISOs in or supplying the healthcare sector should remind staff to be vigilant around suspicious links and documents, and ensure their operations are resilient against DDoS attacks.
Security priorities for remote working at scale
Liviu Arsene, global cybersecurity researcher at Bitdefender, recommends that organizations take the following steps to ensure secure and stable remote working:
- Bump up the number of simultaneous VPN connections to accommodate all remote employees.
- Set up and support conferencing software that ensures both a stable voice and video connection.
- Ensure all employees have valid credentials that don’t expire within less than 30 days as changing expired Active Directory credentials can be difficult when remote.
- Send out rules and guidelines regarding accepted applications and collaborative platforms so employees are aware of what is sanctioned and supported and what is not.
- Have gradual rollout procedures for deploying updates, as delivering them all at once to VPN-connected employees could create bandwidth congestions and affect inbound and outbound traffic.
- Enable disk encryption for all endpoints to reduce the risk of data loss on compromised devices.
Copyright © 2020 IDG Communications, Inc.