Cybercriminals, state-sponsored groups ramping up attacks exploiting COVID-19 pandemic

IntSights researchers surveyed the cyberthreat landscape, finding a wide variety of coronavirus-themed phishing lures, malware infections, network intrusions, scams, and disinformation campaigns.


There is no sacred ground when it comes to hacking, and that has become ever more apparent since the outbreak of coronavirus across the world. Almost immediately in January, cybercriminals began to exploit the crisis through a variety of coronavirus-themed scams, and these efforts have only grown in breadth and sophistication since then.

A new report from cybersecurity firm IntSights by cyber threat analyst Charity Wright and chief security officer Etay Maor explores COVID-19-related dark web chatter and state-sponsored initiatives that have taken shape since the world was upended by the pandemic.

Since January, the two longtime cybersecurity experts have looked at how cybercriminals, ransomware groups, and several nation-state actors quickly became involved in coronavirus-themed attacks, leveraging fears about the virus to steal money and information from thousands of people.

"Every time there is a major event, there are phishing attacks, there is malware, and different groups want to take advantage of the situation," Maor said in an interview. "You see all these scams and hoaxes, but then you see how rapidly it moved from phishing to malware, like coronavirus map malware. And then all of a sudden you have other groups coming into the picture."


In their initial search through cybercriminal chatter, they found dozens of scams for different fake hand sanitizers and face masks as well as people hawking their own blood as potential cures for the virus. 

One key fact noted in the report was the astounding increase in coronavirus-themed websites. In all of 2019, 119 domains containing "coronavirus" were registered; in January 2020 alone, 1,400 were. By the last day of March, more than 78,000 had been registered in that single month. While not all of these websites were phishing or malicious, the deluge of new websites and apps flooding the internet has allowed cybercriminals and some state actors to slip in and catch unsuspecting web surfers.
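A defender who receives a feed of newly registered domains needs a quick way to pull the pandemic-themed ones out of that deluge for review. The script below is an added example, not code from IntSights or from the report: it scores each domain on a constructed, made-up list for theme keywords, typical lure words (map, cure, mask) and digit-for-letter substitutions, and treats an assumed organisation-maintained allowlist (coronavirus.gov, cdc.gov, who.int) as known good. The scores are triage priorities, not verdicts.

```python
# Constructed sample of newly registered domain names. These are made up for
# this example and are not taken from the report or from any registry feed.
SAMPLE_DOMAINS = [
    "coronavirus-map-live.com",
    "c0vid19-cure-shop.net",
    "covid-tracker.xyz",
    "example-bakery.com",
    "quarantine-masks-sale.com",
    "www.coronavirus.gov",
    "cdc.gov",
    "corona-beer.com",
]

# Pandemic-themed words to catch in the registrable label. "corona" on its own
# is deliberately left out: it matches too many legitimate names (see the beer).
THEME_TERMS = ("coronavirus", "covid", "ncov", "pandemic", "quarantine", "wuhan")
# Words that turn a theme into a typical lure: live maps, cures, masks, relief.
LURE_TERMS = ("map", "tracker", "cure", "vaccine", "mask", "sanitizer", "relief", "stimulus")
# Digit/symbol substitutions used to dodge naive keyword filters ("c0vid").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})
# Assumption: the organisation keeps its own allowlist of known-good hosts.
ALLOWLIST = {"coronavirus.gov", "cdc.gov", "who.int"}


def registrable_name(domain):
    """Return (host, name): host lowercased without 'www.', name = host minus
    its last label. Simplification: the last label is treated as the TLD; a
    real deployment would use a public-suffix list."""
    host = domain.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    name = ".".join(labels[:-1]) if len(labels) > 1 else host
    return host, name


def analyze(domain):
    """Score one domain for pandemic-lure characteristics.

    Returns {"domain": host, "score": int, "reasons": [str]}. A higher score
    means "look at this first", not "this is malicious".
    """
    host, name = registrable_name(domain)
    if host in ALLOWLIST:
        return {"domain": host, "score": 0, "reasons": ["allowlisted"]}

    # Collapse separators, then undo digit/symbol substitutions before matching.
    flat = name.replace("-", "").replace("_", "")
    deobfuscated = flat.translate(HOMOGLYPHS)

    theme = next((t for t in THEME_TERMS if t in deobfuscated), None)
    if theme is None:
        return {"domain": host, "score": 0, "reasons": []}

    score, reasons = 2, [f"theme:{theme}"]
    for lure in LURE_TERMS:
        if lure in deobfuscated:
            score += 1
            reasons.append(f"lure:{lure}")
    if deobfuscated != flat:
        score += 1
        reasons.append("homoglyph substitution")
    return {"domain": host, "score": score, "reasons": reasons}


def triage(domains, threshold=2):
    """Analyse every domain and return those at or above the threshold,
    highest score first (ties broken alphabetically)."""
    results = [analyze(d) for d in domains]
    flagged = [r for r in results if r["score"] >= threshold]
    return sorted(flagged, key=lambda r: (-r["score"], r["domain"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_DOMAINS):
        print(f'{r["score"]}  {r["domain"]:30s} {", ".join(r["reasons"])}')
```

Run as-is it prints four of the eight sample names, with the homoglyph-obfuscated cure shop ranked first; the beer brand and the bakery stay off the list, and the allowlisted government hosts are skipped before any keyword matching.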

"Google and Android really don't do as well with filtering out malicious apps, and we've seen a huge increase in the amount of mobile apps found in the stores related to coronavirus," Wright said. "A fake coronavirus map of how it's spreading or some kind of healthcare-related app that alleges to give advice on tracking locations and things like that. There are a lot of malicious apps going into the app stores right now."

Wright and Maor said app stores are now loaded with spyware, malware, adware, and other malicious, information-stealing apps that also make a variety of false claims to lure you in, from the ability to find people infected near you to ones hawking dubious medical advice. 

But cybercriminals have also expanded attacks to take advantage of the fact that most countries are under quarantine, forcing millions to now work from home.

"One of the most interesting things for me in the report was when we decided to see what criminals are talking about when it comes to remote work applications. We looked at the chatter and CVEs from 2017 or 2018 had zero chatter, and then all of a sudden in January it spikes. In January, February, and March, stuff around Zoom and Webex suddenly saw a lot of interest," Maor said. 

"They're really looking at how to take advantage of the workforce being at home. Everyone is expecting phishing, but now everybody is using Zoom, Webex, Teams, and Hangouts. The attackers are really looking into how they can use that for different attacks. It's now become the talk of the day about the issues with Zoom, how we keep our information safe, and how vulnerable it is."


In addition to discussion on cybercriminal sites about how to exploit remote working tools, state-sponsored groups from North Korea, Russia, China, Pakistan, and other nations are also looking at ways to take advantage of the situation, according to Wright and Maor.

The security issues with workplace tools have been well documented by the press, but the problem is only going to get worse as criminal actors online have more time to expand their efforts and find more vulnerabilities with widely used tools like Zoom, Slack, and others.

Many malicious actors know security is more lax when people are at home and away from company IT teams or security perimeters, making them easy targets for fairly simple attacks. 

While some would question why state-sponsored groups would be attacking other countries at a time when the entire world is struggling to contain the virus, Wright said there were no tactics considered out of bounds when it comes to digital attacks. 

"From the state-sponsored point of view, this is ideal for them. Bad guys, whether they're cybercriminals or working for a government or military, they're looking for the easiest way possible to get network access and get the information they need from their adversaries. If that means using coronavirus and this pandemic as a lure, and that's the easiest point of entry, that's definitely what they're gonna do," said Wright, who spent years working for the NSA as a Chinese offensive operative.

"When it comes to cyberespionage and threats, they'll be more likely to use tactics like using a Zoom vulnerability or a Webex vulnerability to gain access to that device in general so that they can collect some kind of valuable information. If they knew that one of my customers is a very big auto manufacturer, then they're going to try to pivot from me into the network of that customer using a phishing email or some kind of intrusion like that. They're just using it as one tool to get access to what they need."

According to Wright, there has also been an uptick in state-sponsored disinformation related to coronavirus, with some state actors attempting to promote division and distrust in institutions like the free press, civil society groups, and non-governmental organizations.

One of the main themes of the report is how cybercriminals and state-sponsored groups have used the coronavirus pandemic to fit whatever their real aims are, whether it's stealing information, stealing money, or sowing division.

Both Wright and Maor said everyone needs to make sure all their devices are patched and generally be wary of clicking on anything coronavirus-related unless it comes from an approved news outlet or government source. 

For those working from home, staying on VPNs is vital, both researchers added. They noted that many people may find VPN connections slow or cumbersome and decide to opt out of them, but when accessing business information, it was important for people to always use secure connections. 

"We have to keep in mind that there is no place like work. When you're at work, you have firewalls and all kinds of protections. When you're at home, your company is probably protecting you with some form of endpoint protection, but when you're outside of those walls, you're much more exposed to different kinds of attacks," Maor said. 

"The criminals have been talking since January about how to manipulate and take advantage of Zoom, and they know people are out there using these technologies and making mistakes, creating logical and physical bridges between networks, bringing files from unsecured areas. It all creates problems."

Wright added that companies should do third-party risk assessments of their network, and for larger companies, security checks were needed for any suppliers or partners as well to make sure all parts of a supply chain were complying with security guidelines. 

These kinds of assessments can check the web for any discussion of vulnerabilities criminals may be looking at in relation to your enterprise, Wright added, saying companies can look for any attack indicators or leaked credentials.

The key thing both experts said is that anyone can be attacked. Maor spoke at length about attacks on nurses and doctors as ways cybercriminals can attack hospitals, even at a time when they're working hard to save lives. 

"Everyone is a target. It's not just these. Other collaboration tools will be targets, and any form of collaboration needs to be under scrutiny. Pay attention because we are changing the way that we're working, but not all of us are used to working from home and what some of our actions may mean down the line," Maor said.

"There is no taboo topic or sacred ground. If they can use it, they'll use it." 
