With more than 2.5 million people across the world having contracted coronavirus and more than 165,000 having died from it, the world’s focus is almost entirely consumed by the response to the global pandemic.
Unfortunately, cybercriminals are using this time, while we are distracted, to propagate their attacks, as the examples on the Government’s Scamwatch website show.
“Is the pandemic only a physical threat to us, or has the virus become a threat in the cyber domain too? Any big trend or any big event in the physical world will always have a reflection in the cyber domain,” said Vitaly Kamluk, director of the Global Research and Analysis Team (GReAT) for Asia Pacific at Kaspersky.
Kaspersky researchers have detected a seven-year-old worm resurfacing in Vietnam and in other APAC countries. Nobody rewrote it: its own automated behaviour has resurrected it, with the files it drops now carrying “hot phrases” about the current coronavirus situation, which makes them relatable to the people who find them.
After spotting the self-propagating malware in the wild, Kamluk noted that it automatically adapts to the COVID-19 pandemic: a computer parasite piggybacking on a hot topic, with the coronavirus serving as the “carrier” for its cyber counterpart.
“Using the names and popular terms related to the current pandemic simply elevated the probability of this worm being opened by another user after it was copied to a network share or a USB drive,” said Vitaly Kamluk, director of the Global Research and Analysis Team (GReAT) for Asia Pacific at Kaspersky.
Below are the names of the detected malware files:
- BC rut kinh Nghiem COVID.exe
- Tuyen truyen dich COVID 19.exe
- 2KH CXUNG KICH COVID.exe
- KE HOACH COVID GIAI DOAN 2.2020. chuan.exe
Translation from Vietnamese:
- BC learned from experience COVID.exe
- Propagating translation COVID 19.exe
- COVID PLAN GIAI DOAN 2.2020. standard.exe
Working from home securely
With strict social distancing regulations in place across Australia, businesses had to rush to find working-from-home solutions. Decisions made under that kind of pressure often lead to bad outcomes on the security front: projects that would otherwise have been planned out over months were expedited to a ‘just make it work’ deadline of a few days, with shortcuts taken along the way.
Sending people home is the easy part; enabling them to connect back to the office securely is another matter. One example of a quick decision with massive security implications is simply enabling RDP access from the public internet: an RDP port exposed to the internet invites credential brute-forcing and exploitation of any unpatched RDP flaw. Instead, remote access should go through a properly configured, enterprise-class VPN (ideally with the 2FA discussed below), so that the session is encrypted end to end and RDP is never reachable from the internet directly.
At home, employees connect corporate devices to their private WiFi networks to get their work done. The transition to the NBN fortunately means that most Australians replaced their router, so most home networks should at least be using WPA2 (worth confirming rather than assuming). That is not the end of the story, though: an increasingly popular attack is DNS hijacking.
When DNS hijacking is done at the router level, it preys on the fact that far too many people leave the default admin password on their router. If a cybercriminal gets into the router, they can change the DNS servers it uses and hands out to connected devices, so that requests for legitimate websites resolve to a malicious site instead. Because the change is made at the router, every device on the network is affected. Changing the default admin password, disabling administration from the WAN side and keeping the router firmware current are the basic defences.
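A quick way to check for this from a laptop on the home network is to ask the router’s resolver and a trusted public resolver for the same few sensitive hostnames and compare the answers. The script below is an added example, not code from the article or from Kaspersky; it hand-builds DNS queries over UDP so it needs nothing beyond the Python standard library. The router address (192.168.1.1), the trusted resolver (1.1.1.1) and the canary names are assumptions to adjust for your own network.

```python
"""Compare the router's DNS answers with a trusted resolver's answers.

Added example, not from the article or Kaspersky. Assumptions (adjust):
the router answers DNS on 192.168.1.1, 1.1.1.1 is the trusted comparison
resolver, and CANARIES are names whose hijacking would matter to you.
"""
import random
import socket
import struct

ROUTER_DNS = "192.168.1.1"      # assumption: the router's LAN address
TRUSTED_DNS = "1.1.1.1"         # assumption: a resolver you trust for comparison
CANARIES = ["login.microsoftonline.com", "www.commbank.com.au"]  # assumption


def build_query(name: str, txid: int) -> bytes:
    """Standard DNS query for an A record, recursion desired (flags 0x0100)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = data[offset]
        if length == 0:                 # root label ends an uncompressed name
            return offset + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes, expected_txid: int) -> set:
    """IPv4 addresses in the answer section; CNAME and other types are skipped."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if flags & 0x000F:                  # non-zero RCODE, e.g. NXDOMAIN or SERVFAIL
        return set()
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, offset)
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolve_a(name: str, server: str, timeout: float = 2.0) -> set:
    """Ask one resolver over UDP/53 and return the A records it gives."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_answers(router: dict, trusted: dict) -> list:
    """Names for which the router's answers share no address with the trusted
    resolver's. CDN-fronted names legitimately differ between vantage points,
    so one shared address counts as agreement; a disjoint set is the red flag."""
    return sorted(n for n in trusted if router.get(n, set()).isdisjoint(trusted[n]))


if __name__ == "__main__":
    router = {n: resolve_a(n, ROUTER_DNS) for n in CANARIES}
    trusted = {n: resolve_a(n, TRUSTED_DNS) for n in CANARIES}
    mismatches = compare_answers(router, trusted)
    for name in mismatches:
        print(f"MISMATCH {name}: router={router[name]} trusted={trusted[name]}")
    if not mismatches:
        print("router and trusted resolver agree on all canaries")
```

One caveat: if the router has been set to intercept all port-53 traffic rather than just changing its own upstream servers, both queries come back with the same poisoned answer. Comparing against a resolver reached over DNS-over-HTTPS or DNS-over-TLS closes that gap, as does checking the router’s DNS settings directly in its admin interface.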
While Australia has done a great job of reducing the spread of the virus, people are still people, and hungry for updated information. The bad guys understand this thirst for information and are using COVID-19-related phishing emails to steal your credentials.
Kaspersky provided a couple of examples of email scams. One hides its payload inside a .img disk-image attachment, a container format that corporate filters blocking known malicious file types by extension tend to let through (and one that Windows 10 mounts on double-click). The other uses the familiar trick of Office documents containing macros, which execute malicious code on the user’s machine once the user enables them.
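The defence against both tricks is to decide on what the attachment’s bytes are rather than on what its extension says. The triage function below is an added example, not code from the article or from Kaspersky: it recognises ISO and raw boot-sector disk images by their magic bytes, legacy OLE2 Office files and zip-based OOXML files, and flags the ones that carry VBA macros. All sample files are constructed in code and none is real malware.

```python
"""Classify attachments by what the bytes are, not what the extension says.

Added example, not the article's or Kaspersky's code. Filters that block on
extension (.exe, .zip, .rar) miss disk images such as .img/.iso, which
Windows 10 mounts on double-click, and Office files carrying VBA macros.
Every sample here is constructed in code; none is real malware.
"""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")     # legacy .doc/.xls/.ppt container
ISO_MAGIC, ISO_MAGIC_OFFSET = b"CD001", 0x8001      # ISO 9660 primary volume descriptor
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsm) is a zip
BOOT_SIGNATURE = b"\x55\xAA"                        # raw FAT/MBR image: last 2 bytes of sector 0
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_STORAGE = "_VBA_PROJECT".encode("utf-16-le")    # directory entry name inside OLE2 files


def classify(data: bytes) -> str:
    """Content-derived label: disk-image, ole2-macro, ole2-document,
    ooxml-macro, ooxml, zip or other."""
    if data.startswith(OLE2_MAGIC):
        # Heuristic: the VBA storage name appears in the OLE2 directory. A real
        # scanner parses the compound file (oletools does); this is enough to triage.
        return "ole2-macro" if VBA_STORAGE in data else "ole2-document"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        if names & MACRO_PARTS:
            return "ooxml-macro"
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "disk-image"
    if len(data) >= 512 and data[510:512] == BOOT_SIGNATURE:
        return "disk-image"
    return "other"


def should_block(filename: str, data: bytes) -> bool:
    """Block mountable images and macro documents outright, and block any
    container whose extension pretends to be something inert."""
    label = classify(data)
    if label in {"disk-image", "ooxml-macro", "ole2-macro"}:
        return True
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    inert = {"txt", "pdf", "jpg", "jpeg", "png", "gif"}
    return label in {"ole2-document", "ooxml", "zip"} and ext in inert


def build_sample_zip(member_names) -> bytes:
    """Constructed sample: an in-memory zip with the given member names
    (a real .docx also carries document.xml, relationships, and so on)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {   # constructed, not real attachments
        "plan_phase2.docm": build_sample_zip(["[Content_Types].xml", "word/vbaProject.bin"]),
        "report.docx": build_sample_zip(["[Content_Types].xml", "word/document.xml"]),
        "covid_update.img": b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x01" + b"\x00" * 64,
        "invoice.pdf": build_sample_zip(["readme.txt"]),   # a zip pretending to be a PDF
    }
    for fname, blob in samples.items():
        print(f"{fname:20} {classify(blob):14} block={should_block(fname, blob)}")
```

The OLE2 macro check is a string heuristic, good enough to triage a mail queue but not a substitute for a proper compound-file parser; the point is that the decision never consults the extension except to catch an extension that lies about the content.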
If the ICT department has the right policies in place, many of the routine attacks will be blocked, but in trying times (home schooling, for instance) bad decisions are easy to make, such as clicking a link in an email without closely examining the sender’s email domain.
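Examining the sender domain is something a mail gateway or a mailbox rule can do for the user. The check below is an added example, not from the article: it parses the From and Reply-To headers, decodes punycode domains, folds common look-alike substitutions (rn for m, 0 for o), and flags a sender whose display name or domain claims a brand that the actual address does not belong to. The PROTECTED mapping and the sample messages are constructed for the example and should be replaced with your own organisation’s trusted domains.

```python
"""Flag a sender address that does not match the brand it claims to be.

Added example, not from the article. It operates on raw message headers,
so the messages below are constructed inline. PROTECTED is an assumption:
replace it with the brands and legitimate sending domains your users rely on.
"""
from email import message_from_string
from email.utils import parseaddr

PROTECTED = {                                   # assumption: brand -> legitimate domains
    "who": {"who.int"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "apple": {"apple.com"},
}
_DIGIT_SWAPS = str.maketrans("0135", "oles")    # 0->o, 1->l, 3->e, 5->s


def decode_idn(domain: str) -> str:
    """Decode punycode (xn--) labels so the human-visible form can be inspected."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def fold_confusables(domain: str) -> str:
    """Fold common look-alike substitutions: rn->m, vv->w, digits for letters."""
    return domain.lower().translate(_DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")


def is_legit(domain: str, legit_domains: set) -> bool:
    """True when domain is one of the legitimate domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def assess_sender(raw_message: str) -> dict:
    """Return {'from', 'suspicious', 'reasons'} for the From (and Reply-To) headers."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return {"from": addr, "suspicious": True, "reasons": ["no usable From address"]}
    domain = addr.rsplit("@", 1)[1].lower()
    reasons = []
    decoded = decode_idn(domain)
    if any(label.startswith("xn--") for label in domain.split(".")):
        reasons.append(f"punycode sender domain {domain} displays as {decoded}")
    folded = fold_confusables(decoded)
    for brand, legit in PROTECTED.items():
        if is_legit(domain, legit):
            continue
        if brand in display.lower():
            reasons.append(f"display name mentions {brand} but address is @{domain}")
        if any(folded == fold_confusables(d) or folded.startswith(d + ".") for d in legit):
            reasons.append(f"domain {domain} looks like {brand} but is not a {brand} domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and reply_to.rsplit("@", 1)[1].lower() != domain:
        reasons.append(f"Reply-To {reply_to} goes to a different domain")
    return {"from": addr, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample headers (not real messages).
SAMPLE_LEGIT = 'From: "WHO COVID-19 Updates" <alerts@who.int>\nSubject: Situation report\n\nbody\n'
SAMPLE_LOOKALIKE = 'From: "Microsoft Support" <security@rnicrosoft.com>\nSubject: Verify your account\n\nbody\n'
SAMPLE_PUNYCODE = 'From: "Apple Support" <noreply@xn--80ak6aa92e.com>\nSubject: Your Apple ID\n\nbody\n'
SAMPLE_REPLY_TO = 'From: "Dr Smith" <smith@clinic.example>\nReply-To: smith@webmail.example\nSubject: Test kits\n\nbody\n'
SAMPLE_EMBEDDED = 'From: "IT" <helpdesk@microsoft.com.evil.example>\nSubject: Password reset\n\nbody\n'

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_LOOKALIKE, SAMPLE_PUNYCODE, SAMPLE_REPLY_TO, SAMPLE_EMBEDDED):
        result = assess_sender(sample)
        print(result["from"], "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

The folding step catches ASCII tricks only; a Cyrillic “а” in a decoded punycode domain is reported as an internationalised domain rather than matched to the Latin brand, so a production version would add a mixed-script check with unicodedata. None of this replaces SPF, DKIM and DMARC on the receiving gateway; it is the header-level check a user is being asked to do by eye, written down.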
Other scams are more egregious: promoting home testing kits, impersonating medical or charity staff to get you to hand over personal information, or straight-up asking for your credit card details.
SMS messages are also being used, with a link to ‘more information’ or to ‘stay up to date’ on the coronavirus. In reality, the link takes users to a website that attempts to install malicious apps on their phone.
How businesses can protect themselves
Kaspersky advises businesses on how they can protect themselves during this time. This includes:
- Ensuring you have an endpoint protection solution in place.
- Sending all logs to a central server that sits off your main infrastructure, so that an attacker who compromises a host cannot quietly erase their trail.
- Locking down physical access to servers and infrastructure while staff are out of the office.
- Making 2FA and biometric authentication mandatory.
There have already been a couple of high-profile attacks since the coronavirus outbreak began. A Czech hospital was hit by a cyberattack and had to announce over the PA system that all staff should shut down their PCs.
The World Health Organisation (WHO), which has had a lot going on lately, was on the receiving end of a phishing attempt. Examples like these are a reminder that we need to keep our ICT systems secure, regardless of how much of our attention the coronavirus outbreak is consuming.
One of the biggest security stories of COVID-19 is the video conferencing platform Zoom. Its free tier and easy setup enticed many users to adopt the platform to stay in contact with friends, family and colleagues.
Over recent weeks there has been a succession of security issues discovered in the platform, which led the CEO to announce a 90-day pause on feature development to focus on securing it.
With Zoombombing a far too frequent occurrence, you want your employees to understand that if sensitive content is being discussed and someone new joins the meeting, the conversation stops, immediately. Requiring a meeting password and using the waiting room to admit participants reduce the chance of it happening in the first place.
The final strategy for keeping employees safe is to ensure they keep up with operating system and application updates. Even in the past week, a series of new updates has been released to fix some pretty serious flaws in most versions of Windows.
While many of your corporate devices may not be connected to the corporate domain (and its internal update servers) at the moment, they should still be able to get updates, directly from the vendor if necessary.
Cybercriminals are also humans
Personally, I thought many of the attacks that propagated through the internet would be scripted to run 24×7, but it turns out there’s evidence that many attacks take a little break on weekends.
In terms of web threats, Kaspersky monitored a steady increase in internet-borne malware from the last week of January to mid-March. Interestingly, there was a consistent decline from then until the first week of April.
Analysis from Kamluk suggests that this was the period when the European Union and other countries started implementing social distancing, strict quarantine and stay-at-home measures.
“The government measures affect the cybercrooks as well, because they are humans too. They have to stay at home. I am not sure if they go to an office, but they also have to take care of their everyday living, like restocking their food supplies and running around looking for items in popular demand, such as toilet paper. These did affect their business for sure, as we saw the number of blocked threats go down,” said Vitaly Kamluk, director of the Global Research and Analysis Team (GReAT) for Asia Pacific at Kaspersky.
Another factor in the decline was companies shutting down at first: operations were halted because remote working tools and policies did not yet exist.
Looking at COVID-19-related threats between February and the first week of April, Kaspersky observed four malware campaigns in which cybercriminals mass-distributed infected URLs and files.
Likewise, there are drops at the weekends, because people working from home still follow their regular office hours, leaving their laptops and work email untouched on Saturdays and Sundays. That means lower online activity and fewer email exchanges, and so fewer opportunities for a lure to land.
On email scams, Kamluk showed a couple of examples of how cybercriminals are unethically riding on the pandemic. He also noted that they keep exploring other means of infecting users, such as avoiding the usual .zip and .rar attachments, which security solutions usually block, in favour of formats that are not.
There is help out there
While cybercriminals will continue to use the pandemic for their financial gain and personal interest, cybersecurity professionals are uniting to stop the online crooks.
The COVID-19 CTI League is a non-profit, voluntary focus group of more than 150 individuals and organisations across the globe that works to take down fake websites, detect coronavirus-related malware and offer incident response in the event of an attack.
Kaspersky is part of this group, alongside other researchers and individuals from the government, academia, and private organisations.
Bitscout is a free, open-source tool that helps respond to a cyberattack. It was developed by Kamluk himself for anyone interested in digital forensics and cyber investigations, and aims to help organisations, especially law enforcement agencies, conduct incident response and analysis remotely, without travelling.
For those interested, there will be a free online training about this tool on April 28, 2020. More information about Bitscout is available at: https://bitscout-forensics.info