6 minute read 2 Apr. 2020
Man and woman at wall of computer servers

COVID-19: Three cyber threats to brace for now

By Chandra Majumdar

EY Canada Cyber Threat Management Leader

Offering clients the next generation of protection to safeguard what matters most to them.

6 minute read 2 Apr. 2020
Related topics Consulting Cybersecurity Risk

Three key types of cyber threats are leveraging COVID-19 to stir up trouble for unsuspecting organizations. Knowing what to look for is your first line of defense.

Cybercriminals and state-sponsored threat actors are always keen to take advantage of the fear, confusion and political unrest spawned from global events, such as the COVID-19 pandemic.

Businesses and individuals are struggling in the face of uncertainty, and quarantine measures are impacting the effectiveness of incident response and crisis management resources. Since February 2020, we have seen a surge in phishing attacks built around the COVID-19 lure.

Fig 1: Phishing lure example from Proofpoint research report

Fending off threats begins by understanding what they look like and then planning ahead while the situation rapidly evolves. What criminal tactics, techniques and procedures should you be watching for right now?

1.     Misinformation as a weapon of mass confusion

Misinformation means exactly that: information that is either false or inaccurate, and deliberately disseminated with the aim of deceiving audiences. COVID-19 misinformation is spread primarily over social media platforms and is amplified by people resharing it through private messenger platform applications.

At first glance, misinformation may not seem to have a tangible financial impact on an organization’s or individual’s bottom line, but rest assured that the rhetoric misinformation employs is damaging. Fear and confusion can, among other issues, drive equipment and supply shortages, and incite hatred. While governments are working to slow the spread of false messaging, by calling out examples of fraudulent social media posts, individuals and businesses can support those efforts by pitching in to do their part.

How can you curb the flow of misinformation to help dial down the risks?

  • Stick to credible guidance from official health organizations (e.g., Public Health Agency of Canada, National Health Service, Centers for Disease Control and Prevention (CDC), World Health Organization (WHO)) to counter the negative ripple effect of misinformation.
  • Fact-check any social media claims that feel potentially dubious.
  • Watch for unsolicited correspondence that contains alarmist messaging or appears to be impersonating official health and safety institutions.

2. Phishing through social engineering

It is widely believed that cybercriminals across geographies and sectors are using COVID-19 as a phishing lure. But there is also evidence of state-sponsored actors following suit. Such activities are expected to rise in line with the number of new COVID-19 cases as the pandemic continues to lead headlines and social media dialogue.

Newly registered domains related to COVID-19 are rising in direct proportion with the outbreak’s spread, as threat actors create new infrastructure to support malicious campaigns. The number of references to COVID-19 has seen a significant uptick over the last three months, and country-specific phishing lures are using the trusted names of widely known organizations to trick their way into a potential victim’s world.

What can you do to deflect phishing scams and help keep them at bay?

As individuals:

  • Be wary of any email or other communication claiming to originate from the Public Health Agency of Canada, National Health Service, CDC or WHO – even if the address looks legitimate.
  • Watch out for language that creates a sense of urgency and asks you to click attachments or links said to contain additional information.
  • Do not click or open links in emails directly. Instead, type the main URL into your browser or search the brand/company in your preferred search engine.
  • Disable macros in Microsoft Office for any users who don’t absolutely require it.

As an organization’s security team:

  • Ensure anti-virus and other security software on all systems are up to date.
  • Search for existing signs of the indicated indicators of compromise (IOCs) in your environment.
  • Block all URL- and IP-based IOCs at the firewall, intrusion detection and prevention systems, web gateways, routers or other perimeter-based devices
  • Ensure applications and operating systems are kept up to date and most recently available security updates are installed.
  • Increase awareness and education activities around the heightened risk environment.

3. Offering access through the sale of fraudulent goods

Phishing offerings are a big topic in cybercriminal forums right now. In February, analysts at Digital Shadows identified a thread on well-known Russian-language cybercriminal forum Cross Site Scripting (XSS) advertising a new way to deliver malware. The method works via an email attachment disguised as a supposed distribution map of the virus’s outbreak that’s said to contain real-time data from the WHO. The map itself impersonates a legitimate one created by the Johns Hopkins Center for Systems Science and Engineering that’s already appeared across social media platforms. The deal? A “private build” of the product listed at $200, or a version complete with a “Java Codesign certificate” for $700.

Fig 2: COVID-19 phishing scam offering on the Russian language XSS forum

Fig 3: A legitimate coronavirus infection map

We’ve also seen the COVID-19 pandemic weaponized as a way for the Iranian Government to spread spyware on mobile devices. Iran’s Health Ministry sent a message to victims advising them to download a specific application to monitor for potential symptoms of COVID-19. In reality, the application (ac19.apk) was spyware capable of gathering victim location services and monitoring a user’s physical activity to determine where the user is going, and when.

Advanced persistent groups have also joined the fray, like Winnti (APT41) which internet security researchers attribute as having connections with China. For example, they have targeted Kyrgyzstan using backdoors with COVID-19 documents leveraging the ru[.]mst[.]dns-cloud[.]net domain and a malicious RTF file known as rtf royal road (5e31d16d6bf35ea117d6d2c4d42ea879). That is a departure from Winnti’s typical modus operandi — cyberattacks geared to steal software source code or compromise production gaming servers in the video game industry.

These attacks come in all shapes and sizes. Some are targeted broadly, others are narrowly focused. They tie back to both well-known threat actors (like TA505 and TA542, those behind Emotet and Ostap, respectively), as well as unknown sources. All of this speaks to the greater risk corporations and individuals face at a time when many countries and organizations are enforcing remote working.

How can you avoid getting pulled into these types of scams?

  • Familiarize yourself with the range of open-source intelligence we’ve picked up on over the past two months.
  • Keep informed as we update observations regularly.
  • Report what you’re seeing to help others learn from what you’re seeing.

Where do we go from here?

Phishing was pegged as the single most common attack technique by a range of 2019 trend analysis reports. It’s no surprise, then, that we’re seeing a rise in phishing campaigns targeting individuals with COVID-19 lures and threat actors attempting to compromise victims via malicious pandemic content.

Thinking big picture can help you strengthen your defences in this extraordinary situation. Think about where you may be exposed. Reinforce those areas now. And ask yourself: are we talking enough about this internally? If not, now is the time to start.

Reference articles:

Coronavirus-themed attacks target global shipping concerns

Threat actors capitalize on global concern about coronavirus in new phishing campaigns

https://securityaffairs.co/wordpress/99977/apt/apt27-abusing-covid-19.html

https://www.virusbulletin.com/blog/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/

Summary

As cybercriminals and state-sponsored threat actors capitalize on COVID-19, organizations that know which threats to look for can help bolster their defences right now.

About this article

By Chandra Majumdar

EY Canada Cyber Threat Management Leader

Offering clients the next generation of protection to safeguard what matters most to them.

Related topics Consulting Cybersecurity Risk