Even during the COVID-19 crisis, while the majority of private and government organisations worldwide are braving the fight against this deadly pandemic, an army of hackers is out on its own mission, and there is a huge spurt in the number of malicious cyberattacks on every kind of organisation – from healthcare to government to ecommerce to banking and so on.
Throwing all aspects of ethics out of the window, cybercriminals have chosen to exploit the fear and anxiety presented by the crisis to their advantage. While we hope to overcome COVID-19 someday for sure, it has been proved that we will never be able to suppress the creativity of cyber attackers.
Online threats have gone up as much as six times over the past four weeks as the COVID-19 pandemic provides a new playing field for cyberattacks, according to Cloudflare.
According to a recent report by Lookout Security, the rate at which people fall for phishing attacks on mobile devices has increased by 85% since 2011. Malware and links can easily be masked as legitimate, so it is crucial for people to be vigilant while working alone. Lookout explains the five links in the mobile phishing kill chain in the following infographic:
Phishing is the number one cybersecurity risk globally, says Lookout, and right now phishing is playing havoc with both enterprise and non-enterprise users. Phishing attempts have soared by over 600% since the end of February, including traditional impersonation scams as well as business email compromise (BEC) and extortion attacks, says Barracuda Networks.
While the lockdown has confined most of the global working population to their homes and forced ‘work from home’ on everyone, newly crafted exploits have emerged there as well. A recent Check Point Software and Dimensional Research survey shows that 71% of IT and security professionals globally report an increase in security threats and attacks since the Coronavirus outbreak started. Cybercriminals seek to exploit the explosion in remote working.
The key findings from the survey of over 400 IT and security professionals globally were as follows:
- Coronavirus-related attacks ramp up – 71% of security professionals reported an increase in security threats or attacks since the beginning of the Coronavirus outbreak. The leading threat cited was phishing attempts (cited by 55% of respondents), followed by malicious websites claiming to offer information or advice about the pandemic (32%), and then by increases in malware (28%) and ransomware (19%).
- Challenges of managing remote working increase – 95% of respondents said they are facing added IT security challenges due to the spread of the Coronavirus. The three leading challenges were provision of secure remote access for employees (cited by 56%), the need for scalable remote access solutions (55%) and employees working from home using shadow IT solutions – untested software, tools and services (47%).
- Security concerns over the coming months – 61% of respondents were concerned about the security risks of having to make rapid changes to enable remote working, and 55% felt that remote access security needed improving. 49% are concerned about the need to scale up endpoint security.
The attackers also want to make a quick buck. So, what is their best bet? Ransomware, it seems.
New Kaspersky research reveals that employees across all industries lack basic knowledge of the increasingly common cyberthreat known as ransomware. 45% of business employee respondents in North America (U.S. and Canada) said they would not know the proper steps to take in response to a ransomware attack at work.
So much so that Interpol, the global law-enforcement agency, has issued a ‘purple notice’ to alert police forces across the globe to an increasing number of ransomware attacks targeting the healthcare sector during the COVID-19 crisis. “Ransomware groups are currently targeting hospitals and medical organisations in effort to lock the system admins out of the critical IT systems they need to fight the Covid-19 outbreak,” says Interpol.
Interpol’s Cybercrime Threat Response team at its Cyber Fusion Centre has detected a significant increase in the number of attempted ransomware attacks against key organisations and infrastructure engaged in the virus response.
India’s CERT-IN also issued a strong advisory on Coronavirus (COVID-19) based cyberattacks on 23 March. “The threat actors are taking advantage of victims increased craving for information about the COVID-19 due to fear and uncertainty associated with it as the outbreak of disease is progressing worldwide,” it said.
The threat actors are:
- Using legitimate corporate branding in the name of COVID-19 to send malware to victims
- Using the names of trusted organisations in phishing attacks in order to gain credibility and to lure victims into opening attachments
- Using promotional codes
- Using Corona Virus maps
- Using “COVID-19” as a discount code, with different hacking groups promoting their goods (malware or exploit tools) for financial gain on the dark net
- Delivering a Trojan via an Android app that lures victims by offering a Corona Virus safety mask upon installation
- Distributing a Corona Virus tracker app that takes over access to the Android microphone and camera once installed.
Globally, thousands of coronavirus-themed websites are being set up daily, many of them obviously malicious. A fake WHO website was spotted that had been used in an attempt to steal passwords from multiple agency staff. While ‘DarkHotel’ – a targeted spear-phishing spyware and malware-spreading campaign – is said to be responsible for the cyberattack on the WHO, the same malicious web infrastructure has also been used to target other healthcare and humanitarian organisations during this crisis.
News reports described a COVID-19 vaccine test centre being hit on March 14th and a Paris hospital suffering a hack on March 22nd. Due to the sudden forced shift to remote working, most organisations are facing exactly the cybersecurity issue the industry has long been aware of and has continually warned against: accessing corporate networks from less secure home networks. That has given hackers a great chance to exploit vulnerabilities. And even organisations with sturdy business continuity plans and asset management planning are facing more breaches, hacks and data thefts out there in the wild, almost beyond their control.
COVID-19 themed phishing scams have been on the rise since January 2020, taking advantage of the fear arising out of the crisis. The attacks have increased ever since, and industry analysts say the worst is yet to hit us.
Another much-exploited vulnerable area is endpoints. Data suggests that as many as 42% of endpoints remain unprotected at any given point in time. That is a wide-open attack surface, to the amusement of attackers – perhaps the weakest link in the security chain.
To enable communication and collaboration among workers and business teams, most corporations today rely on video/tele-conferencing apps and tools – the virtual meeting tools. As a result, there has been a huge spurt in the number of users of these apps.
Threat Post recently published an article titled “Beyond Zoom: How Safe Are Slack and Other Collaboration Apps?” “As the corona pandemic continues to worsen, remote-collaboration platforms – now fixtures in many workers’ ‘new normal’ – are facing more scrutiny. Popular app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention,” it reads. According to a HackerOne bug bounty report, an HTTP request smuggling bug was used, in a proof-of-concept, to force open redirects within Slack, leading users to a rogue client outfitted with Slack domain cookies. When victims attached to the malicious client, their session cookies could be harvested and later used to take over accounts. The attack could also be automated, writes the Threat Post report.
Cybersecurity company Check Point found malicious files with names crafted to make them appear to be bona fide Zoom and Microsoft Teams applications, but which install the InstallCore program. InstallCore is classified as a potentially unwanted application (PUA) threat, which can be used to install adware and malicious applications.
More than 1700 new domains containing the name “zoom” are said to have been registered since the beginning of the year, a quarter of them in the last week alone, said Check Point. What is more alarming is that 4% of these newly registered domains have malicious characteristics.
Another industry that has gone remote/virtual in a big way is education, and malicious hackers know that well. Homebound students are attending classes in record numbers via online platforms, e-learning environments and video conferencing, giving threat actors a perfect ground to exploit.
In a recent public service announcement, the FBI’s Internet Crime Complaint Center (IC3) warned that attackers could take advantage of COVID-19 by increasingly targeting virtual environments, including those used by school districts. Google’s official classroom.google.com web-based educational tool has been targeted by phishers registering deceptive domains like googieclassrom.com.
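The “zoom”-themed registrations and the googieclassrom.com lookalike above are the kind of thing a defender can screen newly seen domains for. The following is an added example, not code from the article or from any vendor it cites; the brand list, confusable table and sample domains are constructed for illustration, and it assumes single-label public suffixes (co.uk-style suffixes are not handled):

```python
import re
from difflib import SequenceMatcher

# Brands the article names as impersonation targets (constructed, not exhaustive).
BRANDS = ("zoom", "classroom", "google", "teams", "slack")

# Visual look-alike substitutions seen in deceptive domains (e.g. "googie" for "google").
# Multi-character pairs are folded first, then single characters.
_MULTI = (("rn", "m"), ("vv", "w"))
_SINGLE = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def fold_confusables(label: str) -> str:
    """Normalise a label so visually similar spellings compare equal."""
    s = label.lower()
    for src, dst in _MULTI:
        s = s.replace(src, dst)
    s = s.translate(_SINGLE)
    return re.sub(r"[^a-z0-9]", "", s)  # drop hyphens and other separators


def registrable_label(domain: str) -> str:
    """Second-level label of a hostname ('googieclassrom' for googieclassrom.com)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def _window_similarity(text: str, target: str) -> float:
    """Best similarity between target and any substring of text of nearby length."""
    n, best = len(target), 0.0
    for width in (n - 1, n, n + 1):
        for i in range(max(1, len(text) - width + 1)):
            best = max(best, SequenceMatcher(None, text[i:i + width], target).ratio())
    return best


def lookalike_findings(domain: str, brands=BRANDS, threshold: float = 0.8) -> list:
    """Return reasons a domain looks like brand impersonation (empty list = no finding)."""
    label = registrable_label(domain)
    folded = fold_confusables(label)
    findings = []
    for brand in brands:
        fb = fold_confusables(brand)
        if label == brand:
            continue  # the brand's own label, nothing to flag
        if folded == fb:
            findings.append(f"{brand}: confusable spelling of the brand label")
        elif fb in folded:
            findings.append(f"{brand}: brand name embedded in label")
        elif _window_similarity(folded, fb) >= threshold:
            findings.append(f"{brand}: near-miss spelling of the brand")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's deceptive domain, two constructed lookalikes, two legitimate hosts.
    for d in ("googieclassrom.com", "z00m-us-meeting.com", "zoom.us", "classroom.google.com", "example.com"):
        print(d, "->", lookalike_findings(d) or "no finding")
```

A hit is a triage signal, not proof: feed flagged domains into registration-date and hosting checks before blocking, since legitimate third parties also register brand-adjacent names.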
These are testing times for the pharmaceutical and medical devices industry. Masks, ventilators, personal protective equipment (PPE) and other medicines are the lifeblood and the only hope for a human race challenged by the outbreak. There has been a rise in reports of counterfeit face masks, an early tactic likely employed by threat actors as demand for medical supplies goes up. As the need for ventilators has gone up significantly to support patients affected by the virus, the pharmaceutical and medical devices industries have a greater chance of being adversely impacted by malicious cyber attackers. Reports suggest that these organisations have already been targeted by the TA505 threat group in spear-phishing campaigns that leveraged COVID-19 themed phishing lures.
In all, while these are not good times for humanity and we are living on the long rope of hope to survive this crisis, most cybercriminals (barring a few) have decided to make a killing from the situation. Industry needs to be more aware than usual so as not to let the attackers run riot and have a field day.