COVID-19 & Cyber Threats Report

As the ongoing COVID-19 (Coronavirus) pandemic spreads around the world, the unprecedented and evolving global situation has created numerous opportunities for threat actors to leverage the worldwide concern and anxiety in their nefarious campaigns.

Cyberint Research is closely monitoring the cyber threats leveraging COVID-19 pandemic. As part of those activities, our team compiled a summary addressing the initial activities we detected.

Highlights

As we all adapt and change the ways in which we work, shop, travel and interact with various services, those changes may stay in effect for months or years – to come – if not forever. These changes bring new cyber challenges.

Dramatic changes in customer demand and behavior are putting organizations under stress: aside from the need to maintain continuity of service and protecting both customers and employees, supporting security business operations will be at the forefront of many executives’ minds to prevent disruptions and avoid financial challenges. Those that are ill-prepared, in the face of demand surges and resource shortages eventually risk disengaging customers with any service failures or shortcomings.

Combined with exponential growth in cloud, web and mobile applications and digital-based collaboration, this global pandemic serves as an unfortunate ideal foundation to create a cybersecurity perfect storm.

With many organizations being faced with the impacts of COVID-19, such as a reduced workforce and the need to support remote working at scale, either voluntary or in response to government movement restrictions, this report seeks to summarize the nature of the attacks observed thus far to allow organizations to be better prepared in protecting themselves and their employees, in addition to families and friends, in the coming weeks and months.

Key Findings

• Cybercriminals and nation-state threat actors are exploiting COVID-19 via thematic lures leading to malicious payloads and links,
• Off-the-shelf attack kits mimicking a COVID-19 case map available for sale on the deep/dark web,
• Ransomware threats continue with a health authority becoming victim,
• Potentially fraudulent sales of hard-to-obtain products exploiting the global situation,
• Fake news and misinformation is used to potentially cause panic and civil unrest in specific regions

Cyberint Recommendations

Raise employees’ pandemic and cybersecurity situational awareness

Given the high potential for both misinformation and nefarious websites seeking to capitalize on this situation, those seeking medical or official advice should always refer to recognized sources such as the World Health Organization (WHO) and/or regional government websites.

Generally speaking, employees should be advised to exercise extreme caution in handling any emails with a COVID-19-related subject, attachment, or hyperlinks, just as to be wary of social media, texts, or unsolicited calls related to this issue. Furthermore, organizations should be suspicious of any domains, especially those that are newly registered and with low reputation, that include keywords related to COVID-19 and Coronavirus as threat actors will often try to capitalize on themes and misspellings of legitimate websites to host threats and exploit misdirected visitors.

Assess and update your cybersecurity policy to address scale of remote workers 

Strong security policies may already exist, but it is important to review them and ensure they are adequate as your organization transitions to having more people working from home than in an office. It is also important to address the increase and challenges of the shadow IT and cloud technology-based solutions and services in use.

Ensure you have full visibility of verified threats; have zero tolerance to non-relevant alerts

With employees potentially using more personal devices as they work from home, may lead to poor cybersecurity hygiene. Employees working from home can result in an organization losing visibility over devices, expanding the amount of potential entry points for threat actors through misconfigurations, outdated or unpatched software and more.

Practice good cybersecurity hygiene, and communications 

Cybersecurity hygiene doesn’t stop when you leave the office, employees should be reminded to adhere to security policies, procedures and practices both in and out of their common workplace. Additionally, employees should be reminded of the need to protect corporate data, particularly as it becomes more difficult for organizations to control who has access to what and where it is being stored. Whilst employees undoubtedly trust their families and housemates, data should still be accessed in an appropriate and secure manner, as well as being secured when unattended.

Furthermore, whilst organizations should ensure that employees can work effectively, the installation of unsanctioned or unapproved software should be discouraged, especially as many may seek to install messaging applications or apps claiming to provide COVID-19 information. Threat actors will capitalize on this situation and undoubtedly target applications of this nature, either to exploitation application vulnerabilities, or to distribute weaponized versions. As is the norm, applications installed on corporate assets should likely be assessed and approved by IT and security teams to ensure that these do not introduce vulnerabilities or expose employees and corporate data to unnecessary risk.

Now more than ever – Act on intelligence to reduce dwell time and impact on your business continuity

In addition to staying informed on public health and safety issues, organizations should keep abreast of cyber threats to ensure that any developments are understood. Whilst the theme may have changed, most threat actors continue to utilize the same tried and tested tactics, techniques and procedures (TTP) in their campaigns. That being said, whilst TTP such as phishing emails and document lures may continue, threat actors will attempt to shift to targeting individuals that may be working remotely rather than attempting to compromise an organization’s infrastructure directly.