Frequent readers of my blog know that I will not latch onto already-sensationalized stories that every cybersecurity company is covering. My goal is not only to educate but also to entertain, by covering some of the more obscure cybersecurity stories that I believe are not receiving enough attention. I resisted the urge to jump into the coronavirus (also known as COVID-19) maelstrom as long as I could. Still, I would be doing my readers a disservice if I did not cover the depths to which cybercriminals are going to exploit this crisis.
What follows are a few examples of recent exploits. For a technical analysis of recent attacks, be sure to read the ThreatLabZ research blogs on CovidLock Android ransomware and recent coronavirus scams.
Cybercriminals are playing off people’s fears and enticing them to click on malicious links and provide personal information or corporate credentials. Recent phishing emails promise users a variety of information, from the latest infection numbers in neighboring communities or shocking photos that are being hidden by the government to a link to a cure and even the promise of in-stock toilet paper or hand sanitizer. Curious users will click on the links and security professionals will know what happens from there.
Attackers will also exploit people’s sense of urgency and make emails time-sensitive. An email promising free coronavirus testing for the first 10,000 respondents will get a user’s attention, especially those who may not know the warning signs of a malicious email.
Attackers are also using other, similar phishing methods to exploit the coronavirus outbreak. An enticing email or an app in the mobile app store may promise users something in exchange for installing a piece of software on their computer or smartphone. For example, Johns Hopkins University recently created an interactive dashboard of coronavirus infections and deaths that has been copied onto websites that serve drive-by downloads and into malicious apps in the Google Play Store for Android devices.
Security researchers identified a new campaign where attackers are copying the Johns Hopkins map into an Android app. After the user installs the application, it encrypts the phone’s data, transmits the user’s GPS location data, and displays a message to the user that they can only retrieve their files if they pay $100 in bitcoin. Because ransomware attacks are now treated as data breaches, the problem gets much worse for affected users when their data is exposed.
Hackers on underground forums are reportedly selling $700 exploit kits that include Java code that clones the virus outbreak map and allows attackers to inject password-stealing malware, spam, malicious advertisements, or ransomware. The .jar file is reportedly able to make it through popular webmail filters such as Google's Gmail and can also successfully exploit a system running a fully patched version of Java.
With no cure or vaccine in sight, scammers are taking advantage of public anxiety to push pharmacy scams promising treatments or protection against the novel coronavirus. These pharmacy scams are peddled through spam email, Google search results, insecure web pages, and comment spam. Security researchers recently tracked a comment spam campaign directing users to shady pharmacy sites promising a cure or vaccination against the virus.
Comment spam is often executed by bots or automated scripts to post content that will remain on a site indefinitely or until a moderator deletes the spam comment. Why would attackers go through all this trouble? The answer is, as always, money. Spammers often receive a percentage of sales from scam sites and, due to the rise in popularity of the term coronavirus on popular search engines, spammers are going to ride the wave to increase their traffic and profits.
With public gatherings limited or prohibited, work-from-home policies and business continuity plans allow workers to continue performing their duties from home. The sudden introduction of remote access solutions at scale adds work and complexity for an already overworked IT and security staff. With more remote users and not enough technical staff to support them, the attack surface available to criminals grows.
First, traditional remote access solutions such as VPNs or firewalls must accept inbound connections from the internet. If organizations do not keep these appliances adequately patched and updated, a known vulnerability in an exposed appliance can give an attacker unauthenticated access into the corporate network. In a rush to get more remote access appliances online as quickly as possible, organizations may bypass traditional security reviews and change management procedures to onboard more remote VPN users and allow the business to continue unaffected.
Social engineering attackers could call into the help desk to get user credentials reset. With the onboarding of a significant number of remote access users, a sophisticated attacker could easily use social engineering techniques to persuade an IT helpdesk employee to provide access to the corporate network.
Once an attacker gains access to VPN credentials, the entire corporate network is exposed unless significant network segmentation has occurred. It is difficult to perform substantial network changes in the middle of a crisis, so organizations unaccustomed to supporting a large number of remote workers will be left vulnerable.
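The two scenarios above (a help desk talked into resetting a password, followed by the attacker using the fresh credentials on the VPN) leave a trace a defender can look for: a password reset followed shortly by a VPN login from a location the account has never used. The following detection is an added example written for this post, not code from the original article or from any vendor; the log records are constructed and the field layout and two-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). Timestamps are ISO 8601 UTC.
HELPDESK_RESETS = [
    # (timestamp, account, help desk agent who performed the reset)
    ("2020-03-16T09:05:00", "jsmith", "helpdesk-agent-7"),
    ("2020-03-16T11:40:00", "mlee", "helpdesk-agent-2"),
]
VPN_LOGINS = [
    # (timestamp, account, source country derived from the client IP)
    ("2020-03-10T08:00:00", "jsmith", "US"),
    ("2020-03-11T08:30:00", "mlee", "US"),
    ("2020-03-16T09:22:00", "jsmith", "RO"),   # 17 minutes after the reset, new country
    ("2020-03-16T12:10:00", "mlee", "US"),     # after a reset, but from the usual country
]

WINDOW = timedelta(hours=2)  # assumed correlation window between reset and login


def _parse(ts):
    return datetime.fromisoformat(ts)


def baseline_countries(logins, before):
    """Map each account to the set of countries it logged in from before `before`."""
    seen = {}
    for ts, account, country in logins:
        if _parse(ts) < before:
            seen.setdefault(account, set()).add(country)
    return seen


def suspicious_resets(resets, logins, window=WINDOW):
    """Return one alert per VPN login that follows a help desk reset within `window`
    and comes from a country not in that account's pre-reset history.
    Accounts with no history at all are flagged too: a first-ever VPN login
    right after a reset is worth a look even for a genuine new hire."""
    alerts = []
    for r_ts, account, agent in resets:
        r_time = _parse(r_ts)
        history = baseline_countries(logins, r_time).get(account, set())
        for l_ts, l_account, country in logins:
            l_time = _parse(l_ts)
            if l_account != account or not (r_time <= l_time <= r_time + window):
                continue
            if country not in history:
                alerts.append({"account": account, "reset_by": agent,
                               "login_at": l_ts, "country": country})
    return alerts
```

Running `suspicious_resets(HELPDESK_RESETS, VPN_LOGINS)` on the sample data flags only jsmith's login from Romania; mlee's post-reset login matches prior history and is ignored.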
Lastly, having employees operate remotely means that they are no longer protected by the security stack traditionally housed in a corporate data center. Organizations must rely on VPNs to send remote users' traffic to a data center for inspection and then out to the internet. However, users will often follow the path of least resistance and forgo the VPN for a faster browsing experience, or use it only when they need to reach the corporate network, leaving the rest of their traffic uninspected.
As long as coronavirus remains a top story, expect cybercriminals to exploit the situation by luring victims into clicking deceptive links and installing malicious software. Although this information may seem discouraging, all hope is not lost and readers should not lose faith in humanity. As long as there are bad people to exploit tragedies, rest assured there are guardians of the internet (security researchers) fighting tirelessly every day to keep users safe.
If you need to brush up on some first-line-of-defense tips for protecting yourself or your organization from the kinds of opportunistic attacks being seen worldwide, you can find examples in Forbes, the Department of Homeland Security, and the FTC, among many others. Stay well!
Christopher Louie, CISSP, is a Sales Engineer at Zscaler