News & Commentary

4/7/2020
02:00 PM

The Coronavirus & Cybersecurity: 3 Areas of Exploitation

Criminal, political, and strategic factors are combining to create a perfect storm of cyber infections that target the global supply chain.

Times of crisis often create opportunities for those looking for vulnerabilities in their opponents. Today's coronavirus crisis is creating economic and political dislocation, disruption of the commercial status quo, and a breakdown in the fabric of global commerce — not to mention uncertainty and fear.

A rapidly growing number of people are already coming to understand this. But what most still do not know is that hackers are also barging into this grim arena, capitalizing on heightened vulnerability with fresh cyberattacks and the creation of malicious websites.

The US Health and Human Services Department recently suffered a cyberattack related to its coronavirus response. The attack ultimately did not succeed, and no data was accessed, but officials believe the culprit or culprits were likely foreign state actors looking to undermine confidence in and effectiveness of US government institutions.

Other attacks are coming. Malicious files circulating under the name of the Wuhan coronavirus are already in the wild. Specifically, Kaspersky researchers have found 10 unique malicious files distributed under coronavirus-themed names; their payloads include file-encrypting ransomware and cryptomining malware, and others exfiltrate sensitive data.

Additional factors are combining to create a perfect storm for cyber infections. These include lower staffing levels in enterprise security operations centers (SOCs) as corporations move employees to remote work, which places workers outside the enterprise perimeter, often with only single-factor authentication protecting their access, at a time of increased social media use and intense interest in COVID-19 news.

3 Targets

Political exploitation: There will be attempted compromises on critical infrastructure, such as power plants and petrochemical facilities, as well as active disinformation campaigns to sow confusion and undermine confidence in political leadership. The DDoS attack on Health and Human Services is just the start. There are also reports of a foreign disinformation campaign warning of a pending "nationwide quarantine," quickly debunked by US government officials, designed to create fear in the US population and undermine confidence in government institutions.

According to research from Prevailion, a cyber intelligence firm focused on nation-state cyberattack schemes, its APEX platform and sensor network show that more than 30 state and local governments have already been unwitting victims of nation-state actors looking to spread dissension and disruption. Among the most affected areas are Texas, New York, Ohio, California, Florida, Washington, DC, Alabama, North Carolina, Louisiana, and Connecticut. The trend has been on a rapid upward trajectory since the COVID-19 outbreak.

Criminal exploitation: Cybercriminals are looking for and exploiting weaknesses. According to Check Point Software's Global Threat Index, coronavirus-themed domain registrations are 50% more likely to be malicious than other domains registered in the same period. Whether it is well-honed phishing attacks with lures such as "Corona Virus," "Stock Market Volatility," "Near Zero Interest Rates," or "Remote Working" news, or ransomware attacks targeting hospitals and critical healthcare providers, the criminals know where vulnerabilities exist and how to exploit them.

As Oren Falkowitz, founder and CEO of anti-phishing company Area 1 Security, wrote me recently in an email: "Since mid-February, we have seen a material increase in the number of phishing campaigns tied to the coronavirus. The reason nine in ten cybersecurity incidents begin with phishing is not technical sophistication or lack of awareness by individual users, but the overwhelming desire of cyber actors to appear authentic. Whether they use trusted brands, or topical events such as the coronavirus as lures, they are always on the offensive."
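The two signals this section cites, topical lure terms in a hostname and a very recent domain registration, can be turned into a simple triage rule for DNS logs. The Python below is an added example written for this page; it is not code from the article, Check Point or Area 1. The log format, client addresses, domains (all under the reserved .example TLD) and registration dates are constructed for illustration; a real deployment would take registration age from an RDAP client or passive-DNS first-seen data and would use the Public Suffix List rather than the naive last-two-labels rule here.

```python
"""Heuristic triage of coronavirus-themed lure domains in DNS query logs.

Added example for this article; sample data below is constructed.
Signals: (1) a lure term in the queried name, (2) a registrable domain
registered within the last NEW_DOMAIN_DAYS. Both together => high.
"""
import re
from datetime import date

# Lure terms observed in COVID-era phishing (the article names "Corona Virus",
# "Stock Market Volatility", "Near Zero Interest Rates", "Remote Working").
LURE_TERMS = (
    "corona", "covid", "ncov", "wuhan", "pandemic", "quarantine",
    "stimulus", "remotework", "remote-work", "vaccine",
)

# A themed domain younger than this many days is treated as suspicious.
NEW_DOMAIN_DAYS = 30

# Date at which the sample log is scanned (constructed).
SCAN_DATE = date(2020, 3, 18)

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
REGISTRATION_DATES = {
    "covid19-relief-payment.example": date(2020, 3, 12),
    "corona-virus-map.example": date(2020, 3, 2),
    "intranet-corp.example": date(2012, 6, 1),
    "health-agency.example": date(2005, 1, 20),
}

# Constructed DNS query log: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2020-03-18T09:14:02Z 10.1.4.22 A covid19-relief-payment.example
2020-03-18T09:14:05Z 10.1.4.22 A www.intranet-corp.example
2020-03-18T09:15:11Z 10.1.7.9 A corona-virus-map.example
2020-03-18T09:16:40Z 10.1.7.9 AAAA covid.health-agency.example
2020-03-18T09:17:03Z 10.1.2.3 A updates.intranet-corp.example
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def parse_log_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def registrable_domain(qname):
    """Naive registrable domain: last two labels (use the PSL in production)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def lure_terms_in(qname):
    """All lure terms that appear as substrings of the queried name."""
    q = qname.lower()
    return [t for t in LURE_TERMS if t in q]


def domain_age_days(domain, today):
    """Days since registration, or None when no registration date is known."""
    reg = REGISTRATION_DATES.get(domain)
    return None if reg is None else (today - reg).days


def assess(qname, today):
    """Return (severity, reasons); severity is 'high', 'medium' or None."""
    reasons = []
    terms = lure_terms_in(qname)
    if terms:
        reasons.append("lure terms: " + ", ".join(terms))
    age = domain_age_days(registrable_domain(qname), today)
    is_new = age is not None and age <= NEW_DOMAIN_DAYS
    if is_new:
        reasons.append(f"registered {age} days ago")
    if terms and is_new:
        return "high", reasons
    if terms or is_new:
        return "medium", reasons
    return None, reasons


def scan_log(text, today):
    """Scan log text and return alert records for suspicious queries, in order."""
    alerts = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if not rec:
            continue
        sev, reasons = assess(rec["qname"], today)
        if sev:
            alerts.append({"client": rec["client"], "qname": rec["qname"],
                           "severity": sev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG, SCAN_DATE):
        print(a["severity"].upper(), a["client"], a["qname"], "|", "; ".join(a["reasons"]))
```

On the constructed log the two freshly registered themed domains score high, while a COVID-labelled host under a long-established domain scores only medium, which keeps legitimate health-agency sites from being blocked outright while still surfacing them for review.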

Strategic exploitation: While many attacks will be designed to exploit the crisis in the near term, the most sophisticated attackers will take advantage of preoccupied organizations that have their guard down. They will plant malware inside a targeted company's infrastructure and hold it for later exploitation.

As illustrated in the above graphic, Prevailion is seeing a confirmed influx of evidence of compromise in a large Italian vehicle manufacturer, with a pattern that matches the reduction of staff and eventual complete shutdown of the facility due to the COVID-19 pandemic. Karim Hijazi, CEO of Prevailion, explained in an email, "The dates of the influx of compromise correlate closely and illustrate the increasing challenge of weaker cybersecurity controls and defenses."

Furthermore, a recent Accenture study shows (page 10, figure 2) that 40% of security breaches are now indirect, as threat actors increasingly target the weak links in the supply chain or business ecosystem. Given what is happening and what is expected to happen, COVID-19-related security breaches are already alarming officials at the World Health Organization (WHO).

There is no question that the pandemic will continue to amplify cyber threats. Bad actors are experts at exploiting a crisis. But as experience has shown, every crisis and its attendant threats is also a learning opportunity: a lesson from which we can adapt new strategies and supporting technologies so that our digital economy and technology infrastructure are better prepared the next time we face such challenges. In the case of the coronavirus threat, the vulnerabilities of the global supply chain and digital economy are now clear. We are being challenged to rethink the infrastructure by which we manage in this environment. We must be more resilient going forward.

Robert R. Ackerman Jr. is the founder and a Managing Director of Allegis Capital, an early-stage Silicon Valley venture capital firm that invests heavily in cyber security. Allegis cyber security portfolio companies include IronPort Systems (acquired by Cisco), Solera ... View Full Bio
Comments
drho4523, User Rank: Apprentice, 4/27/2020 | 10:58:59 AM
Humans are more vulnerable than machines
Great content. I think that this confirms what a lot of us in the industry have been seeing with regard to increased phishing attempts. At Silent Breach, for example, we're finding that companies are far more willing to invest in periodic VAPTs rather than social engineering simulations and/or training workshops. Unfortunately, we find that the human component is usually the keystone of any security strategy, so I hope that articles like these will begin to influence decision makers more!
Enrico Fontan, User Rank: Strategist, 4/8/2020 | 7:30:10 AM
Strategic exploitation
I agree with the Strategic Exploitation perspective.

The increasing demand for Home-Office activities will increase the phishing risks for employees not trained for this new setup.

In such a scenario, this may lead to a persistent malware installation that will allow further violations in the future.

After the COVID-19 crisis, we will have to double-check and monitor all the connection points between IT and OT to be able to mitigate such risks.