Cybercriminals timed attacks to spike during peak uncertainty about the coronavirus

Mimecast's "100 Days of Coronavirus" report shows 33% overall increase in cyber threats ranging from malware to impersonation attacks.


Bad actors matched their cyber attack strategy with the increasing uncertainty of the coronavirus epidemic, according to a new analysis from Mimecast.

The "100 Days of Coronavirus" report analyzed malicious activity during the first three months of 2020 and found that the monthly volume in every category of attack increased 33% as governments around the world responded to the epidemic. Criminals used the fear and uncertainty around the virus to craft specific attacks to take advantage of the new working and living conditions caused by lockdowns around the world. Specific activity included:

  • Blocking of URL clicks increased by 55.8%
  • Malware detections increased by 35.16%
  • Impersonation detections increased by 30.3%
  • Spam/opportunistic detections increased by 26.3%

Carl Wearn, Francis Gaffney, Kiri Addison, and Jonathan Miles of Mimecast's Threat Intelligence team analyzed 14 weeks of threat activity from Dec. 31, 2019, through March 30. The team compared this activity against significant events in the pandemic, such as China implementing lockdown measures in January, the WHO-China Joint Mission in February, the start of Italy's lockdown in March, and the stock market crash at the end of March.


Mimecast analysts wrote in the report that threat actors used pattern-of-life analysis around the pandemic to time certain kinds of attacks and increase the chance of success: "These actors are often opportunistic and inventive, and will seek to exploit the public's, governments', and organizations' fears, in order to perpetrate malicious activity."

Spam, impersonation, malware, blocked clicks, and web- or domain-based threats all increased significantly during the period covered by the report, with the biggest spikes happening from March 2020 onward as threat actors "clearly pivoted to heavily exploit the pandemic as a key theme of global concern and, therefore, representing a huge opportunity for exploitation, compromise, fraud, and theft."

Coordinating cyber attacks with intensified anxiety

Over the 14 weeks that Mimecast analyzed, detections increased during seven weeks, decreased during five weeks, and showed no change during two weeks. The banking vertical and the professional services sector faced the most attacks during the first week of the year. Bad actors then shifted their focus to retail, wholesale, and manufacturing companies.

Week 6, Feb. 3-9, was one of the worst weeks for attacks. It came immediately after the first reports of COVID-19 infections in the UK, Italy, and Spain, when increasing uncertainty made people more likely to fall for social engineering attacks as they looked for information about the outbreak.

Week 11, March 9-15, had the highest volume of attacks, with 32.5 detections of malicious activity. Lockdowns began in Italy at the start of this week and in Spain, the US, and the UK in the following week.

Impersonation attacks were high throughout the time frame analyzed in the report, and the authors suggest that the "declaration of the pandemic has given the shift to this attack vector a renewed impetus and importance."

The authors wrote that threat actors are also exploiting this period of increased disruption and uncertainty to attempt ransomware insertion into any vertical possible, making increased use of every available attack vector. The report also found that Chartres, Cryxos, and Zmutzy malware were observed in significant-volume campaigns during the period covered by the report, and these should be considered key threats in the weeks ahead.

How to harden cyber defenses

The report authors recommended that security teams take these actions to defend against cyber attacks:

  • Enforce unique password policies and enable two-factor authentication
  • Remind users how to detect social engineering and spot fraudulent behavior
  • Harden networks against the increased threat of Emotet infections
  • Ban Internet Explorer and Flash plugins to reduce the risk of ransomware
  • Review service-level agreements with partners, particularly in retail and manufacturing organizations
  • Consider blocking image-based file types
  • Consider decommissioning any assets that use Windows 2007
  • Make sure VPN software is updated regularly
  • Encourage employees working from home to change default passwords for routers and enable firewalls

The authors also identified these particular areas of risk.

Assets
Most organizations lack a complete view of their internet-facing assets, which make up a large and complex attack surface. Shadow IT is one cause of this lack of visibility.

Some of the key shadow IT assets are hosts, domains, websites, certificates, third-party applications, and third-party components. Because these assets are often overlooked and unmanaged, they are not regularly patched or security tested. These operating systems, frameworks, and third-party applications can quickly age and become vulnerable to common hacking tools and techniques.

Managerial and policy implications
The authors found that weak governance compounds the problem of defending against cyber attacks and makes it difficult for organizations to mount a united defense. Companies and their partners must share techniques to make it easier for everyone to identify, detect, and respond to threats.

The inability to create a governance structure for information-sharing among organizations and with the government, for example, means that many attacks are not identified, prevented, or remedied.

5G
The authors warn that the expansion of 5G networks will create a period of increased vulnerability and disruption: "5G will also present an increased exposure platform for attacks, offering more potential entry points for attackers to utilize. 5G topology will be increasingly based on software, and the associated risk and security flaws resultant from poor software development processes by suppliers will gain in importance."


[Figure: Mimecast timeline of malicious activity, Q1 2020] Mimecast analyzed the volume of malicious activity during the first quarter of 2020 and found that attackers increased the intensity of attacks during the moments of highest uncertainty of the coronavirus pandemic. Image: Mimecast