Without wanting to make sweeping generalizations, some hackers can be extremely opportunistic and thoughtless in their attacks. The world is their metaphorical oyster, as they turn global events into personal gain, disruption and protest. The rule book on ethics might as well be thrown out of the window – everyone and everything is fair game.
As the COVID-19 pandemic continues to spread worldwide, cyber threat actors are capitalizing on the global health crisis by creating malware or launching attacks with a coronavirus theme. As citizens become vulnerable to both physical and virtual threats, the dark underbelly of the cybercrime industry is exposed for all to see. Yet the exploitative behavior by this ecosystem is only one part of a bigger cybersecurity picture – a picture that will irreparably change shape and form once the coronavirus has been thwarted.
At Orange Cyberdefense, we recently created a downloadable whitepaper pooling our knowledge, insights and experience regarding cybersecurity in the heat of the current COVID-19 crisis, and the cool-down period in the post-COVID-19 world. In this six-part blog series, we break down the intelligence from that whitepaper into digestible chunks. Part one – which you’re reading right now – reflects on the situation as we see it right now, including some of the creative threats that cybercriminals have crafted to try and capitalize on a world in crisis. Let’s delve deeper.
As of March 25th 2020, around 20% of the global population was under coronavirus lockdown. This bred a desperate desire for accurate news and information on the pandemic, amid a hazy mist of fear, urgency and uncertainty for citizens around the world. Conversely, cybercriminals have been presented with the perfect lure for all manner of attacks, including phishing, business email compromise (BEC), watering holes, and much more. Like a Russian doll, we see a cybersecurity crisis emerge from a global health pandemic; a cyber crisis that reveals many complex layers and nuances each time we peel one of them back.
Our CERT team did a little bit of digging into the proliferation of COVID-19 related attacks as the pandemic worsened. In the week prior to the 26th March, 8900 new DNS domains related to the terms ‘corona-virus’, ‘covid-19’ and ‘ncov’ were registered – more than double when compared to the previous week. During that same week, our customers also reported more than 600 potentially fraudulent emails, 10% of which proved to be malicious. The number of emails validated as malicious was four times higher than the previous week.
It was clear from our research that, as the global health crisis worsened, and news outlets reported on country-by-country progress, hackers were tapping into the need for clarity and resolve amongst citizens. And so, their methods of deception became ever more creative, disguising their communications as official sources and authorities to get citizens to bite. Here are a few examples.
The “Live Coronavirus Data Map” from the John Hopkins Center for Systems Science and Engineering (CSSE) was used as a lure to spread malware via watering hole attacks. What’s more, links have been sent to some Android phones (typically via SMS or watering hole websites), promising an app tracking coronavirus. However, once the application is downloaded, people suspected to be operating from Libya can watch through the smartphone camera, have access to text messages or listen through the microphone. The malware identified would be a customized version of SpyMax, commercial spyware that can be acquired very easily online for free.
As to be expected with an influx of employees globally working from home, hackers have started targeting home IT systems, and specifically vulnerable home routers. ZDNet recently reported that, as of March 26, hackers had been breaking into people’s routers and changing DNS settings in order to point unsuspecting device users to coronavirus-related sites pushing malware.
Media outlets have also been awash with concerns around the privacy policies of video conferencing platforms like Zoom, which appears to be the preferred method of choice for employees and individuals to stay connected throughout the coronavirus crisis. Some of these concerns are valid – Zoombombing has become the latest MO for trolls permutating through possible Zoom IDs until they find one that’s active and then joining a call uninvited.
Hackers are also aiming their sights at medical facilities, as reported by Bloomberg in March. The U.S. Health and Human Services Department suffered a cyber-attack on its computer system, aimed at undermining the response to the coronavirus pandemic. Similarly, computer systems at the University Hospital Brno in the Czech Republic – a facility hosting one of the 18 labs used for testing the new virus – were shut down because of a cyber-attack. Many of these attacks are an attempt to disrupt or undermine the global efforts to treat or research COVID-19.
It’s not all doom and gloom from the hacker community, though. Many of the major ransomware distribution groups have allegedly called a ceasefire on their hacking efforts, particularly with respect to medical facilities. These groups have claimed that they never target such facilities nor will not target them whilst the pandemic is ongoing. Some are even offering decryption or data recovery at a discounted rate if such an organization is accidentally targeted. While a welcome reprieve, the coronavirus-cybersecurity battle is far from over.
In part two of our six-part blog series, we’ll explore how the attacks we’ve seen crop up during the COVID-19 pandemic have shifted the cybersecurity threat model and what this means in the immediate term for businesses.
If you haven't downloaded a copy of our whitepaper, please do so. We hope you enjoyed reading.Download the related whitepaper by Charl van der Walt