The speed at which organizations are being forced to respond to the unfolding COVID-19 health crisis could be leaving many of them vulnerable to attack by threat actors rushing to exploit the situation.
Over the past few weeks security vendors and researchers have reported an increasing number of malicious activities tied to COVID-19 that they say are elevating risks for organizations across sectors, especially healthcare and law enforcement.
Predictably, a lot of the activity has involved phishing and social-engineering campaigns where COVID-19 has been used as a thematic lure to get people to click on malicious attachments and links in emails or to download malware on mobile and other devices. There have also been reports about account takeover and business email compromise activity, a growth in domains serving up drive-by malware, and attempts to exploit virtual private networks (VPNs) and other remote access tools.
The danger posed by these threats has been exacerbated by new requirements for "social distancing" and the resulting push by many organizations to widen or implement telework capabilities for their workforce. The sudden COVID-19-related surge in the use of videoconferencing, remote access, and VPN services — especially at organizations that have not used them before — is giving attackers more targets to go after and defenders a lot more terrain to protect.
"Many companies did not have the infrastructure for this sort of work and had to deploy it quickly," says Omri Herscovici, security research team leader at Check Point.
This includes externalizing internal Web services and email access, desktop, and other internal resources. In some cases, internal services that may not have been previously accessible from outside the perimeter are now being hastily opened to allow employees to work from home.
Many are implementing new technologies for remote access without enough testing or without first ensuring secure configurations, Herscovici says. Companies are also likely struggling with managing and protecting a sudden rise in server loads and with issues like implementing proper authentication mechanisms and security auditing capabilities for their newly telecommuting workers, he notes.
"The attack surface for malicious actors has increased since some parts of an organization's infrastructure that were only used internally are now exposed to the Internet," Herscovici says.
VPN and Telework Risks
Attacks that seek to take advantage of user inexperience with respect to remote working are one major concern. "Tens of thousands of businesses are turning their workforce into a remote army, and they are urging staff to use VPNs for the first time," says Lior Rochberger, a security analyst with Cyberason's Nocturnus team and the co-author of a recent COVID-19 research report.
"Unsuspecting victims around the world are falling victim because they are being tricked into downloading and installing malware masquerading as legitimate VPN clients," Rochberger says.
One malicious website that Cybereason's team uncovered claimed to provide a range of legitimate VPN installers and installers for apps like Instagram and Facebook. However those who attempt to download the VPN installer only get directed to a malware-hosting site. "There is a lot of danger because as anxiety sets in, people's minds are elsewhere and they trust these websites without double-checking that it is legitimate and trusted," Rochberger says.
Concerns over enterprise VPN security were high even before the COVID-19 crisis. Security researchers have reported on numerous critical remotely executable vulnerabilities in widely used VPN products in recent months that have prompted alerts from the US Department of Homeland Security (DHS) and others. Organizations that might have been close to addressing those issues are likely going to fall behind once again in the new rush to enable telecommuting at many organizations, says Pascal Geenens, security evangelist at Radware.
"VPNs have been the subject of targeted access over 2019," he says. "[Now] the opportunity and attack surface [have grown] with more organizations deploying remote access."
In a March 13 alert, the DHS's Cybersecurity and Infrastructure Security Agency (CISA) urged organizations that are implementing remote access capabilities for workers in response to COVID-19 to install the latest security patches and configurations on their VPNs. It also advised the use of multifactor authentication on all VPN connections to increase security. "If MFA is not implemented, require teleworkers to use strong passwords," the CISA said.
Exploiting a Crisis
Meanwhile, threat actors, who have a penchant for exploiting a crisis situation, are launching a barrage of spam, phishing, and other malicious campaigns to get users to part with credentials and other sensitive data.
According to KnowBe4, there has been a virtual epidemic of COVID-19-themed phishing emails in recent weeks. Many of them have purported to be from the US Centers for Disease Control (CDC), the World Health Organization (WHO), the US Department of Health and Human Services (HHS), and enterprise HR departments. Just this week, for instance, IBM reported on a new campaign where a previously known keylogger called HawkEye was being distributed in emails spoofing WHO's director general. While most of the phishing emails have spoofed government organizations, attackers have been spoofing private ones as well. One campaign that KnowBe4 tracked, for instance, involved a phishing email with a fake bill for COVID-19 insurance coverage from Cigna
An interactive map from Johns Hopkins University tracking the spread of COVID-19 globally has been an especially popular spoofing target. Numerous attackers have begun hosting near-identical-looking trackers on malware-laden sites and are using phishing emails to lure people to these sites.
Some are using an app-version of the tracker to get users to load malware on mobile devices. Kristin Del Rosso, senior staff intelligence engineer at Lookout, says researchers from the company recently discovered a trojanized version of a functional COVID-19 tracking app being used to download surveillance software on mobile phones.
"We have seen other actors using the COVID-19 media coverage to deploy Coronavirus-themed mobile ransomware and banking Trojans, as well as track a device's geolocation," Del Rosso says. With the order to shelter in place, organizations are quickly implementing work-from-home policies that have the potential to increase their mobile risk. "Ultimately, it comes down to educating the end users and continuing to follow best practices, even in times of crisis," she says.
Rochberger says Cybereason, too, has seen attackers creating malicious mobile applications posing as legitimate apps developed by the WHO purportedly to help people recover from COVID-19. "Instead, the application downloads the Cerberus Trojan to steal sensitive data," she notes.
According to Check Point, more than 16,000 new Coronavirus-related domains have been registered since January. More than 2,200 of them are suspicious and another 93 are being used to serve malware. Many malware authors appear to be viewing the pandemic as an opportunity to accelerate sales and are offering Coronavirus specials and discounts to criminals and wannabe-criminals in Dark Web markets. Among the COVID-19 specials is a 15% discount on a Facebook account-hacking service.
While many of the new and emerging COVID-19 related threats are targeted primarily at individuals, they impact organizations equally. So enterprises need to special attention to the security fundamentals, researchers say.
This includes keeping software properly updated to prevent exposure to new threats, resetting and enforcing strong passwords for remote workers, and ensuring passwords are changed periodically, says Geenens from Radware, which recently published a set of recommendations on the topic.
VPNs are another way to secure data between remote workers and core systems, says Kevin Curran, IEEE senior member and professor of security at Ulster University. "In the ideal world, organizations would have a zero trust network system deployed," Curran says. But it can be difficult to implement purely in response to the unfolding health crisis, he admits.
Mobile device management capabilities are another fundamental requirement for organizations right now, Curran notes. "Even Windows 10 now enables devices to connect to a cloud-based Azure Active Directory, which bolsters the existing support in Windows for the traditional version of Active Directory," he says. Organizations need to have control of mobile devices that access their environments and have capabilities such as remote wipe and configuration of enterprise data protection policies.
"Containerization is another option for companies to separate corporate and personal data on an employee's device," Curran says. "This involves separating out the corporate mobile apps and the data associated with these into 'containers' on the mobile device, creating a clear division as to what is subject to corporate security policies, such as wiping."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Security Lessons We've Learned (So Far) from COVID-19."