Cyber Risk & COVID-19 Update 26 March
The global Coronavirus epidemic impacts economies worldwide, creating a new reality in which many employees are working from home, forcing organizations to allow mass remote connections to internal work resources.
Below is information collated from a number of sources, sharing updated insights on how threat actors are maliciously exploiting this situation, together with some suggested best practices for all organisations.
CYNET has identified two main trends:
1. Attempts to capture employees' remote login credentials
2. Weaponized emails.
Employee Remote Credentials
While the threat data is taken from CYNET's installed base in Italy, the events of the last several weeks show that other countries will soon follow suit as the Coronavirus continues to spread.
The rationale behind the increase in these attacks is simple: mass working over remote connections means mass remote login activity, mostly from personal, poorly secured machines and from user accounts that have never logged in remotely before, which makes remote login credentials an easy target for attackers.
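As an added illustration (not part of the original update or of CYNET's tooling), the following Python script runs over constructed remote-access log lines and flags the two patterns the rationale above implies defenders should watch for: an account's first ever successful remote login, and a success that follows a burst of failures. The log format, field names and sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN gateway log lines (assumed format); not real data.
SAMPLE_LOGS = """\
2020-03-16T08:02:10Z user=alice src=203.0.113.10 result=success
2020-03-16T08:05:42Z user=bob src=198.51.100.7 result=success
2020-03-17T22:14:03Z user=carol src=192.0.2.44 result=failure
2020-03-17T22:14:09Z user=carol src=192.0.2.44 result=failure
2020-03-17T22:14:15Z user=carol src=192.0.2.44 result=failure
2020-03-17T22:14:21Z user=carol src=192.0.2.44 result=success
2020-03-18T09:30:00Z user=alice src=203.0.113.10 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$")

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d

def find_suspicious_logins(log_text, known_remote_users=frozenset(),
                           fail_window=timedelta(minutes=5), fail_threshold=3):
    """Flag first-time remote logins and successes preceded by >= fail_threshold failures within fail_window."""
    seen = set(known_remote_users)          # accounts with an established remote-login history
    recent_failures = defaultdict(list)     # user -> timestamps of failures since last success
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        reasons = []
        if user not in seen:
            reasons.append("first_remote_login")
        fails = [t for t in recent_failures[user] if ts - t <= fail_window]
        if len(fails) >= fail_threshold:
            reasons.append("success_after_%d_failures" % len(fails))
        recent_failures[user] = []          # a success resets the failure burst
        seen.add(user)
        if reasons:
            alerts.append((user, ev["src"], ts.isoformat(), reasons))
    return alerts
```

Seeding `known_remote_users` from the pre-pandemic login history keeps established remote workers from being flagged, so alerts concentrate on accounts that are new to remote access.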
The following chart shows the spike in Phishing attacks in Italy over the last month in comparison with other territories:
Weaponized Email Attacks
Working from home typically takes place on personal devices, which in most cases lack protection. The following graph from CYNET shows a spike in weaponized email attacks:
Separately, we have already seen attempted breaches (not yet fully characterised at the time of writing) of the US Government's Department of Health and Human Services, potentially seeking healthcare and infection rate information. Although apparently nothing was stolen, it is a good reminder that healthcare PHI and PII remain high-value targets for both nation-states and cyber criminals, and a prime asset for attackers to lock up in a ransomware attack.
Aside from the government attack, there have been several other campaigns launched to attempt to steal both corporate and personal information using the virus as a “hook”:
1. Attackers have “adopted” the Johns Hopkins COVID-19 infection rate map and laced it with suspicious malware, waiting for an anxious person looking for information to click on the map.
2. Multiple instances of ransomware attacks built around fake statements regarding the spread of coronavirus in other countries. One recent report noted, "One of the most recent coronavirus hoaxes to come to light is an Android app available at coronavirusapp[.]site. It claims to provide access to a map that provides real-time virus-tracking and information, including heat map visuals and statistics. In fact, a researcher from Domain Tools said, the app is laced with ransomware."
3. There has even been one ransomware attack against a Czech Republic hospital treating COVID-19 infected patients.
4. Multiple COVID-19 phishing scams are circulating that seek to steal your information. Some of the more severe (and deceptive) include:
a. Sites that are seeking charitable donations for COVID-19 patients
b. Sites that are imitating the World Health Organization, or other ministries of health around the globe offering updates on the virus (these are likely nation-state instigated)
c. Emails allegedly coming from colleges and universities offering students information on how the virus is affecting classes and student housing
Finally, BAE Systems summarizes the APTs that are known to be using COVID-19-themed phishing lures to deliver various strains of malware. The threat actors include the Russia-aligned groups Sandworm and Gamaredon, the China-linked campaigns Operation LagTime and Mustang Panda, and the Pakistan-associated Transparent Tribe. Parties unknown have been impersonating the US Centers for Disease Control, pushing the Remcos RAT.
Some ransomware operators pledge to refrain from targeting healthcare organisations.
This might sound unbelievable, but BleepingComputer contacted the operators of several prevalent ransomware strains, including Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako, and asked them whether they would keep targeting healthcare organizations during the coronavirus pandemic.
Thus far, only DoppelPaymer and Maze have responded. DoppelPaymer's operators stated that they don't intentionally target medical facilities anyway, but they reassured BleepingComputer that they'll continue to avoid these organizations during the pandemic (although they added that the pharmaceutical industry is still in their crosshairs).
The Maze operators stated that they will "also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus." The Register is skeptical about these claims, saying that "a threat analyst from Emsisoft contacted us to note that Maze's operators had announced just a few days ago that it had hit a medical research company in London."
It would be naive to take the gangs' promises of good behaviour at face value, as convincing as some of the avowals may sound. But if there is a wave of (relatively) good behaviour, Forbes probably has the best explanation: the restraint isn't a matter of honour or sympathy, still less of public spirit. It's a matter of self-preservation: the gangs think that during the pandemic law enforcement will pursue and prosecute them ruthlessly if ransomware gets into hospital systems.
TIPS
Companies should consider sending a security reminder or bulletin to personnel to remain vigilant against potential cyber-attacks and scams by:
1. Not clicking on links or opening attachments contained in unsolicited emails
2. Using trusted sources, such as hospitals and government websites, to obtain up-to-date, fact-based information about COVID-19
3. Not providing personal or financial information when responding to online solicitations
4. Considering whether a managed service provider might help in this time of dwindling employee resources. If your IT employees get sick, who will be watching the network? An MSP can provide a valuable backup to any organization's cybersecurity incident response plan.
Employees, like everyone else, may be susceptible to targeted phishing, fraud and other cybercriminal activity that plays on their interest in or concern about COVID-19. While the messaging used to entice individuals to click malicious links may be COVID-19 themed, the methods used to execute these attacks remain largely the same. Companies can put this heightened attention to COVID-19 to good use in security awareness by alerting employees, contractors and others to these risks.