Thanks to the quick transition to remote work due to the current global pandemic – coupled with cybercriminals’ penchant for taking advantage of fear, uncertainty, and doubt – security researchers have seen a surge in cybersecurity issues. Cybercriminals have been quick to exploit newly deployed access devices, novice teleworkers, vulnerable home computers and networks, and overworked IT teams. Many have even temporarily shelved traditional network-centric attacks to target new security gaps and vulnerabilities that allow them to gain access to valuable data and resources. In April alone, for example, the FBI received 3,000-4,000 daily cybersecurity-related complaints from US businesses and users, a steep increase from the average of 1,000 per day.
Of course, threat researchers know that significant social events are usually a catalyst for new threats to emerge. Whether it’s a pandemic, the World Cup, or some other significant event, there are always bad actors looking to exploit others during times of crisis. Over the last few months, FortiGuard Labs has been actively tracking global threat telemetry and attack campaigns related to the pandemic, including information stealers, trojans, ransomware, and the effectiveness of social-engineered lures. This has revealed the following recent trends:
• The largest spike in email attacks was April 2, which saw 330 separate COVID-19 email campaigns.
• April also saw the highest volume of malicious email campaigns, with over 4,250 COVID-19-related events in total.
• Most emails carried malicious .DOCX and .PDF attachments (.DOCX being the most common), with ransomware being the most prevalent attachment.
• Interestingly, the numbers of these attacks have been steadily declining since April, with 3,590 email campaigns in May and 2,841 in June.
Three of the key bad actor activities I have seen these past few months are the exploitation of emotions to commit cyber fraud, the rise of spear phishing, and the increased risks brought on by working remotely.
Exploiting Emotions for Financial Gain
From a social engineering point of view, cybercriminals are maximizing the panic component of this pandemic – and specifically the shortage of medical equipment and supplies. Our threat researchers have seen campaigns focused on hospitals, medical equipment manufacturers, and health insurance companies. The Centers for Disease Control (CDC) and the World Health Organization (WHO) both reported in April that malicious actors were spoofing phone calls and perpetrating email campaigns designed to look as if they were coming from them.
Phone campaigns either solicited donations or pretended to be selling essential medical supplies. And phishing emails included ersatz invoices for supplies never ordered, or claimed to be providing critical medical information or updates. Instead, of course, these emails included infected documents or links to compromised websites.
Spear-phishing is Also on the Rise
In addition to generic, broad-spectrum attacks, we have also seen a surge in highly targeted campaigns, with attacks particularly preying on the medical supply shortage. One malicious spear-phishing campaign we recently observed targeted a medical device supplier. In this attack, rather than offering supplies for sale, the attacker posed as a buyer inquiring about various materials needed to address the COVID-19 pandemic, citing high demand. To create a stronger sense of urgency, the email included a compelling statement that the sender had already tried to reach the recipient by telephone.
In this case, the email contained multiple misspellings, such as in the subject line, “Inquiry on Medical Sipplies – [company name REDACTED.inc].” It also contained an attachment purporting to contain details of the inquiry, which was misspelled as well. Misspellings and poor grammar are often telltale signs of scams. The goal in this case was clearly to interrupt the supply chain of medical goods needed to save lives.
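As an added example (not code from the original article), a small triage scorer that flags inbound messages showing the lure traits described above: a COVID-19 or medical-supply theme, a manufactured sense of urgency, misspellings of key words, and an Office or PDF attachment. The indicator lists, the review threshold, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator lists and the review threshold are assumptions for illustration.
THEME_WORDS = {"covid", "covid-19", "coronavirus", "pandemic", "medical", "supplies", "ppe"}
URGENCY_PHRASES = ("tried to reach you", "urgent", "immediately", "high demand")
MISSPELLINGS = {"sipplies", "suplies", "inquirey", "medcal"}
RISKY_EXTENSIONS = (".doc", ".docx", ".docm", ".pdf")
REVIEW_THRESHOLD = 3

def score_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return the lure indicators it triggers."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['Subject'] or ''} {body}".lower()
    words = set(re.findall(r"[a-z0-9-]+", text))
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    hits = {
        "theme": sorted(words & THEME_WORDS),
        "urgency": [p for p in URGENCY_PHRASES if p in text],
        "misspelling": sorted(words & MISSPELLINGS),
        "risky_attachment": [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)],
    }
    score = sum(len(v) for v in hits.values())  # one point per indicator hit
    return {"score": score, "hits": hits, "review": score >= REVIEW_THRESHOLD}

def build_message(subject: str, body: str, attachment: str = "") -> bytes:
    """Build a constructed test message; the attachment body is a dummy blob."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"dummy bytes, not a real document", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

# Constructed samples: one modelled on the lure described above, one routine message.
LURE = build_message(
    "Inquiry on Medical Sipplies - Example Corp",
    "We tried to reach you by phone. Due to high demand for COVID-19 supplies, "
    "please review the attached inquiry details.",
    "Inquiry_Details.docx",
)
BENIGN = build_message("Team lunch on Friday", "Please reply if you can join us at noon.")

if __name__ == "__main__":
    print(score_message(LURE), score_message(BENIGN))
```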
Remote Work Introduces New Attack Vectors
Cybercriminals are well aware that times of rapid transition can cause serious disruptions for organizations. In the rush to ensure business continuity, things like security protocols can get overlooked or set aside for the sake of expediency. And as always, cybercriminals are looking for any opportunity to take advantage of inadvertent security gaps.
In this case, once the world suddenly found itself in lockdown, an unprecedented number of unprotected users and devices were online all at the same time. In any home, there are likely two or more people connecting remotely to work through their home internet connection. There may also be one or more children engaged in online school, let alone participating in online gaming communities or other social activities.
Another complicating factor is that not every organization was able to acquire enough laptops for every employee who now needs to work remotely. Consequently, many teleworkers were forced to use their personal devices to connect to the corporate network – devices that are almost never as secure as their corporate-issued counterparts.
What makes this so dangerous is that these devices don’t even need to be attacked directly to be compromised. They’re also attached to unsecured home networks, which open up other attack vectors, including vulnerable IoT devices or gaming consoles connected to the same network. The goal is then to find a way back into the corporate network and its valuable digital resources, where data can be stolen and malware can be spread to other remote workers. This is especially damaging because remote workers don’t have the luxury of walking over to the help desk to get their computing system restored. If device issues cannot be resolved by troubleshooting over the phone, the device needs to be mailed in, leaving the employee offline for days.
Getting Back to Basics
As a security professional, you understand the importance of training and cyber hygiene. It’s essential, however, that we not let our guard down in the current heightened threat landscape. Here are four key areas to strengthen in your organization:
• Enforce cybersecurity hygiene: I recommend that all IPS and AV definitions be kept up to date on a continual basis. Also maintain a proactive patching routine whenever vendor updates become available. If patching a device is not feasible, we recommend conducting a risk assessment to determine additional mitigation safeguards.
• Update critical security technology: The most effective security strategy is to engineer risk out of the system. Ensure that secure email gateways and web application firewalls are equipped with sandboxing and content disarm and recovery (CDR) technologies to identify and block risky file types and phishing attacks, and to disarm threats before they reach the user. And ensure that endpoint devices have the latest endpoint detection and response (EDR) software to prevent active threats from executing.
• Accelerate end-user training: Conduct ongoing employee training sessions to inform them about the latest phishing/spear-phishing attacks, and to remind them to never open attachments from someone they don’t know. End users also need to be trained to spot social engineering attacks, and evaluated using impromptu test emails sent surreptitiously by the security team.
It’s amazing how foundational security principles, consistently implemented, can help defeat the craftiest attack vector. And it’s equally amazing how few organizations actually do these things with any consistency. However, by committing to focusing on the three activities laid out above, your organization will be much better prepared to defend against attackers looking to exploit the pandemic.