COVID-19 Cyber Attacks: Threat Report and Best Practices

Advanced persistent threats (APTs) and COVID-19

The SecurityMetrics Security Operations Center (SOC) is actively monitoring the current rapid, worldwide spread of COVID-19 (coronavirus). We caution all SecurityMetrics customers, merchants, and businesses to remain extra vigilant around cyber threat actors who are exploiting this global crisis to their advantage.

As a SOC/SIEM team, we find advanced persistent threats (APTs) and notify customers of them. And right now, the threat landscape is changing faster than ever. APTs use advanced tools to attempt to gain a foothold in networks around the world. Organizations are seeing some of the highest numbers of phishing emails ever, while detections of malware and ransomware have halved. Watch for phishing emails claiming to be from alleged trusted authorities like the World Health Organization (WHO) or the Centers for Disease Control.

Cyber threat actors like to go where the least amount of effort is required–therefore, they are aggressively targeting the countries that are hardest hit by the COVID-19 crisis (like Italy). However, the COVID-19 pandemic is an ongoing situation and the trend line will continue to change. As a large number of COVID-19 cases are now shifting to the US, criminals are shifting their targets to US-based businesses with their phishing tactics.

See also: Forensic Webinar: What Happened in 2019 & Predictions for 2020

APTs leveraging current crisis

The following situational report highlights certain areas of concern. We encourage all to remain in a heightened state of awareness for the foreseeable future, especially as many businesses are relying on remote work for their employees which increases risk to their environment.

The SOC is monitoring COVID-19 cyber in the U.S. and abroad, in various areas and industries. Here are the APTs using this global crisis to their benefit, along with tips to prevent successful attacks:

1. Cyber threat actors are creating malware infected virus maps and sending coronavirus-themed phishing emails in an attempt to lure employees into clicking on booby-trapped URLs
2. More than 80% of the current threat landscape is made up of coronavirus related themes and lures
3. Social engineering attacks based on the stimulus bill and COVID-19 financial compensation schemes are popping up
4. Crisis is being used to distribute trojans such as Zeus Sphinx and Emotet
5. Cyber threat actors are encouraging users to download malicious PDF documents around Coronavirus related safety measures to spread malware payloads such as Remcos RAT
6. Ryuk Ransomware is targeting the healthcare sector
7. China’s APT 41 is currently escalating their state sponsored attacks against businesses who use Cisco and Citrix software
8. Coronavirus phishing emails are alleging to be from the WHO or the CDC and may include instructions to download documents embedded with macros that can allow cyber criminals to drop a backdoor on victims’ computers
9. A large number of coronavirus-themed domain names were registered in February 2020, presumably to be used for phishing attacks or to sell virus cures or prevention assistance
   

Tips to prevent COVID-19 cyber attacks

Increase employee training, policy awareness, tabletop exercises, and drills

Awareness is half the battle, so distribute these items to your employees. Your workforce is your first line of defense to prevent APTs from taking hold in your environment.

Realize that employees have a heightened interest in clicking on coronavirus-related news right now. Stay in contact with employees; increase security training and include cybersecurity warnings and news in internal communications.

Now is a good time to review policies with employees. You may already have policies in place regarding:

• technology use
• password management
• data handling procedures
• incident response plans
• data security best practices
• social engineering techniques

If you have been running cybersecurity tabletop exercises, you will be more prepared and ready for a security emergency. If you haven’t been conducting these cybersecurity incident drills, you should start now. The point of running these exercises is to increase awareness, test training effectiveness, and start discussions. Everyday drills and exercises can be as short as 15 minutes, whereas large-scale coordinated drills can last up to a day or two.

Secure remote computer equipment, connections, networks, and access

Good cyber hygiene goes a long way towards protecting your employees who are working remotely. Make sure any and all equipment, connections, and networks are encrypted and secure–especially where login credentials are concerned. Remote computer problems often start with weak identity validation and authentication.

There are multiple ways to secure remote applications, but the best way by far is implementing multi-factor authentication. This means at least two different forms of authentication are necessary to access an application, to make sure you (and only you) get access.

Multi-factor authentication must contain at least two of the following:

• Something only the user knows (e.g., a password - your username doesn’t count)
• Something only the user has (e.g., a cell phone or RSA token)
• Something the user is (e.g. a fingerprint)

Check with employees to make sure they have turned on multi-factor authentication while working remotely.

Consider managed security services

There are already many processes, people, and technologies associated with network security. These factors are each complicated by the current COVID-19 crisis.

With a completely or partially remote workforce, you need reliable network security tools in place; things like internal/external scanning, firewalls, and log monitoring will protect your network, detect vulnerabilities, and help you react to threats.

You may also need to consult network data security experts to make sure you’re not missing vulnerabilities or security gaps amid the confusion and panic.

SecurityMetrics helps businesses through difficult security situations. Please contact us if you believe you have experienced phishing threats, data breach, ransomware, or cyberattacks at your business.