How attackers exploit the Covid-19 crisis

Cybercriminals are taking advantage of the coronavirus crisis to spread malware, disrupt operations, sow doubt and make a quick buck
Image: Gerd Altmann (cc)

18 May 2020

While organisations can take plenty of steps to ensure employees are well-equipped to work remotely in a secure manner, threat actors of all stripes are already taking advantage of the COVID19/coronavirus situation. Never ones to miss an opportunity, attackers are ramping up operations to spread malware via Covid19-themed emails, apps, websites, and social media. Here is a breakdown of potential threat vectors and techniques threat actors are using to attack organisations.

How attackers exploit the COVID-19 crisis

1. Phishing e-mails

Email is and will continue to be the largest threat vector for people and organisations. Cybercriminals have long used world events in phishing campaigns to up their hit rate, and coronavirus is no exception.

Digital Shadows reports that dark web markets are advertising COVID19 phishing kits using a poisoned email attachment disguised as a distribution map of the virus’s outbreak for prices ranging from $200 to $700.




Themes in these e-mails range from analyst reports specific to certain industries and details of official government health advice to sellers offering facemasks or other information around operations and logistics during these times. Payloads included in these emails range from ransomware and keyloggers to remote access trojans and information stealers. A report from VMware Carbon Black observed a 148% rise in ransomware attacks from February to Marsh 2020, with a large increase on financial institutions.

“Our threat research team has observed numerous Covid-19 malicious email campaigns with many using fear to try and convince potential victims to click,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “Criminals have sent waves of emails that have ranged from a dozen to over 200,000 at a time, and the number of campaigns is trending upwards. Initially we were seeing about one campaign a day worldwide, we’re now observing three or four a day.”

DeGrippo said around 70% of the emails Proofpoint’s threat team has uncovered deliver malware with most of the rest aiming to steal victims’ credentials through fake landing pages like Gmail or Office 365. Proofpoint said the cumulative volume of coronavirus-related email lures now represents the greatest collection of attack types united by a single theme the company may have ever seen.

Mimecast’s 100 Days of Coronavirus report found that on average globally, RAR files were the most common form of delivering malware threats within emails during the pandemic, followed by ZIP files, with lesser trends around delivering malware through macros and ISO/image file formats present throughout the crisis. The manufacturing and retail/wholesale verticals were the most targeted on average during this time.

The NCSC and the World Health Organization (WHO), among others, have made public warnings about fraudulent emails purporting to be from official bodies. Various phishing emails claiming to be from the Centres for Disease Control and Prevention (CDC) have been circulating.  

BAE Systems reports that threat actors sending out COVID-19-themed emails include the Indian Government-targeting Transparent Tribe (also known as APT36), Russia-linked Sandworm/OlympicDestroyer and Gamaredon groups, and the Chinese-affiliated groups Operation Lagtime and Mustang Panda APTs.

According to data from Securonix, phishing emails around stimulus packages and government relief for workers quickly overtook the number of lures around cures and cures and vaccinations, which themselves followed the initial surge of COVID-19-themed attacks.

2. Malicious apps

Although Apple has placed limits on Covid19-related apps in its App Store and Google has removed some apps from the Play store, malicious apps can still pose a threat to users. DomainTools uncovered a site that urged users to download an Android app that provides tracking and statistical information about Covid-19, including heatmap visuals. However, the app is actually loaded with an Android-targeting ransomware now known as CovidLock. The ransom note demands $100 in bitcoin in 48 hours and threatens to erase your contacts, pictures and videos, as well as your phone’s memory. An unlock token has reportedly been discovered.

DomainTools reported the domains associated with CovidLock were previously used for distributing porn-related malware. “The long run history of that campaign, now looking disabled, suggests that this Covid-19 scam is a new venture and experiment for the actor behind this malware,” said Tarik Saleh, senior security engineer and malware researcher at DomainTools, in a blog post.

Proofpoint also discovered a campaign asking users to donate their computing power a la SETI@Home but dedicated to COVID-19 research, only to deliver information-stealing malware delivered via BitBucket.

3. Bad domains

New websites are being quickly spun up to disseminate information relating to the pandemic. However, many of them will also be traps for unsuspecting victims. Recorded Future reports that hundreds of COVID-19-related domains have been registered every day for the last few weeks. Checkpoint suggests Covid-19-related domains are 50% more likely to be malicious than other domains registered in the same period. Further research from Palo Alto’s Unit 42 researchers found that of the 1.2 million newly registered domain containing Covid-related keywords between March and April 2020, at least 86,600 domains were classified as risky or malicious.

The NCSC has reported fake sites are impersonating the US Centres for Disease Control (CDC) and creating domain names similar to the CDC’s Web address to request “passwords and bitcoin donations to fund a fake vaccine”.

Reason Security and Malwarebytes have both reported on a COVID-19 infection heat map site that is being used to spread malware. The site is loaded with AZORult malware that will steal credentials, payment card numbers, cookies and other sensitive browser-based data and exfiltrate it to a command-and-control server. It also seeks out cryptocurrency wallets, can take unauthorised screenshots and gather device information from infected machines.

4. Insecure endpoints and end users

With large numbers of employees or even the entire businesses working remotely for an extended time, the risks around endpoints and the people that use them increase. Devices that staff use at home could become more vulnerable if employees fail to update their systems regularly.

Working from home for long periods of time may also encourage users to download shadow applications onto devices or flout policies they would normally follow in the office. Less business travel might reduce the chance of employees having security issues at borders, but it only reduces the threat of connecting to insecure Wi-Fi networks or losing devices if they actually stay at home. Those that do go out to work from cafes – and some probably will – might still be susceptible to theft or loss of devices, or man-in-the-middle attacks.

The International Association of Information Technology Asset Managers recommends that all IT assets being taken home be signed out and tracked, that companies provide policy and advice around how assets be used at home (especially if people are used to sharing devices with family), remind users of policies around connecting to public Wi-Fi, and make sure they continue to update their software as needed.

5. Vulnerabilities at vendors and third parties

Every partner, customer and service provider in your ecosystem is likely going through all the same issues as your organisation. Liaise with critical parts of your third-party ecosystem to ensure they are taking measures to secure their remote workforce.

6. Communications apps and working from home

New ways of working present new opportunities for attackers. The massive uptick in remote working and collaboration tools means their security is now under focus. Zoom’s rapid rise in popularity ultimately lead to the company freezing product development to fix issues around security, and according to Vice interest in zero day exploits relating to Zoom and other collaboration apps is “sky high” with attackers.

Security firm Cyble reportedly was able to purchase over 500,000 Zoom accounts on the dark web for less than a penny each and, in some cases, for free. This opens the risk for credential stuffing attacks and the possibility of attackers joining calls. Poor policy around who can access and enter calls can also lead to unwelcome guests, also known as “zoombombing”. That can lead to sensitive information be leaked; the Financial Times, for example, leaked a story about paycuts at the Independent after gaining access to a call.

Likewise, working from home brings additional threats. According to (ICS)2, 23% of organisations have seen an increase in cybersecurity incidents since transitioning to remote work – with some tracking as many as double the number of incidents. As well as the increased risk of old and insecure personal device accessing your network, the risk of flat mates, partners, or children using corporate devices or seeing/hearing sensitive details goes up if staff don’t have dedicated private workspaces at home. Absolute Software reports that as well as devices being often months behind on their patching schedule, there has been a 46% increase in the number of items of sensitive data on enterprise endpoints compared to pre-COVID-19 levels.

7. Targeting healthcare organisations and COVID hotspots

Despite hacking groups promising not to, healthcare organisations have come under increased attacks. In the early phase of the pandemic the Illinois Public Health website was hit with ransomware, while the Department of Health and Human Services (HHS) suffered an attempted DDoS attack. In the weeks since a number of healthcare organisations and even research institutions searching for vaccines have been hit by criminals looking at make money or state-sponsored actors looking to get a leg up on finding a long-term solution.

Opportunistic criminals or those wishing to disrupt operations might be more likely to target the sector. The UK’s NCSC and US’ CISA have put out an advisory noting how APT groups are targeting healthcare bodies, pharmaceutical companies, academia, medical research organisations, and local government to collect bulk personal information, intellectual property and intelligence that aligns with national priorities.

Healthcare organisations of all shapes and sizes are likely to be under more stress than usual, which may make staff more lax around what they click on. CISOs in or supplying the healthcare sector should remind staff to be vigilant around suspicious links and documents, and ensure their operations are resilient against DDoS attacks.

Likewise, the more acutely affected by the crisis a region is, the more likely it is to be targeted by threat actors. Research from Bitdefender suggests cybercriminals followed infection trends by focusing at first on targeting Europe for much of March before switching attention to the US in April as the number of new cases grew.

8. Exploiting future fallout and recovery

Mimecast predicts that due to a number of events, such as the 2020 Olympics, being cancelled, there is a high likelihood that future cyber campaigns may focus on using the lure of reclaiming expenses to elicit interaction with malicious content.

Likewise, as the economy will likely continue to struggle even after the lockdowns and immediate danger ends. Expect further campaigns from cyberattackers around financial bailouts, government help for industry, or even more personal attacks centred on redundancies or pay cuts in your organisation.

Security priorities for remote working at scale

Liviu Arsene, global cybersecurity researcher at Bitdefender, recommends that organisations take the following steps to ensure secure and stable remote working:

  • Bump up the number of simultaneous VPN connections to accommodate all remote employees.
  • Set up and support conferencing software that ensures both a stable voice and video connection.
  • Ensure all employees have valid credentials that do not expire within less than 30 days as changing expired Active Directory credentials can be difficult when remote.
  • Send out rules and guidelines regarding accepted applications and collaborative platforms so employees are aware of what is sanctioned and supported and what is not.
  • Have gradual rollout procedures for deploying updates, as delivering them all at once to VPN-connected employees could create bandwidth congestions and affect inbound and outbound traffic.
  • Enable disk encryption for all endpoints to reduce the risk of data loss on compromised devices.

IDG News Service

Read More:

Back to Top ↑