Cyber criminals are exploiting COVID-19
The impact of COVID-19 on our way of life has been unprecedented. For the cyber criminal it has been business as usual, but with additional fringe benefits. More people are working from home, and some of them are less familiar with secure working practice than they ought to be. We still need to collaborate, which has driven up the use of web communication and conferencing software, some of it unfamiliar to users and open to spoofing. Access to crucial files and systems also requires greater use of remote access systems, all of which need to be properly secured and checked before they are deployed.
The UK National Cyber Security Centre (NCSC), jointly with the US Cybersecurity and Infrastructure Security Agency (CISA), has published an advisory on COVID-19 exploitation by malicious cyber actors that illustrates how criminals are trying to exploit the current situation. The criminals’ aims have not changed: to steal financial credentials, to access information that can be monetised, or to compromise the target and hold them to ransom.
Many attacks follow familiar patterns: phishing emails, SMS messages and compromised websites. The criminals use key phrases such as ‘COVID’ and ‘UKGOV’ in subject lines, message text and domain names to give a veneer of authenticity. Companies and government bodies have been putting out essential information on how to deal with COVID-19, but a message that looks like the same information can just as easily carry a link to an online scam. One tracked list of newly registered malicious domains containing the COVID keyword held 2,514 entries as of 8th April 2020.
Another approach has been to spoof meeting invites from collaboration platforms such as ‘Zoom’. Naturally the text and images look authentic, but the aim is, as always, to get the user to download a file or open a web page that starts a chain leading to the compromise of the target’s device. As always it is the end user who needs to be vigilant: why have they received that message? Do they need to open the file or visit the site? Does the link actually go where the message says it does? The message to reinforce is simple: if in doubt, report it. With companies now extremely reliant on online communications, all users need to know who to report potential incidents to.
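The checks a mail gateway or a triage analyst would apply to the links in a spoofed invite, as an added example that is not part of the original article or of any vendor product. The sample email HTML, the bait keyword list, the brand-to-domain mapping and the trusted suffixes are all constructed assumptions for the demo; a production filter would use the public suffix list and a maintained allowlist.

```python
"""Triage the links in an email body for the tricks described above:
visible text that shows one URL while the href goes to another, a brand
name (here 'zoom') in a host that is not the brand's own domain, and bait
keywords such as 'covid' or 'ukgov' in a host outside official sources.

Added example for this article; not code from the article or from Zoom,
NCSC or CISA. All lists and the sample email are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed bait keywords (the article names COVID and UKGOV as the lures).
BAIT_KEYWORDS = ("covid", "corona", "ukgov")
# Assumed brand -> domains that legitimately host that brand.
BRAND_DOMAINS = {"zoom": ("zoom.us",)}
# Assumed official domains under which the bait keywords are expected.
TRUSTED_SUFFIXES = ("gov.uk", "nhs.uk", "who.int")

# Constructed sample invite: one lookalike link, one genuine gov.uk link,
# one bait-keyword scam link and one genuine zoom.us link.
SAMPLE_EMAIL = """
<p>Your Zoom meeting on the COVID-19 response is ready.</p>
<a href="http://zoom-us.covid19-meeting.example.net/j/5551234">https://zoom.us/j/5551234</a>
<a href="https://www.gov.uk/coronavirus">Official guidance</a>
<a href="https://ukgov-covid-relief.example.com/claim">Claim your support payment</a>
<a href="https://zoom.us/j/5559876">Join the real call</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def under(host, suffix):
    """True if host is suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def triage_link(href, text):
    """Return the link with a list of reasons it looks suspicious (empty if clean)."""
    reasons = []
    host = host_of(href)
    # 1. Visible text is itself a URL but its host differs from the real target.
    if re.match(r"https?://", text, re.I):
        shown = host_of(text)
        if shown and shown != host:
            reasons.append(f"display text shows {shown} but link goes to {host}")
    # 2. Brand name appears in the host but the host is not the brand's domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in host and not any(under(host, d) for d in domains):
            reasons.append(f"'{brand}' lookalike host {host}")
    # 3. Bait keyword in the host of a site that is not an official source.
    for kw in BAIT_KEYWORDS:
        if kw in host and not any(under(host, s) for s in TRUSTED_SUFFIXES):
            reasons.append(f"bait keyword '{kw}' in untrusted host {host}")
    return {"href": href, "text": text, "host": host, "reasons": reasons}


def triage_links(html_text):
    parser = _LinkCollector()
    parser.feed(html_text)
    return [triage_link(href, text) for href, text in parser.links]


if __name__ == "__main__":
    for link in triage_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if link["reasons"] else "ok"
        print(f"{status:10} {link['href']}")
        for reason in link["reasons"]:
            print(f"           - {reason}")
```

On the constructed sample the first link trips all three checks, the third trips the keyword check twice, and the two genuine links come back clean. The keyword and brand checks are heuristics, so they belong in a triage queue rather than a hard block; the display-text mismatch check is the one that is almost never benign.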
The increase in remote working has led to greater access to systems through VPNs. These pathways are not foolproof. There are publicly known, actively exploited vulnerabilities in Citrix ADC and Gateway (CVE-2019-19781) and in VPN products from Pulse Secure (CVE-2019-11510), Fortinet (CVE-2018-13379) and Palo Alto (CVE-2019-1579). Patches for all of these have been available for months, and operators need to confirm that they have actually been applied rather than assume it. RDP is another means of accessing remote systems, either directly or through a VPN, and there has been an increase in reports of attacks on unsecured RDP endpoints since the COVID-19 lock-downs. Network administrators need to ensure that appropriate constraints are in place: RDP should not be exposed directly to the internet but reached through a VPN or gateway with multi-factor authentication, Network Level Authentication should be required, account lockout policies should be enforced, and failed logon attempts should be monitored for brute-force and password-spray patterns.
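A detection for the RDP attacks mentioned above, run over a handful of Windows Security failed-logon events (Event ID 4625), as an added example that is not part of the original article or the NCSC/CISA advisory. The log lines are constructed for the demo and the pipe-separated export format is an assumption; adapt the parser to whatever your SIEM or Get-WinEvent export produces.

```python
"""Flag brute-force and password-spray attempts against RDP in a Windows
Security log export.

Added example for this article; not from the NCSC/CISA advisory. The
sample lines are constructed and the one-event-per-line format
(timestamp|EventID|account|LogonType|source IP) is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Logon types that a failed RDP attempt produces: 10 (RemoteInteractive) and
# 3 (Network, which is what NLA-protected RDP reports before the session).
RDP_LOGON_TYPES = {"3", "10"}

# Constructed sample: one host hammering 'administrator', one host trying one
# password across many accounts, one genuine typo followed by success (4624),
# and one console (type 2) failure that is not RDP at all.
SAMPLE_LOG = """\
2020-04-08T02:00:01|4625|administrator|10|203.0.113.7
2020-04-08T02:00:03|4625|administrator|10|203.0.113.7
2020-04-08T02:00:05|4625|administrator|10|203.0.113.7
2020-04-08T02:00:07|4625|administrator|10|203.0.113.7
2020-04-08T02:00:09|4625|administrator|10|203.0.113.7
2020-04-08T02:00:11|4625|administrator|10|203.0.113.7
2020-04-08T02:10:00|4625|alice|3|198.51.100.9
2020-04-08T02:10:01|4625|bob|3|198.51.100.9
2020-04-08T02:10:02|4625|carol|3|198.51.100.9
2020-04-08T02:10:03|4625|dave|3|198.51.100.9
2020-04-08T02:10:04|4625|erin|3|198.51.100.9
2020-04-08T09:15:00|4625|alice|10|10.0.0.5
2020-04-08T09:15:20|4624|alice|10|10.0.0.5
2020-04-08T11:00:00|4625|bob|2|10.0.0.6
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: str
    account: str
    logon_type: str
    src_ip: str


def parse_line(line):
    ts, event_id, account, logon_type, src_ip = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), event_id, account.lower(), logon_type, src_ip)


def failed_rdp_logons(log_text):
    """Only 4625 events with an RDP-relevant logon type count."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e.event_id == "4625" and e.logon_type in RDP_LOGON_TYPES]


def detect(log_text, window=timedelta(minutes=5), brute_threshold=5, spray_threshold=4):
    """Per source IP, slide a time window over its failures and flag:
    brute_force   - >= brute_threshold failures against a single account
    password_spray - >= spray_threshold distinct accounts in the window
    """
    by_ip = defaultdict(list)
    for e in failed_rdp_logons(log_text):
        by_ip[e.src_ip].append(e)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        kinds = set()
        start = 0
        for end, ev in enumerate(events):
            while ev.ts - events[start].ts > window:
                start += 1
            chunk = events[start:end + 1]
            accounts = {e.account for e in chunk}
            if len(chunk) >= brute_threshold and len(accounts) == 1:
                kinds.add("brute_force")
            if len(accounts) >= spray_threshold:
                kinds.add("password_spray")
        for kind in sorted(kinds):
            findings.append({
                "kind": kind, "src_ip": ip, "failures": len(events),
                "accounts": sorted({e.account for e in events}),
                "first_seen": events[0].ts.isoformat(),
                "last_seen": events[-1].ts.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['kind']:15} {f['src_ip']:15} {f['failures']} failures, accounts={f['accounts']}")
```

The single failed attempt from 10.0.0.5 followed by a successful 4624 is exactly the noise a threshold must tolerate, and the console failure from 10.0.0.6 is excluded by logon type. Thresholds are assumptions; tune them to your environment, and where RDP sits behind a gateway the source IP to group on is the gateway's client address field, not the gateway itself.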
Proof that the cyber criminal is nothing if not inventive is the deployment of CovidLock ransomware. This is distributed as an Android app that claims to offer real-time tracking of COVID-19 cases. In reality the app changes the device’s lock screen password (a screen locker rather than file-encrypting ransomware) and demands $100 to unlock it, with a threat that data will be deleted if payment is not made within 48 hours. Thankfully researchers recovered the unlock code from the app and published it, so victims can regain access without paying.
Android devices are easier to compromise in this way than iOS devices: an iOS application has to pass Apple’s review before it is released on the App Store, whereas Android will install an app downloaded from any website if the user allows it. There are genuine efforts being made to create apps that track COVID-19 cases, so this might not be the last instance of creative COVID-19 cyber crime that we will see.