
Cybercriminals are taking advantage of the coronavirus crisis to spread malware, disrupt operations, sow doubt and make quick money
While organizations can take a variety of measures to ensure that employees are well equipped to work remotely in a secure manner, threat actors of every kind are already taking advantage of the COVID-19/coronavirus situation. Not wanting to miss an opportunity, hackers are stepping up operations to spread malware through emails, applications, websites and social media with a COVID-19 theme. Here is an analysis of the threat vectors and techniques that hackers are using to attack organizations.
1) Phishing emails
Email is and will continue to be the biggest threat vector for people and organizations. Cybercriminals have long used world events in phishing campaigns to increase their hit rate, and the coronavirus is no exception.
Digital Shadows reports that dark web markets are advertising COVID-19 phishing kits, built around a malicious email attachment disguised as a distribution map of the virus outbreak, for prices ranging from $200 to $700.
The topics of these emails range from analyst reports for specific industry sectors and details of official government health guidelines to offers from mask sellers and other information about operations and logistics during the period. The payloads carried by these emails range from ransomware and keyloggers to remote access Trojans and information stealers.
"Our threat research team observed numerous malicious COVID-19 email campaigns, with many of them using fear to try to convince potential victims to click. The criminals sent waves of emails ranging from a dozen to over 200,000 at a time, and the number of campaigns is increasing. Initially, we saw about one campaign a day around the world; now we see three or four a day," says Sherrod DeGrippo, Senior Director of Threat Research and Detection at Proofpoint.
According to DeGrippo, about 70% of the emails uncovered by Proofpoint's threat team delivered malware, with the remainder attempting to steal victims' credentials through fake landing pages, such as imitation Gmail or Office 365 login pages. Proofpoint says the cumulative volume of coronavirus-related email lures now represents the largest collection of attack types linked by a single theme that the company has ever seen.
The NCSC and the World Health Organization (WHO), among others, have issued public warnings about fraudulent emails purporting to come from official agencies. Several phishing emails claiming to be from the US Centers for Disease Control and Prevention (CDC) are circulating.
BAE Systems reports that the groups sending COVID-19 emails include Transparent Tribe (also known as APT36), which targets the Indian government; the Russia-linked Sandworm/OlympicDestroyer and Gamaredon groups; and the China-linked Operation Lagtime and Mustang Panda APTs.
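The fraudulent agency mail described in these notices is usually easier to catch in the headers than in the body. The example below is added here and is not code from the article or from any vendor it quotes: it parses a message with Python's standard `email` package and reports three indicators, a display name that claims CDC or WHO on an address outside cdc.gov or who.int, a Reply-To on a different domain, and a Return-Path that does not match the From domain. The two sample messages and the keyword-to-domain mapping are constructed for the example.

```python
import re
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Display-name keywords that should only appear on mail from the agency's own
# domain. cdc.gov and who.int are the agencies' real domains; the keyword mapping
# itself is an assumption made for this example.
OFFICIAL_SENDERS = {
    "cdc": {"cdc.gov"},
    "centers for disease control": {"cdc.gov"},
    "who": {"who.int"},
    "world health organization": {"who.int"},
}


def _domain(addr):
    """Lower-cased domain of one address ('' if there is no @)."""
    _, address = parseaddr(str(addr))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_official(domain, official_domains):
    return any(domain == d or domain.endswith("." + d) for d in official_domains)


def check_message(raw):
    """Return a list of impersonation indicators for one RFC 5322 message.

    An empty list means none of the three checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_hdr)
    from_domain = _domain(from_hdr)

    # 1. Display-name impersonation: the visible name claims an agency, but the
    #    address it is attached to is not on that agency's domain.
    claimed = display_name.lower()
    for keyword, domains in OFFICIAL_SENDERS.items():
        if re.search(r"\b" + re.escape(keyword) + r"\b", claimed) and not _is_official(from_domain, domains):
            findings.append(f"display name {display_name!r} claims {keyword!r} but From domain is {from_domain!r}")
            break

    # 2. Reply-To on another domain: replies, and any details the lure asks the
    #    victim to "send back", go to the attacker rather than the apparent sender.
    reply_headers = [str(h) for h in msg.get_all("Reply-To", [])]
    reply_domains = {_domain(a) for _, a in getaddresses(reply_headers)} - {""}
    if reply_domains and from_domain not in reply_domains:
        findings.append(f"Reply-To domain(s) {sorted(reply_domains)} differ from From domain {from_domain!r}")

    # 3. Envelope sender (Return-Path) on another domain. Legitimate bulk mailers
    #    do this too, so treat it as a weak indicator that supports the others.
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample messages for the example (not real captures).
PHISH = """\
From: "CDC Health Alert Network" <alerts@cdc-gov.info>
Reply-To: support@mail-relay.example
Return-Path: <bounce@bulk.example>
Subject: COVID-19: new cases in your city
To: staff@example.com

Open the attached map for the list of new cases in your city.
"""

LEGITIMATE = """\
From: "CDC" <hanalerts@cdc.gov>
Return-Path: <hanalerts@cdc.gov>
Subject: HAN update
To: staff@example.com

Routine update.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legitimate", LEGITIMATE)):
        print(label, check_message(raw) or ["no indicators"])
```

Run over a mailbox export, the same function scores every message; the Return-Path check is deliberately the weakest of the three, because legitimate bulk senders also use separate bounce domains, which is why it only corroborates the other two here.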
2) Malicious apps
Although Apple has placed limits on COVID-19-related apps in its App Store and Google has removed some from the Play Store, malicious apps can still pose a threat to users. DomainTools discovered a website that urged users to download an Android app that purported to provide statistical and tracking information about COVID-19, including heat-map visuals. In reality, the app is loaded with Android ransomware, now known as COVIDLock. The ransom note demanded $100 in bitcoin within 48 hours and threatened to erase contacts, photos and videos, as well as the phone's memory. An unlock token has since been discovered.
DomainTools reported that the domains associated with COVIDLock were previously used to distribute pornography-related malware. "The long-running history of this campaign, which now appears to be dormant, suggests that this COVID-19 scam is a new venture and experiment by the hacker behind this malware," said Tarik Saleh, Senior Security Engineer and Malware Researcher at DomainTools, in a blog post.
Proofpoint also discovered a campaign asking users to donate their computing power to a project in the style of SETI@home but dedicated to COVID-19 research, which instead delivered information-stealing malware hosted on BitBucket.
3) Malicious domains
New websites are being created rapidly to disseminate information related to the pandemic. However, many of them will also be traps for unsuspecting victims. Recorded Future reports that hundreds of COVID-19-related domains have been registered every day in recent weeks. Check Point suggests that COVID-19-related domains are 50% more likely to be malicious than other domains registered in the same period.
The NCSC reported that fake sites are impersonating the US Centers for Disease Control and Prevention (CDC), creating domain names that resemble the CDC's web address in order to request "passwords and bitcoin donations to fund a fake vaccine".
Reason Security and Malwarebytes reported a COVID-19 infection heat-map website that is being used to spread malware. The site serves the AZORult malware, which steals credentials, payment card numbers, cookies and other sensitive browser data and exfiltrates them to a command-and-control server. It also searches for cryptocurrency wallets, can take unauthorized screenshots, and collects device information from infected machines.
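Domain names that "resemble the CDC's web address", as the notice above puts it, follow a few recurring patterns: the brand glued to its TLD as one label (cdc-gov.info), the brand used as a subdomain of a throwaway domain (cdc.gov.update-alert.com), digit-for-letter substitutions (wh0-int.org), and a pandemic keyword bolted on. The code below is an added example, not the NCSC's or Check Point's method, for triaging a feed of newly registered domains against those patterns; the brand list, the scoring weights and the sample registrations are assumptions constructed for the example, and a real deployment would resolve the registrable label with a public-suffix list rather than by taking the label left of the TLD.

```python
# Protected brands keyed by the label attackers imitate. The official domains are
# the agencies' real ones; which brands to include is an assumption for the example.
PROTECTED = {"cdc": "cdc.gov", "who": "who.int", "nhs": "nhs.uk"}
PANDEMIC_WORDS = ("covid", "corona", "ncov", "pandemic", "vaccine")
# Digit-for-letter substitutions commonly seen in lookalikes (wh0.int, c0vid).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def _normalise(label):
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Edit distance with insert/delete/substitute, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Score a registered domain 0-100 for brand imitation; returns (score, reasons)."""
    domain = domain.lower().strip(".")
    for official in PROTECTED.values():
        if domain == official or domain.endswith("." + official):
            return 0, ["official domain"]
    labels = domain.split(".")
    # Every label left of the TLD, whole and split on hyphens, after normalisation:
    # "cdc-gov.info" -> {"cdcgov", "cdc", "gov"}; "cdc.gov.x.com" -> {"cdc", "gov", "x"}.
    tokens = set()
    for lab in labels[:-1]:
        tokens.add(_normalise(lab))
        tokens.update(_normalise(t) for t in lab.split("-") if t)
    score, reasons = 0, []
    for brand, official in PROTECTED.items():
        tld = official.rsplit(".", 1)[-1]
        if any(tok in (brand, brand + tld) for tok in tokens):
            score += 60
            reasons.append(f"label imitates {official}")
        # One-edit matches on three-letter brands are noisy (cdn vs cdc), so on
        # their own they stay below the threshold and need a second indicator.
        elif any(len(tok) >= len(brand) and levenshtein(tok, brand) == 1 for tok in tokens):
            score += 25
            reasons.append(f"label is one edit from {brand!r}")
    if any(word in _normalise("".join(labels[:-1])) for word in PANDEMIC_WORDS):
        score += 30
        reasons.append("pandemic keyword in name")
    return min(score, 100), reasons


def triage(domains, threshold=60):
    """Return {domain: reasons} for every registration scoring at or above threshold."""
    flagged = {}
    for d in domains:
        score, reasons = classify(d)
        if score >= threshold:
            flagged[d] = reasons
    return flagged


# Constructed sample feed of "new registrations" (not real data).
SAMPLE_REGISTRATIONS = [
    "cdc.gov", "www.who.int",             # legitimate
    "cdc-gov.info", "cdcgov-covid19.com",  # brand fused with its TLD (+ keyword)
    "cdc.gov.update-alert.com",           # brand used as a subdomain
    "wh0-int.org",                        # digit-for-letter homoglyph
    "coronavirus-map.com",                # keyword only: suspicious, not flagged
    "cdn-covid-update.com",               # one-edit noise: stays below threshold
]

if __name__ == "__main__":
    for d, why in triage(SAMPLE_REGISTRATIONS).items():
        print(d, "->", "; ".join(why))
```

The threshold is set so that a brand imitation alone is enough to flag, while a pandemic keyword or a single-edit near miss on its own only raises the score; lowering it trades precision for recall, which is a choice to make against your own registration feed.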
4) Insecure endpoints and end-users
With a large number of employees, or even entire companies, working remotely for an extended period, the risks around endpoints and the people who use them increase. Devices that staff use at home can become more vulnerable if employees do not update them regularly.
Working from home for long periods can also tempt users to install shadow IT apps on their devices or to disregard security policies they would normally follow in the office. Fewer business trips reduce the chance of employees running into border-security problems, but the risks of connecting to insecure Wi-Fi networks or losing devices are only reduced if people really do stay at home. Those who go out to work in cafes, and some are likely to, remain exposed to theft or loss of devices and to man-in-the-middle attacks.
The International Association of Information Technology Asset Managers recommends that all IT assets taken home be signed out and tracked, and that companies provide policies and guidance on how those assets may be used at home (especially where people are used to sharing devices with family). It also advises reminding users of the policies on connecting to public Wi-Fi and checking that they keep their software updated as needed.
5) Vulnerabilities in suppliers and third parties
Every partner, customer and service provider in your ecosystem is probably going through the same problems as your organization. Reach out to the critical parts of your third-party ecosystem to confirm that they are taking steps to secure their own remote workforce.
Targeting of health organizations
In recent days, the Illinois Public Health website was hit with ransomware, while the US Department of Health and Human Services (HHS) suffered an attempted DDoS attack. Healthcare organizations of all shapes and sizes are likely to be under more stress than usual, which can make staff less careful about what they click on.
Opportunistic criminals, or those who want to disrupt operations, may be more likely to target the sector. CISOs in the health sector, or at organizations that supply it, should remind staff to be vigilant about suspicious links and documents and should ensure that their operations are resilient to DDoS attacks.
6) Security priorities for large-scale remote work
Liviu Arsene, Global Cybersecurity Researcher at Bitdefender, recommends that organizations take the following steps to ensure secure and stable remote work:
Increase the number of simultaneous VPN connections to accommodate all remote employees;
Configure and support conferencing software that delivers a stable voice and video connection;
Make sure that all employees have valid credentials that do not expire in less than 30 days, since changing expired Active Directory credentials can be difficult when working remotely;
Publish rules and guidelines on accepted applications and collaboration platforms so that employees know what is sanctioned and supported and what is not;
Stage the rollout of updates, since delivering them all at once to employees connected over the VPN can congest bandwidth and affect both incoming and outgoing traffic;
Enable disk encryption on all endpoints to reduce the risk of data loss from compromised devices.
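The credential-expiry item in the list above is the one that needs a concrete check before staff disperse: which Active Directory accounts will expire within 30 days? The example below is added here and is not Bitdefender's or the article's code. It computes expiry the way AD does, from each user's pwdLastSet (a Windows FILETIME in 100-nanosecond ticks since 1601) and the domain's maxPwdAge (stored as a negative tick count), honouring the "password never expires" flag in userAccountControl and the pwdLastSet of 0 that means "must change at next logon". The attribute values are constructed samples standing in for what an LDAP query would return; the constructed attribute msDS-UserPasswordExpiryTimeComputed gives the same answer directly when the directory exposes it.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks
# since 1601-01-01 UTC. The domain's maxPwdAge is a *negative* tick count.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
DONT_EXPIRE_PASSWORD = 0x10000           # userAccountControl flag
MAX_PWD_AGE_NEVER = -0x8000000000000000  # AD's maxPwdAge sentinel for "never"


def datetime_to_filetime(dt):
    """Exact integer conversion (float microseconds would lose precision here)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_expiry(user, max_pwd_age):
    """UTC datetime at which the user's password expires, or None if it never does.

    `user` is a dict of the LDAP attributes the check needs."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return None
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):  # no domain maximum age
        return None
    if user["pwdLastSet"] == 0:
        # "Must change password at next logon": already unusable remotely, so
        # report it as expired at the epoch rather than silently skipping it.
        return FILETIME_EPOCH
    return filetime_to_datetime(user["pwdLastSet"] - max_pwd_age)  # minus a negative


def expiring_within(users, max_pwd_age, days=30, now=None):
    """Return [(sAMAccountName, expiry)] for accounts that expire within `days`."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=days)
    hits = []
    for user in users:
        expiry = password_expiry(user, max_pwd_age)
        if expiry is not None and expiry <= horizon:
            hits.append((user["sAMAccountName"], expiry))
    return hits


# Constructed sample data (not from a real directory): a 90-day maxPwdAge and
# four accounts as they would look on 20 March 2020.
NOW = datetime(2020, 3, 20, tzinfo=timezone.utc)
MAX_PWD_AGE = -90 * 86400 * TICKS_PER_SECOND
NORMAL_ACCOUNT = 0x200


def _user(name, set_days_ago, uac=NORMAL_ACCOUNT):
    return {"sAMAccountName": name, "userAccountControl": uac,
            "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=set_days_ago))}


SAMPLE_USERS = [
    _user("alice", 80),                                              # expires in 10 days
    _user("bob", 20),                                                # expires in 70 days
    _user("svc_backup", 400, uac=NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),  # never expires
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, expiry in expiring_within(SAMPLE_USERS, MAX_PWD_AGE, now=NOW):
        print(f"{name}: expires {expiry:%Y-%m-%d}")
```

Accounts that come back from this check are the ones to have reset their passwords before they leave the office, so that nobody is locked out of a domain-joined laptop with no line of sight to a domain controller.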