As the world faces uncertainty in the current situation, there is one group seizing the moment: digital scoundrels. But how do they operate and what kind of cyber attacks can we anticipate during these times?
This article was first published on the Norwegian blog on March 13th, 2020. You can read the blog post here (in Norwegian).
The COVID-19 situation is resulting in significant changes to business as usual. People are being asked to work from home, avoid public transport during rush hour and practice other social distancing measures.
During this period of uncertainty, there is one group now rejoicing: the digital scoundrels.
There is no patch for Corona. Businesses are affected regardless of their operating system. Bruce Schneier’s words have never sounded clearer, though I hardly think it was a pandemic he had in mind when he uttered:
“If you think technology can solve your security problems, you don’t understand the problems and you don’t understand the technology.”
Several of the people who have conducted risk assessments in recent years have included pandemics and natural disasters under “accessibility risks”. But more than one recipient has probably rolled their eyes and thought: “What a fool”.
The reason why this risk has been included is the frequent occurrences of new viruses that have challenged the world’s health and technology systems such as SARS and MERS.
For many businesses, especially those critical to the country’s infrastructure, the main focus now is to keep systems running so that everyday life goes on as normally as possible.
This, naturally, can be quite challenging when most employees can’t go to work because they are quarantined or have to work from home with reduced resources. At such times, cyber-attackers can capitalise by taking steps to potentially expand the attack surface and make IT systems extremely vulnerable.
Attackers love disruptions that draw attention away from security
ECB (European Central Bank) has informed financial institutions that it is now critical that they prepare for attacks on banking systems as a consequence of reduced operational power due to COVID-19. If there is something attackers love in a business, it is disruption. The more disruptions, the less control the business has.
According to Bloomberg, ECB writes that banks must now expect a substantial increase in cyber-related attacks against customers, their own employees and their own infrastructure.
In addition, reduced capabilities are expected due to the fact that few have tested and trained for how to stay operational when many people are connecting from remote places.
Does the organisation have enough technical infrastructure to support this situation? Does the organisation have a well-communicated plan for how to operate this way for a longer period of time?
Creating an understanding of the threats you are faced with, whether as a private individual, employee or company, is important to ensure that your data is secure and not misused in any way.
Typical attacks that can happen right now
An obvious target area is the increased exposure of networks and remote devices, as many now will open up their systems more to support remote work. Employees should expect an increase in scams trying to access devices that connect to headquarters or user access.
The dataflow may now change as you must compensate for lacking possibilities and resources, even if you still have the same needs as earlier.
Perhaps you need to use equipment that is outside of your company’s management tools, or you have to move data between systems or zones that you otherwise would not have allowed.
Reduced manpower has also impaired the ability to respond to alarms and incidents. Staffing, expertise and clear roles with well-defined responsibilities are what is now needed to save a business from losing control.
Unfortunately, exercises on a scale like this are rarely something an organisation plans for, or even trains for at all.
The World Health Organization said in 2019 that one could expect the coronavirus to be abused via scams. Reports indicate that this is already happening, as one of the most popular methods is to send out emails purporting to be from WHO, asking the user to enter personal information and click on links.
At the same time in Norway, some shameless scammers have gone door to door (link to the news article in Norwegian) claiming to be health professionals to get into people’s houses.
The attackers exploit the fear of the coronavirus
Fear of the corona pandemic has caused threat agents to exploit the situation for everything it’s worth. ThreatPost reports increased malware attacks with coronavirus campaigns, malicious URLs and credential stuffing. Credential stuffing is lists of usernames and/or passwords used in automated attacks where scripts and/or bots try to access online services and social networks.
They also report on emails with malicious PDFs that appear to have information about COVID-19. The quality of the malware is often high, and cannot always be detected or prevented by antivirus or firewall solutions.
Other emails have links to pages that encourage you to download files with information about COVID-19. Clicking on these links establishes an encrypted connection to external file servers. Downloading the document and opening it will install malware on your machine. Here, the machines can become part of a botnet or install ransom viruses, keyloggers, and so on, depending on what the threat agent is trying to achieve.
There are also websites that trick you into believing they have information about the Covid-19 pandemic, such as Corona-Virus-Map (Don’t go to that page!).
American Banker reports that this page has a global map showing the spread of COVID-19, similar to what you find on Johns Hopkins pages. But, unlike Johns Hopkins, this site spreads a type of malware known as AzorUlt, a spyware that steals usernames and passwords, among other things.
Don’t forget to maintain safety during these times
Many businesses are today uncertain what the future will bring in the coming months. For many, their fixed income is dwindling, and it’s uncertain what will happen tomorrow.
Data security is not necessarily the main focus area at the moment, which is understandable – but at the same time, not focusing enough on this can create additional problems for organisations.
Many IT executives are now finding themselves in a situation that might feel extremely difficult to manage. The black swan has landed and the risk now is that the Medusa effect will guide the way moving forward. However, this is not a Kobayashi Maru scenario. The task becomes the good old riddle; how to eat an elephant? One bite at a time.
Want to read more about cybersecurity? Click into our Cybersecurity blog archive.