It should come as no surprise that since the emergence of COVID-19 last year there has been a month-on-month increase in the level of malicious activity relating to the pandemic, with cybercriminals using it as a new hook to bait their unsuspecting victims. In actual fact, the overall level of cybercrime has not increased dramatically, but many threat actors have jumped at the opportunity to switch from their existing lures to those relating to COVID-19.
The main threat actors at large have been criminal gangs looking to monetise the situation, drawn in by the fact that governments across the world have made billions available in funding for both organisations and individuals. The other threat actors of note who have increased their online activities have been state-sponsored attackers, looking for COVID-19 related information around research, cures and vaccines.
Although COVID-19 phishing and ransomware lures have been the weapons of choice during this period, there has also been an increase in network scans for vulnerable remote access technologies. This is because many organisations have had to adapt quickly to employees working from home en masse, which has completely changed the threat landscape: more devices are being exposed outside of the corporate security perimeter and are reliant on host-based defences.
Many organisations have also rapidly deployed or enabled remote access to their networks in very short time spans. This has resulted in an increased threat surface area, with insecure configurations and outdated services being exposed to the public internet – which attackers are now taking advantage of. It was only at the end of last year that the UK and USA authorities issued warnings about vulnerabilities in enterprise VPN solutions – and these vulnerabilities have not yet been patched.
Security researchers have not been surprised by threat actors taking advantage of the current pandemic, but many have been shocked by the speed and volume of the COVID-19 attacks, along with the ruthless nature of some of the cybercriminals who have decided to go after and attack the medical and healthcare sectors.
In this article I’m going to explore the trends we’ve seen in cybercrime and the security challenges we’ve all faced during the unprecedented times of COVID-19, and how you can safeguard your organisation from these cybercriminals and the new threats they present.
From the 9th March to the 26th April, Palo Alto Networks’ Unit 42 found that more than 86,600 of the 1.2 million newly registered domain names contained keywords relating to COVID-19, and were classified as either “risky” or “malicious.” The United States had the highest number of malicious domain names (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456). On average, 1,767 high-risk or malicious COVID-19 related domain names are created every day.
In mid-April, it was reported that UK domain registry, Nominet, had blocked or stopped the registration of more than 1,000 problematic domain names in the previous few weeks. Normally, Nominet looks out for scammers targeting banks, or HM Revenue & Customs, but according to CEO Russell Haworth, a major shift has taken place in overall phishing activity as cyber criminals retool their arsenal to take advantage of the pandemic.
In Bolster’s Q1 2020 State of Phishing and Online Fraud Report the organisation identified exponential growth in phishing and website scams. It detected 854,441 phishing and fake webpages, along with approximately 4 million suspicious webpages, with COVID-19 themed lures accounting for roughly 30% of these. That is over a quarter of a million confirmed malicious websites related to COVID-19.
Bolster also found that the number of daily phishing campaigns shot up, with over 3,142 phishing and fake webpages going live every day in January. This increased to 8,342 by March, and over 25,000 suspicious pages were created on the 19th March – a new record for Q1. Software as a Service and Telecoms were the industries that were the most badly hit by phishing scams, followed by Finance, Retail, and Streaming.
COVID-19 phishing attacks targeted organisations with spear-phishing emails designed to look as if they were coming from the recipient’s corporate IT team or payroll department. Some cybercriminals used a CAPTCHA to appear more legitimate and prevent detection by security crawlers. On the consumer side, we saw malicious emails requesting personal information from individuals – claiming that it was needed to help them access their government funded money. There were also malicious emails seeking donations for fake COVID-19-based causes.
It was also reported that the UK’s National Cyber Security Centre (NCSC) took down more than 2,000 online COVID-19 related scams in April. This included 471 fake online shops that were selling fraudulent virus-related items, as well as almost 900 advance-fee fraud schemes (where a large sum of money is promised in return for a one-off payment).
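The keyword screening of newly registered domains that Unit 42 and Nominet describe above, as an added example that is not code from the article or from either organisation: it normalises common digit-for-letter substitutions before matching, so lookalikes such as "c0vid" are still flagged for review. The keyword list and the registration feed are constructed assumptions.

```python
"""Flag newly registered domains that use COVID-19 themed keywords (added example)."""
import re
from typing import Dict, List

# Assumed keyword list: terms the article associates with pandemic-themed lures.
COVID_KEYWORDS = ("covid", "coronavirus", "corona", "ncov", "pandemic",
                  "vaccine", "quarantine", "lockdown")

# Digit-for-letter substitutions commonly seen in lookalike domains.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a"})


def normalise(domain: str) -> str:
    """Lower-case, undo leet substitutions and drop separators so keywords line up."""
    lowered = domain.strip().lower().translate(_LEET)
    return re.sub(r"[-_.]", "", lowered)


def classify(domain: str) -> Dict[str, str]:
    """Return the first COVID keyword found in the normalised domain, if any.

    This is a screening step: substrings such as 'ncov' will also hit benign
    names, so 'review' means an analyst should look, not that the domain is bad.
    """
    norm = normalise(domain)
    for kw in COVID_KEYWORDS:
        if kw in norm:
            return {"domain": domain, "keyword": kw, "verdict": "review"}
    return {"domain": domain, "keyword": "", "verdict": "clean"}


def screen_registrations(lines: List[str]) -> List[Dict[str, str]]:
    """Screen 'date,domain' registration records and return only flagged ones."""
    flagged = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header
        _, domain = line.split(",", 1)
        result = classify(domain)
        if result["verdict"] == "review":
            flagged.append(result)
    return flagged


# Constructed sample feed; these are not real registrations.
SAMPLE_FEED = [
    "# date,domain",
    "2020-03-19,c0vid19-relief-payments.example",
    "2020-03-19,bakery-orders.example",
    "2020-03-20,cor0na-v1rus-cure.example",
    "2020-03-20,quaran.tine-shop.example",
    "2020-03-21,weather-today.example",
]

if __name__ == "__main__":
    for hit in screen_registrations(SAMPLE_FEED):
        print(f"{hit['domain']:40} matched '{hit['keyword']}'")
```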
Over the past few years there has been a shift in the kind of ransomware attack cybercriminals tend to operate. They are moving away from attacks such as WannaCry, which were untargeted and widely distributed, to more refined, human-driven attacks. These attacks, such as the Norsk Hydro ransomware attack, target one organisation with the aim of infiltrating it, conducting reconnaissance to identify its weak spots, and then launching the ransomware. The December 2019 Emsisoft State of Ransomware Report revealed that over the past year ransomware attacks had developed even further, with attackers now exfiltrating an organisation’s data to use as part of the extortion and further pressure their victims into paying up.
Help Net Security revealed that nearly 96% of respondents in a recent survey said that their companies had become increasingly concerned about being hit with a ransomware attack during the COVID-19 pandemic. This marks an increase compared to “The State of Enterprise Data Resiliency and Disaster Recovery 2019” study by Datrium, which found nearly 90% of companies considered ransomware a critical threat to their business.
Many of the issues surrounding the video conferencing platform, Zoom, can be put down to poor practices in the development lifecycle of the product, where it is evident security and privacy were not considered at the top of the agenda. Not following secure software development practices and skipping important parts of the process, such as secure code reviewing and pen testing, will lead to higher potential risks and vulnerabilities that can be exploited by threat actors.
The silver lining of the Zoom scandal is that it has made many organisations realise that they need to bake privacy and security in right from the start of a project and consider it thoroughly throughout its lifecycle. This also applies to the COVID-19 contact tracing apps that are currently being developed, where there have already been privacy concerns of how the data will be collected and processed. It was recently reported that the Dutch development programme for a contact tracing app suffered a privacy breach when an unrelated database was included in the developer’s code.
Safeguard your organisation
Patching systems and software
Many successful attacks by threat actors have made use of vulnerabilities in applications, operating systems and appliances (including their software) for which patches had been released but the victims had not updated their systems quickly enough. It is crucial to ensure that you patch your organisation’s systems as soon as a new patch has been announced. In April, SaltStack announced a new patch to repair a vulnerability it had discovered, and organisations were breached within days of the announcement as attackers moved in to see if they could exploit slow-moving organisations.
Conducting a vulnerability scan of internal and external infrastructures is an effective tool for monitoring your systems and discovering which ones need updating and patching. This may need to be done daily, weekly or monthly depending on the sensitivity of the data you hold as well as the complexity and size of your organisation.
Having a pen testing programme which replicates both external and internal threat actors is an effective way to move beyond just looking for vulnerabilities and enables you to actually understand how they could be successfully exploited to gain access to your organisation’s assets.
It is also worth enlisting the help of an ethical hacker and discovering what they can harvest from your organisation, in order to identify what information threat actors could get hold of and use against you in a real attack.
Privacy by Design
It is important that your organisation’s projects, whether infrastructure, software or process related, consider security and privacy right from the very start. Conducting threat and risk assessments will identify the appropriate controls which will then need to be implemented and documented. You will need to ensure these necessary safeguards are considered as part of the project definition and specification, and that they are built in and tested as part of the acceptance and sign off of the project.
Employees are often your first line of defence and are also the most targeted part of an organisation: social engineering attacks are the most successful attack vector for all threat actors.
It is important that all employees are trained on how to recognise and handle the various threats they could face, and you should ensure your training programme is regularly refreshed as the risks change or progress and the threat landscape evolves.
The mass movement from office-based to home working is a key example of where organisations will have needed to update their training programmes and retrain all their staff. The cyber threats an employee faces at home can be completely unlike those they deal with in the office, and how an employee identifies and handles a security incident can be different when working remotely, or outside of the organisation’s normal security perimeter. A regularly updated education programme with online learning, regular bulletins and email reminders will help to keep the security and privacy controls in the minds of your employees.
By Geraint Williams, CISO of IT Governance
Geraint has over 20 years’ experience in the information security industry, which includes vulnerability testing, digital forensics, ethical hacking, secure networking, and wireless security issues. He started his career at the University of Bedfordshire, where he managed the department of Computer Science & Technology for over 11 years, before moving to Ultima Risk Management as a PCI lead. He joined GRCI as CISO in 2018, and has a number of certifications in security and digital forensics including CISSP, CREST Registered Tester, CEH & CHFI.