Poll: Likely COVID-19-Themed Attack Vectors

March 17, 2020 | Ask-An-Expert Writeups | Malware and Advanced Threats | By IANS Faculty

The Challenge: Understanding the Risks

The security team for a large organization is worried about attackers taking advantage of the uncertainty surrounding the COVID-19 epidemic. Specifically, the team asks:

  • Which technologies and procedures are most vulnerable to attacks looking to exploit everyone's COVID-19 distraction?

Marcus Ranum: It opens new avenues for social engineering, especially with a lot of new work-from-home employees. For example, an attacker could contact support and say, "Hey, I haven't got my setup here working and I have a virtual meeting in 15 minutes. What do I need to do to get onto the corporate VPN?"

Chris Nickerson: I just coughed my way into an office. Physical attacks are far easier than ever.

Josh More: Phishing attacks leveraging COVID-19-related pretexts are big. For procedures, anything that requires a two-person approval or things like key segmentation are at risk of social bypass.

I'm not sure these fit, but I strongly suspect we will see a spike in people using things like LogMeIn and publicly exposed Remote Desktop Protocol (RDP) so they can work from home more easily – mostly in less-structured, less-prepared firms.


Anton Chuvakin: Taken a bit more broadly, VPN is a big vulnerability due to rapid expansion of VPN servers perhaps secured with less care.

I agree, rapid changes to accommodate remote access will create problems. Also, expect social attacks on helpdesks to kick up, too.

In addition, there will almost certainly be another "catastrophic" vulnerability dropped during this time period, so everyone should have plans for how to respond.



Ken Pyle: Attacks against online storefronts, payments and cards – particularly carding. With everyone going nuts buying, behavioral fraud filtering is useless and carding within a geographic area will be fruitful. ATM attacks will be as well.

Two-factor authentication can also be compromised through operational attacks. Expect advanced persistent threat (APT) groups to start hitting high-value targets with ransomware and denial-of-service (DoS) attacks, since people need access more than ever.

Also, expect to see online gaming and gift card scams. There are lots of vectors here, but spam campaigns selling codes or compromising of accounts should be expected. Remember, everyone’s kids are home and they’re probably online.

In addition, pump-and-dump stock schemes will definitely thrive, as will “magic cure” scams.


Aaron Turner: On the tech side, email attacks are bad enough now that the Department of Homeland Security (DHS) has issued warnings about them. Also, several companies I work with have begun publishing applications through firewalls due to VPN overload.

On the procedures side, banks are creating exceptions to their wire transfer rules because people are stuck overseas due to travel restrictions.



Jennifer Minella: Anything that breaks a currently defined procedure as an exception. Things that don't follow strict change management, including documentation, will create vulnerabilities not just now, but after this passes because no one will remember to go fill the holes they made in the name of emergency.

If I were an attacker, I'd do two things:

  • Target staff supporting remote access. Support staffers are getting tons of calls for troubleshooting with users and I'd expect that to lead to issues.

  • Target workers having difficulties working remotely. In particular, I expect attackers to use TeamViewer and LogMeIn Rescue to provide "remote troubleshooting assistance" for employees.

As for technologies, consider the remote access technologies currently being used by your organization and let users know the specific remote support technologies that will be used if needed (e.g., telling employees you will only use TeamViewer can stop them from being tricked into running LogMeIn Rescue on behalf of an attacker).

Targeting remote workers is the easier of the two and the thing I'd do first as an attacker. However, I would start targeting attacks on support personnel as soon as I could put together an attack plan and infrastructure (which most attackers will likely have in place before the end of the week).


Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.
