The spread of the coronavirus has brought with it new cyber-risks for organizations to manage. Phil Muncaster finds out more
Few of us have seen anything like this before. At the time of writing, COVID-19, the disease caused by a new coronavirus first identified in China, has infected more than 2.4 million people around the world and killed over 165,000. These figures will be far higher by the time you read this, and may still be on the rise as urgent and decisive action is taken by global governments. However, for IT security teams, there’s another threat: cyber-criminals are past masters at using global news events to further their own agendas, and they don’t get much bigger than a virus pandemic.
With businesses rapidly forced to support remote working, a new epidemic is sweeping the globe – this time targeting unsecured home machines, distracted workers and understaffed IT teams. Tackling it will require the usual mix of people, process and technology. Given many industries are already losing money, the last thing they need is to haemorrhage more of it dealing with serious security breaches.
Tried and Tested
The majority of threats are arriving via email, as is usually the case. Of the 52 billion cyber-threats Trend Micro blocked last year, 91% were launched via email. However, what marks out COVID-19 phishing attacks is the sheer volume being sent in a short space of time. According to Proofpoint, these now represent “the greatest collection of attack types united by a single theme that our team has seen in years, if not ever.”
They’re aimed at exploiting two things: the public’s appetite for more information on the pandemic, and the fact that a huge number of employees are now working from home, where cybersecurity protection may be less than enterprise-grade and users may be more distracted. Many phishing emails purport to come from trusted organizations such as the US Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). They may claim to offer more information on the spread of the outbreak, tips on staying safe, and even information on a potential vaccine, if the user clicks through or opens attachments.
Others are more insidious still. One campaign, spotted by Proofpoint, spoofs disease research project Folding@home. When victims click through to download an official app in a bid to help find a cure for COVID-19, all they do is install a new info-stealer dubbed RedLine Stealer.
Often, the phishers are after corporate log-ins, Mimecast head of data science Kiri Addison tells Infosecurity.
“Since the coronavirus situation has progressed, with employees being advised or forced to work from home, Mimecast researchers have observed multiple phishing campaigns attempting to take advantage of the uncertainty around this situation,” she adds. “Typically the threat actors will aim to spoof an employee’s organization in order to add legitimacy to the emails and increase the chances of interaction with malicious links or attachments.”
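As an added illustration (not code from the article or from any vendor quoted in it), the check below applies the two patterns described above to a constructed message: a display name that borrows a trusted body such as the WHO or CDC, or the employee's own organization, while the actual sender domain is someone else's, plus a pandemic-themed subject line. The brand-to-domain table and the `org_domain` parameter are assumptions for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Bodies the article says are being impersonated, mapped to the domain they
# really send from (constructed table for illustration, not an authoritative list).
IMPERSONATED_BRANDS = {
    "world health organization": "who.int",
    "who": "who.int",
    "centers for disease control": "cdc.gov",
    "cdc": "cdc.gov",
}
COVID_LURE_TERMS = ("covid", "coronavirus", "vaccine", "quarantine", "outbreak")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def check_message(raw, org_domain):
    """Return a list of findings for one RFC 5322 message; empty means nothing odd.
    org_domain is the receiving organization's own domain (assumed parameter)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    name, sender = name.lower(), _domain(addr)
    findings = []
    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in COVID_LURE_TERMS):
        findings.append("covid-themed subject")
    # Display name claims a trusted body, but the sender domain is not theirs.
    for brand, real in IMPERSONATED_BRANDS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name) and \
                sender != real and not sender.endswith("." + real):
            findings.append(f"display name claims {brand!r} but sender domain is {sender}")
            break
    # Display name borrows the employee's own organization (first DNS label).
    org_label = org_domain.split(".")[0].lower()
    if org_label in name and sender != org_domain:
        findings.append(f"display name borrows {org_label!r} but sender domain is {sender}")
    # A Reply-To on another domain is a common way to harvest the victim's replies.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender}")
    return findings


# Constructed sample lure in the style the article describes.
SAMPLE_LURE = """\
From: World Health Organization <alerts@who-updates.example>
Reply-To: claims@mailer.example
Subject: COVID-19 vaccine guidance for all staff

Open the attached guidance.
"""
```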
Raising the Stakes
However, ransomware is another potential end goal, raising the stakes further for enterprise IT security teams – especially those in vulnerable sectors.
“A major threat actor, TA505, the group behind the Locky ransomware, has recently used coronavirus lures to deliver downloaders. We have also separately seen coronavirus-themed emails targeting healthcare organizations that use downloaders and demand Bitcoin payments,” Proofpoint senior director of threat research and detection, Sherrod DeGrippo, tells Infosecurity.
“While downloaders aren’t ransomware, they’re typically seen as a first stage payload before ransomware is later downloaded and installed on the victim machine as either second or later stage payload.”
The vendor has even seen Business Email Compromise (BEC) attempts. Here, scammers are taking advantage of a newly distributed, distracted workforce and the fact finance team members may not be easily able to check with colleagues about the validity of a money transfer request.
Nation-state attackers are also leveraging the huge public awareness of the pandemic to improve success rates for their spear-phishing-based cyber-espionage campaigns. FireEye has warned that targets in a wide variety of sectors will continue to be bombarded with phishing lures revolving around medical updates, government announcements, economic repercussions, deaths of high-profile individuals and civil disturbances.
They’re not just using the pandemic in phishing attacks. In one noteworthy incident, the US Health and Human Services Department was hit by a DDoS attack said to be linked to a state-sponsored attempt to spread misinformation about a national quarantine by text, email and social media.
Stretched to the Limit
Raids like the above highlight another risk for organizations: that they will be bombarded with cyber-threats at exactly the time they are at their weakest, with security teams trying to mobilize remote working efforts whilst colleagues are potentially off sick.
Already, reports have emerged of what appears to be a ransomware attack on Brno University Hospital in the Czech Republic, one of the country’s largest COVID-19 testing facilities.
“There is a tremendous amount of confusion, change and anxiety happening at a global level. This is the perfect environment for cyber-criminals to take advantage of others and trick people into doing things they should not do,” SANS Institute director of security awareness, Lance Spitzner, tells Infosecurity. “So are hospitals at greater risk from ransomware? Yes, but so is every other industry, and it’s not just ransomware but almost any social engineering-based attack.”
Bearing out Spitzner’s comments, Otterbein University in Ohio was also struck by ransomware recently, just as it was ramping up provisions to teach its students remotely.
According to Respond Software CEO, Michael Armistead, COVID-19 is putting security teams under tremendous pressure: not only do they have to secure home workers, but many of them are forced to work from home themselves. This is compounded by a chronic skills shortage that sees many organizations under-staffed in the first place, and the risk of more calling in sick with the virus.
“Most organizations are faced with an exploding amount of data that far outstrips their capacity to handle. Why? Most security processes are centered around people – for good reason. People are needed to connect the dots during cybersecurity investigations to figure out what is worth pursuing and what is a dead end and then take action accordingly,” he tells Infosecurity.
“However, it’s well documented that the industry faces a huge shortage in these skilled personnel. The COVID-19 pandemic both amplifies that and makes this challenge acute.”
Help is at Hand
Fortunately, there are resources to hand for organizations struggling to push back against this tsunami of cyber-risk. The UK’s National Cyber Security Centre (NCSC) has produced a guide to secure home working, and several security vendors, including Trend Micro, SentinelOne, Emsisoft and Coveware, are offering free protection for organizations for a limited period.
The dangers posed by many COVID-19 threats are perhaps most acute for those organizations not used to supporting remote workers. A study of 700,000 global employees by Leesman found that over half (52%) have no home working experience, rising to 60% in aviation, aerospace and defense industries. Unsurprisingly, the tech sector was best prepared, with just 37% of respondents in these roles having had no such experience.
The SANS Institute has also been at work, producing a Security Awareness Work-from-Home Deployment Kit to help organizations rapidly transition to new distributed ways of working. It highlights three main risks to remote employees: social engineering, weak passwords and unpatched machines. Organizations need to tackle these through training, technology and processes, the kit suggests, while ensuring workers have an online forum where they can have their questions answered and report incidents in real time.
Proofpoint’s DeGrippo recommends layered defenses at the network edge, email gateway, in the cloud and at the endpoint, alongside continuous user training and tighter access controls, especially for VPNs.
“I strongly suggest that IT security teams provide clear guidance, on a repeat basis, to their workforce on best practices for remote working because we are in a different landscape,” she says.
While COVID-19 will eventually fade away, the experience will at least hopefully prepare CISOs for the next time the landscape shifts in this dramatic fashion.