COVID-19’s first wave of cybersecurity

David Grey, Senior Manager, NTT, analyses NTT’s 2020 first wave Global Threat Intelligence Report during the Coronavirus pandemic when cyber security risks are at their highest

Here we are a few months on from when our news feeds started talking about a new disease in China and the world has changed in ways we never imagined.

However, while most of us have had to adapt to new ways of working in the pandemic, cyber-criminals and threat actors, as with any global change or major news story, have seen COVID-19 as an opportunity.

Over the last few months, we have seen a massive upturn in phishing attacks (over 37% at the start of the crisis) and attackers seeking to find new vulnerable targets, such as hospitals who have experienced a huge increase in attacks.

In this article, I will be looking back at some of those trends with the aid of NTT’s 2020 Global Threat Report. The report focuses on the global cyber threat landscape including the current COVID-19 pandemic and how cybercriminals are continuing to gain from the crisis.

On a global-scale, threat actors are continuing to innovate – especially where they are having the most success such as web shells, exploit kits and targeted ransomware. It is ransomware that has seen a large increase over the last few months with attackers changing their focus of attack. The main threats which have been observed during the first phase of the Covid-19 cyber-security attacks are:

1. Websites posing as ‘official’ information sources, but host exploit kits and/or malware – created at an incredible rate, sometimes exceeding 2000 new sites per day.
2. Campaigns which distribute Emotet, Trickbot, Lokibot, Kpot, Coronavirus (a ransomware variant), Zeus Sphinx and other malware variants.
3. Attacks which spoof DNS or hijack router DNS settings via weak or default admin passwords.
4. The use of an open redirect which pushes Raccoon info stealing malware to the affected system and prompts the user to download a ‘COVID-19 Inform App’ allegedly from the World Health Organisation.
5. Exploit attempts against a previously known remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices (CVE-2019-19781).
6. A variety of cyber-attacks on healthcare and support organizations responsible for helping people through this health emergency.

Hospitals and the retail sector have come under the greatest pressure. Attackers are seeking to hold hospitals to ransom while they attempt to treat and support patients with the illness. This particular attack vector has kept my team busy for the last two months since NTT announced we will assist, free of charge, hospitals under cyber-attack and dealing with COVID-19.

Unfortunately, it is the same old attack vectors we are all familiar with, rearing their ugly heads. With the rise in remote working we are seeing an increase in the number of brute force attacks on remote access portals as an entry point for attackers. Most hospitals are just not set up to be able to cope with these types of attack and respond effectively.

Retail has also seen big changes with the enforced closure of all but essential traditional bricks and mortar stores during lockdown, with sales falling dramatically as a result. Globally, world retailers have increasingly been turning to the internet and their online portals to make sales. The business effects of COVID-19 in this sector vary greatly, depending on the specifics of the retailer and the wider industry.

We are seeing attackers continuing to focus on the supply chain in target organizations for potential weak spots in security. This is especially true now with so many people working from home (WFH). Businesses are receiving new account holders or are seeing older accounts being reactivated, and not necessarily by the original account owner!

All of this leads to opportunities for attackers to impersonate clients and distribute remote access tools, as well as other malware. There is also a large proportion of the population who may be shopping online more now than before, and are potentially less familiar with the online shopping experience. Less experienced internet users are at much greater risk from attackers attempting to gain their trust from various scams.

So where are we today? It is without a doubt a case of ‘business unusual’ instead of ‘business as usual’. Organisations are struggling to offer a secure WFH capability to their staff in an attempt to maintain operations and these are typically a best effort where security is not necessarily the number one consideration rather than secure by design. As a result, they are either deployed in an insecure manner or with vulnerabilities which have not been mitigated.

Rapid, reactionary change introduces the highest amount of business risk and this has occurred over the last three months at an unparalleled rate. Technology may have been rolled out to support daily operations; however, an organisation’s capability to adapt security policies and procedures to that change is still playing catch up!

The situation will be constantly evolving, as some of us start to return to offices which will gradually improve overall security from the emergency WFH remote solutions implemented by organisations. It is certainly going to be ‘business unusual’ for some time to come yet.

See more cyber news here.