We are, as I’m sure you’re well aware, in the midst of a global health crisis. As governments and health organisations around the world work to stem the spread of the virus and ease the anxiety and panic within society, there are those who are maliciously turning this crisis into opportunity.
Our security research teams have identified a number of instances where bad actors are preying on the worries of the public, tainting the good work of people and institutions trying to help, and taking advantage of our increasingly remote workforce for profit. These are troubling times, there is a long road ahead of us, and it’s important that we all be alert to additional threats riding on the coattails of the current crisis and take appropriate precautions.
What follows are examples of recent exploits we’ve been seeing that both businesses and the public need to be aware of.
Phishing on fear
With so much fear having permeated society, cybercriminals are using this to entice people to click on malicious links and provide personal information or corporate credentials. Recent phishing emails promise recipients a variety of false COVID-19 related information, from up to date infection numbers in their locality, shocking images that governments are supposedly hiding from us, and even a link to a cure. Panicky and curious users who click on these links will often find that malware infects their devices.
Attackers will also go so far as exploit people’s sense of urgency and make emails time-sensitive. It’s a similar psychological trick to how online retailers may use flash sales to lure us to make a purchase on-the-spot, although what a user gets is a lot worse than a little buyer’s remorse. An email promising free coronavirus testing for the first 10,000 respondents will get a user’s attention, especially those who may not know the warning signs of a malicious email.
Ransomware in sheep’s clothing
Attackers are also using coronavirus fears to draw people to bogus, malicious apps. Most recently we found one app that presented itself as a means to track the global spread of the virus, when in fact it had a ransomware payload. To confuse and entice users these will sometimes be built on the genuine work of professionals. For example, Johns Hopkins University recently created an interactive dashboard of coronavirus infections and deaths, which has now been copied onto websites utilising drive-by downloads and malicious apps in the Google Play Store for Android devices.
Security researchers identified a new campaign where attackers are copying the Johns Hopkins map into an Android app. When the user installs the application, it encrypts the phone’s data, transmits the user’s GPS location data, and displays a message to the user that they can only retrieve their files if they pay $100 in bitcoin.
This is already turning into a lucrative black market business. Hackers on underground forums are reportedly selling £600 exploit kits that include Java code that clones the virus outbreak map and allows attackers to inject password-stealing malware, spam, malicious ads, or ransomware. Worryingly, the .jar file is reportedly able to make it through popular webmail filters and can also successfully exploit a system with a fully-patched version of Java.
Working from home woes
With public gatherings currently prohibited, remote working policies and business continuity plans are enabling workers to continue performing their duties from home. Whilst flexible working policies have been part and parcel of the modern workplace for some time, the sudden introduction of remote access solutions at scale is introducing additional work and complexity to an already overworked IT and security staff. As remote users increase, and with a limited number of technical staff to support them, it exposes a far larger attack surface for criminals to exploit.
As the scale of the need to support remote workers appeared so quickly, it’s possible that in the rush to get more remote access appliances online as quickly as possible, organisations may have bypassed traditional security reviews and change management procedures. This will have been done for benevolent reasons, most likely preventing any major disruption and ensuring business continuity, but it creates vulnerabilities within the remote access system.
For instance, traditional remote access solutions such as VPNs or firewalls need inbound access to listen for incoming connections. If organisations have not kept their appliances adequately patched and updated due to the rush, it could lead to unauthenticated access into corporate networks.
With so many employees working remotely, social engineering attackers could more convincingly call into the help desk to get user credentials reset, as this would be chalked down to a common hiccough associated with the onboarding of a significant number of remote access users. Once an attacker gains access to VPN credentials, the entire corporate network is exposed unless significant network segmentation has occurred. Network changes during a crisis are difficult, and may not be seen as top priority, so many organisations unaccustomed to supporting a large number of remote workers may well have been left vulnerable.
Lastly, the very nature of human psychology may put networks at greater risk. Employees working remotely are no longer protected by the security stack traditionally housed in a corporate data centre. Organisations rely on VPNs to send their traffic to a data centre for inspection, then out to the internet. However, end users are likely to take the path of least resistance in aid of getting their jobs done more efficiently, and forgo using a VPN for a faster browsing experience, or only use the VPN when they need to access the corporate network.
Be alert to cyberthreats
So long as coronavirus continues to disrupt our lives, both personal and professional, expect cybercriminals to exploit the situation by luring victims into clicking malicious links and installing malicious software. With all that’s going on in the world already this is a disheartening truth, but by following remote working organisational procedure, being more suspicious than ever of what you click and download, and trusting that the cybersecurity community is working tirelessly to stop these threats in their tracks, you can limit yours and your employer’s exposure.