
Threat Intelligence

3/24/2020
11:45 AM

Cybercriminals' Promises to Pause During Pandemic Amount to Little

As pandemic worsens, online profiteering -- from fraudsters to ransomware operators to cybercriminal hacking -- continues unabated, despite some promises from the underground.

Pandemics make for strange bedfellows.

In mid-March, ransomware gangs claimed to be pausing operations against healthcare organizations for the duration of the coronavirus pandemic, following pleas from some security firms and questions from journalists. The group behind the Maze ransomware operation, for example, pledged that "we [will] stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus."

But the sincerity of such promises is suspect. The Maze team reportedly was extorting money from a UK medical research facility, Hammersmith Medicines Research, at the same time it was pledging to stop activity. The University Hospital of Brno in the Czech Republic reportedly suffered an outage on March 20 due to a cyberattack, possibly ransomware. Other groups have rapidly increased phishing attacks that use the coronavirus, and the COVID-19 disease it causes, as a lure. Outright fraud has increased as well, such as e-mail campaigns collecting "donations" for coronavirus-fighting charities, according to security services firm CrowdStrike.

The chaos and fear created by the coronavirus pandemic is just too enticing for cybercriminals to resist, says Adam Meyers, vice president of intelligence at CrowdStrike. "When you have something this widely recognized, and you have people, frankly, freaking out about it, then it becomes an effective way to exploit those fears," he says. "The threat is definitely there, and it's something we are paying close attention to."

As countries struggle to respond to the coronavirus pandemic, some cybercriminals and security firms have advised against exploiting the chaos.

Security firm Emsisoft addressed ransomware groups directly in a March 18 statement urging them to — at the very least — leave healthcare organizations alone: "Make no mistake, an attack on a healthcare organization will have negative outcomes and may result in the loss of life. We ask for your empathy and cooperation. Please do not target healthcare providers during the coming months and, if you target one unintentionally, please provide them with the decryption key at no cost as soon as you possibly can."

Chatter in underground forums appears to show that some operators may have similar sympathies. When one would-be fraudster asked how they could take advantage of the COVID-19 chaos, other forum participants criticized them, in an exchange seen by threat intelligence firm Digital Shadows.

"As we've seen time and time again, cybercriminals will find ways to take advantage of people's fears and uncertainties in the wake of major disasters and emergencies," Alex Guirakhoo, a threat research analyst with Digital Shadows, wrote in a blog post. "However, the gravity of the COVID-19 pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation."

Still, such sentiments seem to be a rarity. Moreover, pledging to forgo attacks against healthcare institutions may be a ploy to gain some goodwill and convince other companies that the cybercriminal group is trustworthy.

"For most attackers, a time of crisis is in reality a time to expand their businesses," Tim Mackey, principal security strategist for software-security firm Synopsys, said in a statement. "They know that with businesses operating with either remote workers or with limited IT staffing levels that defenses will be weakened. Since the attackers define their rules of attack, it's worth noting that even a pledge to not target healthcare providers by ransomware teams may in actuality be part of their strategy."

And for nation-state actors, stealing information about another nation's reaction to the crisis could be good politics, says Patrick Coughlin, CEO for threat intelligence platform provider TruSTAR Technology.

"It's hard to know whether the major nation-states or known major threat actors have ordered a detente or a truce — it's hard to know," he says. "But it doesn't really matter because the noise from the scammers continues to grow, and they can use all the noise as cover."

In addition to the increased activity from cybercriminal groups, the fact that most companies now have to deal with many more remote workers aids attackers. The pandemic and the move to remote working have caused massive changes in workers' patterns of life, which may leave many organizations struggling to define a new baseline of "normal" behavior, Coughlin says.

"The baseline signal that a security organization would have of what is normal activity has been thrown out the window," he says. "That loss of the normal pattern of life is providing cover for the bad guys. They have a whole different layer of noise that they can hide in."

Many cybersecurity firms have offered to help healthcare organizations and critical groups with responding to ransomware incidents and other cyberattacks.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...