A pandemic gives cybercriminals ample opportunities to attack systems and prey on the unwary.
We have prepared a Special Report outlining some examples of cyber-attacks during this time, as well as a quick checklist for you to review and see if your business is prepared to respond to an IT incident.
Here’s a PDF should your wish to download it.
Be well and stay safe,
the team at Delta
It is no doubt that Covid-19 has placed a strain on healthcare systems and economies around the world. As governments close borders and enforce social distancing practices to disrupt the spread of the virus, businesses have also received instructions to allow employees to work from home.
These measures ensure the health and safety of employees and allow businesses to maintain normal business operations during this crisis. While working from home minimises the risk of spreading the disease, consideration should be taken into the IT security risks that could arise due to a sudden influx of staff working from home.
During an average financial year, a company will spend roughly 10% of their annual IT budget on security. These efforts are generally focused on enhancing the security of the corporate network. With work at home measures in place, employees now need to access the company network from home or from a public connection.
Allowing these new connections open the corporate network to an increased number of threat surfaces where security may not have previously been considered. Additionally, where employees are using their own devices, these devices may not be configured to company specifications, use the company firewall, or may already be infected with malware.
The introduction of these external factors makes it difficult for IT departments to administrate their network as the Covid-19 crisis has converted whole companies into stay at home workers.
Many industries around the world are vulnerable at such a time. As of early April 2020, more than half of the world’s population are in lockdown where over 90 countries have implemented compulsory or recommended confinement. This makes at home workers a perfect target for cyber criminals due to the sheer numbers of people forced online to do so.
One company that took a hit by both Covid-19 travel bans, and a ransomware attack is Finablr PLC’s retail foreign exchange brand Travelex. Travelex is the worlds largest foreign exchange company with over 1,500 stores primarily located in airports and tourist destinations.
The hackers exploited unsecure systems to deploy the REvil (also known as Sodinokibi) ransomware on Travelex’s systems. The ransomware attack forced Travelex to suspend their customer facing systems while resolving the issue.
Over 5GB of personal information was stolen including credit card details, dates of birth and ID numbers, A ransom of $3M USD was demanded to which it is reported that $2.3M USD in Bitcoin was paid to the hackers. It is known that Travelex had a cyber insurance at the time, and they planned to activate the policy to mitigate some of this loss.
While essential services such as hospitals and health care are making their best efforts to contain the pandemic, cybercriminals are targeting their IT systems as they see these as an easy target. No statistics have yet been released but Interpol have identified that there is a significant increase in such cyber-attacks. They have issued a warning to all 194 of their member countries to remain vigilant about this threat.
Microsoft released a blog post also identifying that cyber criminals are prevalent during this time and explained the efforts they have focused on protecting critical industries such as health care. The Microsoft Threat Protection Intelligence Team have been monitoring known malware and have provided recommendations on how organizations should be monitoring logs to detect attacks and frequently updating software and configurations to prevent known attacks.
The phenomenon known as “Zoombombing” (hijacking Zoom sessions) has increased due to the voluminous increase in Zoom users. In the first few months of 2020 the company recorded 2.2 million new users compared to the 1.9 million new users in the whole year of 2019.
As workers, students, friends and family increasingly use this platform as they communicate from home, hackers and pranksters are also at home performing these attacks.
In April 2020, The Singapore Ministry of Education suspended the use of using the popular video conferencing tool Zoom after an online Secondary 1 geography class was hijacked. The hijackers displayed obscene images to the class of 39 students.
The MOE and Zoom are actively working to make the tool more secure and MOE teachers have been briefed on security measures while performing online lessons.
Phishing remains as one of the most prevalent methods of cyber-attack according to F5 Lab’s 2019 fraud and phishing report. The attacks are simple and effective and can lead to further types of attacks such as credential harvesting and malware depending on the effectiveness of the phishing attempt.
Covid-19 phishing emails have been on the rise following the spread of the virus. On 31 January 2020 the World Health Organization declared Covid-19 an international public health emergency due to the rising number of infections. During March 2020, many countries imposed lockdowns while the world observed the number of confirmed infected cases rise from 88,585 to 858,319.
During this time, cybercriminals have been opportunistic and have used this crisis to prey on their victims while general efforts have been focused on the health and safety of staff. Phishing attacks generally play on the fears or emotions of the victim by posing as a familiar brand or seeking urgent action so having the distraction of a viral pandemic adds to the lapse in judgement of individuals which could make the phishing attack more effective.
During the month of March 2020 alone, Researchers at Barracuda Networks observed a 667% increase in Covid-19 related spear-phishing attacks. 1,188 types of attacks were recorded in February 2020 increasing to 9,116 types of attacks in March 2020.
While a phishing email can be convincing, a fraudulent domain name adds to the deception. Atlas VPN discovered over 300K domains had been registered relating to Covid-19 related keywords in March 2020 alone. These included keywords such as “Coronavirus”, “Covid-19”, “Vaccine”.
KPMG advise that phishing samples typically contain the following attributes:
- Poor grammar, punctuation and spelling
- Design and quality of the email isn’t what you would expect
- Not addressed to you by name but uses terms such as “Dear colleague,” “Dear friend” or “Dear customer”
- Includes a veiled threat or a false sense of urgency
- Directly solicits personal or financial information
We can see some of these attributes in samples of Covid-19 phishing emails.
Researchers at Dynarisk report that samples of Covid-19 phishing emails include cyber criminals posing to be from health authorities such as such as the World Health Organisation (WHO) or the Centers for Disease Control and Prevention (CDC), government, charities, essential services, travel companies or even collaboration apps such as Zoom or Microsoft teams.
These attacks utilize convincing or even spoofed email addresses to prey on pandemic-related fears of individuals and to trick these employees into trusting these malicious emails.
Common requests of the phishing attacks include asking for fake donations by imposter charities, sales of fake medical supplies and cures, fake investment opportunities in medical companies, fake government support and more in attempts to steal money, credentials and personal information from their victims.
One example discovered by security researchers at KnowBe4 is even telling victims that they have been in contact with an infected person and tricks the victim into downloading attached excel document.
The excel documents however contain macros which download malware onto their victim’s system.
While phishing is an effective way that cybercriminals are using to trick victims into downloading malware, cybercriminals are also using the trend of hiding malware into websites and apps which provide Covid-19 heatmaps that graphically depict the number of infected cases in each country on a world map.
The legitimate versions of these sites are a popular way for people to keep track of the number of cases reported around the world. Cybercriminals are also jumping on this trend to spread malware due to the number of internet traffic these websites are able to generate.
Security company Malwarebytes released a warning about malware found in Covid-19 heatmaps utilizing real and accurate information. The website tricked users into downloading a file named “corona.exe” which contained the “AZORult” malware. This malware is a type of spyware which hides itself on a computer system and steals information including passwords, credit card details, with the ability to take screenshots and other sensitive information without the victim’s knowledge.
Hiding malware in heatmaps has also reached Android. Researchers at Domaintoolsdiscovered an Android app which posed as a heatmap. The heatmap however contains the ransomware “CovidLock”. This ransomware demands users pay USD$100 in bitcoin or threatens it will wipe all the devices files and leak social media profiles.
We have seen cyber criminals capitalizing on Covid-19 to launch attacks. In the world of IT risk, businesses need to have the correct technological controls in place to mitigate such IT risks and the controls to identify such risks. These controls need to be robust enough to consider work-at-home arrangements.
KPMG have the following suggestions to reduce the risk to your organization and your employees, particularly in relation to remote working:
- Raise awareness amongst your team warning them of the heightened risk of COVID-19 themes phishing attacks
- Share definitive sources of advice on how to stay safe and provide regular communications on the approach your organization is taking to the COVID-19 pandemic
- Make sure you set up strong passwords, and preferably two-factor authentication for all remote access accounts; particularly for Office 365 access
- Provide remote workers with straightforward guidance on how to use remote working solutions including how to make sure they remain secure and tips on the identification of phishing
- Ensure that all provided laptops have up to date security patches, anti-virus and firewall software
- Run a helpline or online chat line which your team can easily access for advice, or to report any security concerns including potential phishing
- Encrypt data at rest on laptops used for remote working in order to combat physical theft and make certain that all critical systems are backed up, tested and are available in case of a ransomware attack.
- Disable USB drives to avoid the risk of malware, offering employees an alternate way of transferring data such as cloud collaboration tools
- Ensure that the finance process requires an additional measure to verify large payments. Ideally use a different channel of communication to do so such as phone or text to confirm an email request. This additional measure can help guard against the increased risk of business email compromise.
As the World Bank steps in to provide aid to protect economies and jobs, this crisis has also provided a great example for businesses to see if they have been prepared for global events which could affect their operations. While some business may fail during this time, business continuity plans will be tested to keep business running as usual.
Among continuation of operations, a robust business continuity plan should address the following businesses IT concerns:
- What would happen if there’s an IT or Cyber incident?
- Can your business function effectively through remote working?
- What would happen if disruption to a data center occurs?
- Are you dependent on key IT personnel?
- Are you able to scale your cloud capabilities?
- Would you be able to co-ordinate the incident remotely, and do you have the necessary conferencing facilities and access to incident management sites/processes and guides?
- Are you dependent on key individuals for the incident response, and if so, what can you do to reduce that dependency?
- How does the emergency/incident response crisis management structure change if key incident managers/recovery leads are unavailable?
- Are you confident that your backups are current, and that in the worst case you can restore vital corporate data and systems?
- How would you deal with a widespread ransomware incident, when large parts of your workforce are home working?
The time we have in isolation has provided the perfect opportunity for the insurance industry to educate the public on risks which could affect their business. As the shift from working in an office to working from home increases, there are new risk factors that the business should consider.
Now is the time to talk to insureds about their existing coverages and consider insurance products to transfer such risk or prepare for risk in the future.