Indicators of Compromise: Identify the Latest COVID-19 Attacks

March 20, 2020 | Ask-An-Expert Writeups | Malware and Advanced Threats | By Ken Pyle, IANS Faculty

The Takeaway

COVID-19 is providing external threat actors, particularly organized groups and advanced persistent threats (APTs), with a significant, new attack surface. A number of novel and repurposed attacks are emerging, in addition to new vectors targeting the confidentiality, integrity and availability (CIA) of corporate networks and systems. To combat these threats, security teams must:

  • Proactively monitor for social engineering and client-side attacks: Use gray hat and black hat tools to monitor and model attacks by adversaries.

  • Implement additional factors of authentication: Consider augmenting both authentication and confirmation for remote workers, support and vital functions (e.g., payroll changes).

  • Enhance fraud detection and monitoring: Review corporate expenditures, credit cards and invoices to prevent exploitation of confusion and disorder.

  • Ensure security is never reduced in favor of convenience: Attackers frequently use crisis and disasters to exploit companies. Ensure uniform security policy and implementation across all business functions.

The Challenge

The security team for a large company is analyzing new and emerging risks due to the COVID-19 outbreak. Specifically, the team asks:

  • What types of attacks should we expect to see during the COVID-19 outbreak?

  • What strategies or techniques can we implement to limit exposure and exploitation?

  • What new attacks or exposures should we prepare for?

Healthcare, Government and Manufacturing in the Cross-Hairs

The COVID-19 outbreak is providing criminal actors and APT groups with an unprecedented number of opportunities for attack. APT groups, including foreign military actors, are seizing on COVID-19 to attack their adversaries, promote propaganda and stage ransomware attacks.

Healthcare, government and manufacturing organizations will all undoubtedly see a significant increase in cyberattacks due to COVID-19. These industries are not only critical to the country, but also require high availability. Consequently, we expect to see attacks against availability, such as distributed denial of service (DDoS), ransomware and website defacements, increase significantly in the short term.

What to Watch For

The aftermath of 9/11 and similar conditions can help inform information security decisions moving forward. Organizations should:

  • Configure email filtering systems to key in on terms like COVID-19, COVID, Coronavirus, pandemic and lockdown. After 9/11, threat actors exploited the event for years to spread malware and will likely do so this time.

  • Watch for attacks exploiting remote access. Phishing under the guise of remote IT support and attacks against multifactor authentication (MFA) or remote access solutions will proliferate. Users should be trained heavily on these vectors, and remote support tickets and requests should be confirmed via out-of-band methods, such as phone calls or visual confirmation. In large companies with multiple IT or remote support teams, confirmation phrases or additional identification factors such as cognitive passwords should be considered.

  • Beware of credential stuffing. Third-party use of corporate email addresses as login credentials and breaches of professional websites (like LinkedIn’s loss of 117 million passwords) allow attackers to quickly discover remote access solutions for workers. To meet the threat:

    • Use dark web breach lists and publicly available credentials to ensure your organization’s passwords aren’t vulnerable. Public wordlists are freely available for this purpose. Running a tool such as L0phtcrack against these wordlists and dark web compilations can detect users who have common passwords or reuse them, limiting the efficacy of credential stuffing campaigns and account takeovers.

    • Beware of DNS-based and remote access hacks. Attackers can use a tool like Subbrute to perform brute-force enumeration of DNS records against a domain. They can then collect a target’s domain credential list, brute-force DNS names for remote access solutions (such as CITRIX.YOURCOMPANY.COM or RDS.YOURCOMPANY.COM) and begin a credential stuffing attack using breached credentials. Consider using services like HaveIBeenPwned to monitor user accounts and encourage proper credential management.
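The two checks the bullets above describe, a breach-list match and password reuse across accounts, as an added example that is not part of the original writeup. The account dump and the breach wordlist are constructed stand-ins (a real run would feed a domain dump into a tool such as L0phtcrack with a dark web compilation); SHA-1 is used here only so the example stays self-contained.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Hash a candidate password the same way the stored hashes were produced."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach wordlist (stand-in for a dark web compilation).
BREACH_WORDLIST = ["Password1", "Spring2020!", "Covid19!", "letmein", "Welcome1"]

# Constructed "domain dump": account name -> hash of the current password.
ACCOUNT_HASHES = {
    "alice": sha1_hex("Spring2020!"),
    "bob": sha1_hex("Spring2020!"),
    "carol": sha1_hex("Tq7!vR2m#pLz9w"),
    "dave": sha1_hex("Covid19!"),
}


def find_breached(account_hashes: dict, wordlist: list) -> dict:
    """Return {account: breached_password} for every hash present in the wordlist.

    The wordlist is hashed once, so the comparison is a set lookup per account
    rather than a cracking run; this is what a breach-list audit boils down to.
    """
    breached = {sha1_hex(word): word for word in wordlist}
    return {acct: breached[h] for acct, h in account_hashes.items() if h in breached}


def find_reused(account_hashes: dict) -> list:
    """Return groups of accounts that share the same password hash.

    Reuse across accounts is a credential-stuffing multiplier even when the
    shared password is not (yet) in any public breach list.
    """
    by_hash = defaultdict(list)
    for acct, h in account_hashes.items():
        by_hash[h].append(acct)
    return [sorted(accts) for accts in by_hash.values() if len(accts) > 1]


if __name__ == "__main__":
    for acct, pw in find_breached(ACCOUNT_HASHES, BREACH_WORDLIST).items():
        print(f"{acct}: password appears in breach list ({pw})")
    for group in find_reused(ACCOUNT_HASHES):
        print(f"password reused across accounts: {', '.join(group)}")
```

Accounts flagged by either check should be forced through a password reset and, where the page's MFA recommendation is not yet in place, prioritized for it.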

Beat Phishing to the Punch

A powerful and effective strategy to counteract phishing and email-based attacks uses other gray hat tools to detect malicious domains before they are used. For example, the tool DNStwist is used by attackers to domain squat, map corporate registrations and perform reconnaissance. But corporate security teams can use this same tool to deter or stop phishing attacks before they are launched by:

  • Using DNStwist to query for domains and pre-emptively block abusive domains set up for phishing or email campaigns.

  • Querying the corporate domain name and using the -r switch so that only registered domains are returned.

  • Reviewing each domain and blocking the IP address and fully qualified domain name (FQDN) used in the MX record, in addition to adding firewall rules to prevent accidental access.

Because newly registered domains are filtered more tightly, most threat actors register their malicious domains days or weeks before an attack, which gives the security team time to detect them.
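The three steps above, as an added example that is not part of the original writeup and is not dnstwist's own code: a small reimplementation of a subset of dnstwist-style permutations (omission, transposition, repetition, homoglyph, hyphenation and TLD swap), followed by the filtering to registered domains and the MX-based blocklist the bullets call for. The domain is a placeholder and the "resolved" table is a constructed stand-in for the DNS answers dnstwist -r would return, so the example runs offline.

```python
# Placeholder corporate domain, not a real registration.
CORP_DOMAIN = "yourcompany.com"

# Single-character lookalikes; dnstwist's real table is much larger.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"], "a": ["4"]}
ALT_TLDS = ["net", "org", "co", "info"]


def permutations(domain: str) -> list:
    """Generate lookalike domains an attacker might register for phishing."""
    name, tld = domain.rsplit(".", 1)
    cands = set()
    for i in range(len(name)):                       # omission: yourcmpany
        cands.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                   # transposition: yuorcompany
        cands.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                       # repetition: yourcompaany
        cands.add(name[:i] + name[i] + name[i:])
    for i, ch in enumerate(name):                    # homoglyph: yourc0mpany
        for glyph in HOMOGLYPHS.get(ch, []):
            cands.add(name[:i] + glyph + name[i + 1:])
    for i in range(1, len(name)):                    # hyphenation: your-company
        cands.add(name[:i] + "-" + name[i:])
    cands.discard(name)
    out = {f"{c}.{tld}" for c in cands}
    out.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)  # TLD swap
    return sorted(out)


# Constructed stand-in for DNS results: candidate -> (MX host, MX host's A record).
# Addresses are from documentation ranges, not real infrastructure.
RESOLVED = {
    "yourc0mpany.com": ("mail.yourc0mpany.com", "203.0.113.10"),
    "yourcompany.co": ("mx1.example-mail.test", "198.51.100.7"),
}


def registered(cands: list, resolved: dict) -> list:
    """Keep only candidates that resolve, mirroring the -r switch."""
    return [c for c in cands if c in resolved]


def blocklist(cands: list, resolved: dict) -> list:
    """FQDNs and IPs to block at the mail gateway and firewall for each registered lookalike."""
    entries = set()
    for cand in registered(cands, resolved):
        mx_host, mx_ip = resolved[cand]
        entries.update({cand, mx_host, mx_ip})
    return sorted(entries)


if __name__ == "__main__":
    print("\n".join(blocklist(permutations(CORP_DOMAIN), RESOLVED)))
```

Re-run the generation on a schedule, since the point of the section is catching domains during the window between registration and use.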

Account Takeover

The migration to remote work is forcing a number of companies to further open external access and make services such as email, team collaboration and cloud-based file synchronization available to employees. However, this increases the attack surface for malicious actors. To shore this up, teams should:

  • Watch the controls. Ensure strict administrative, detective and preventative controls remain in place.

  • Apply GeoIP and botnet filtering. While imperfect, they can help reduce this risk.

  • Implement additional mitigations, such as behavioral analysis, restricted logon hours and MFA.

  • Audit early and often. Audit and spot check access logs regularly.

Fraud and Identity Theft

Unfortunately, criminals thrive during poor economic conditions and crisis. In such times, many factors help drive fraud and incidents of identity theft, including:

  • Poor recordkeeping, mass casualties and confusion. All have previously been exploited by criminals, human traffickers and foreign intelligence services. Current conditions and issues with international cooperation will result in long-term losses and attacks. Longer term, it’s also likely we’ll see incidents of identity theft targeting deceased COVID-19 victims.

  • Fear/hope. “Miracle” cures, tests and preventive measures will be sold by scammers and cyber-criminals.

  • Uptick in online purchasing and credit card usage. This will drive credit card theft. Today’s behavioral-based fraud controls are limited in their efficacy, and criminals will adapt to this less secure environment and attack.

  • Push toward a delivery-based economy. Client-side attacks, such as fake receipts and delivery notifications that deliver ransomware or steal credit card data, will have a much higher success rate.

Fraud prevention measures and identity theft controls should be at the forefront of every retail business’ security strategy.

New Attacks Spurred by COVID-19

Previous data and attacks can also assist in anticipating new attacks. For example, foreign intelligence services have already started weaponizing social media and public discussion to shape online opinion and sow dissent. Other attacks to expect include:

  • Hacktivist and website defacement attacks: This is just a continuation of past and current attacks against Western interests. Irregular cyberforces such as internet water armies and the 50-cent army are regularly engaged by the Chinese government for similar purposes.

  • Organized crime-based attacks. Many of Russia’s irregular cyberforces operate as organized criminal networks when not engaged in “official” work, and they frequently reuse or repurpose attacks when switching between responsibilities.

  • Business email compromise (BEC) and related attacks: The sale of counterfeit products, false invoices sent to accounting departments for payment, and payroll or wire transfer hijacking should also be monitored for.

Get Your Cyber COVID-19 Defenses in Place

COVID-19-based attacks are likely to proliferate in many forms. To ensure your defenses are sound:

  • Proactively monitor for social engineering and client-side attacks: Use gray hat and black hat tools like L0phtcrack and DNStwist to monitor and model attacks by adversaries.

  • Implement additional factors of authentication: Consider adding MFA and out-of-band confirmation for remote workers, support and vital functions (e.g., payroll changes).

  • Enhance your fraud detection and monitoring: Corporate expenditures, credit cards and invoices should be reviewed to prevent exploitation of confusion and disorder.

  • Ensure security never gets reduced in favor of convenience: Attackers frequently use crisis and disasters to exploit companies. Ensure uniform security policy and implementation across all business functions.

Further Reading

COVID-19 and InfoSec: What You Need to Know, March 19, 2020

Poll: Likely COVID-19-Themed Attack Vectors, March 17, 2020

COVID-19 Phishing Examples and Guidance, March 17, 2020

Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.
