Something old, something new – the COVID-19 threat landscape is mostly about rebranding existing tricks

Nixu Threat Intelligence Team


April 15, 2020 at 10:03

News and advice related to the coronavirus are everywhere. People are working from home, and everyday life has changed. In the cyber world, the change hasn't been that significant. Yes, there are phishing campaigns impersonating the World Health Organization, and malware is being spread with the help of COVID-19 keywords. But if you look at the numbers, they show that attackers don't have more resources, and there is no noticeable change in the overall amount of attacks. Cybercriminals are reusing their existing tricks and rebranding them with a theme that gets the user's attention: news about COVID-19. Recent threat intel reports by both Microsoft and FireEye show that the global threat landscape has something new, but lots of old and borrowed.

Same threat actors, new content

News, email inbox, even text messages – updates about the coronavirus are everywhere. New statistics, new instructions, new restrictions. We click, we want to know more – and cybercriminals are taking advantage of this. According to Microsoft's threat intelligence report, every country in the world has had at least one COVID-19 themed attack. There have been thousands of coronavirus-related domain registrations.

However, it's good to understand that this isn't exactly unusual. Phishing and malware campaign themes come and go. Topical subjects are used to stay relevant so that the phishing messages and malware delivery sites look more appealing. Sometimes the topic is about getting tax refunds; sometimes, it's Valentine's Day; sometimes, it's about the holiday season and online shopping. Changing themes is also a way to avoid getting caught. Threat actors are now using their existing infrastructure and malware delivery tools and rebranding them with a topic that gets the user's attention: news about COVID-19.

Of course, it's good to be aware that the threat actors are taking advantage of the coronavirus so everyone can look at news headlines or their inbox with a critical eye. However, it's equally important to understand that so far, the overall amount of threats has not increased significantly, and there are other types of scams still out there. According to FireEye and Microsoft, only two percent of malicious emails contain COVID-19 content. However, Microsoft reports a spike in the success of phishing and social engineering and presumes that it's because people are stressed out about the situation.

Threat intelligence reports show that the coronavirus is a new seasonal theme but the same threat actors are using their existing infrastructure and tricks.

Another thing to remember when looking at statistics is that COVID-19 and corona are new search words, and they didn't exist until last December. You will get a high percentage increase when comparing against a starting point of zero, like IBM reporting a 4,300 percent increase in coronavirus-themed spam. Another example is CheckPoint's blog from March showing that despite the peak in coronavirus-related domain registrations, only three percent were found malicious, and five percent were sort of fishy. Another way that the article formulates the results is that "coronavirus-related domains are 50% more likely to be malicious than other domains registered at the same period", which can sound more worrying if you read just the headline.

The perfect time for disinformation and fake news

Because of the high stress and large amounts of information available, people might be more vulnerable than usual to fake news and spreading disinformation. FireEye also states that distractions when working from home and the burden of balancing work and home duties might make people more susceptible to opening malicious emails and making mistakes.

FireEye reports information operations that are taking advantage of the pandemic to promote a specific message or undermine others. For example, one of the disinformation campaigns has spread a conspiracy theory that the U.S. developed the coronavirus or helped to spread it. Another information operation praised China's response to the coronavirus outbreak.

Healthcare criticality elevated but an increase in threat not expected

Cyberattacks on healthcare providers, hospitals, and pharmaceutical companies have also been in the news headlines lately. For example, a medical research company doing clinical medicine trials recently suffered a data breach, and a cyberattack on a Czech hospital forced it to postpone surgical operations. However, FireEye's threat intel report states that there is no reason to believe that the healthcare sector would now be under a sudden elevated threat, although the criticality of IT systems in healthcare is higher.

There has been a considerable number of ransomware attacks against healthcare organizations in the previous years. In 2016, the attacks against hospitals worldwide stood out since there had been only a few reported cases about similar organizations so far. In October 2019, well before the pandemic outbreak, ten hospitals in the U.S. and Australia were infected with ransomware. Some ransomware groups have even promised to stay away from healthcare. Time and more data will show whether the attacks are taking advantage of the pressure caused by the pandemic or are related to a continuing trend.

Want to learn more about current threats and how to stay secure in the digital world? Check our cybersecurity advice on taking a digileap during these challenging times