Challenges in security preceded the disruptions we are all experiencing during the COVID-19 pandemic. Unfortunately, while many of us are trying to navigate the issues and start building a “new normal”, bad actors are not taking a break. They see this as a prime time to exploit the surge in confusion and chaos. Keep reading to learn about a few of the more egregious attacks that have specifically exploited the COVID-19 situation to date, as well as a few more common (but no less malicious) tricks that bad actors are using.
But to make sure you don’t leave our blog post feeling depressed, we end with some upbeat news centered around the current crisis!
CovidLock
The aptly named CovidLock is an Android app masquerading as a “tracker” that claims to locate infected individuals nearby. The app walks users through changing their phone’s security settings, which lets it carry out a screen-lock attack on Android: the app sets a new lock-screen gesture or PIN that only it knows. Once the lock is in place, the app encrypts the user’s files, contacts and account tokens, and then threatens to leak personal information publicly through the victim’s own social media accounts. Android has included a defense against this since version 7.0 (Nougat): an app can no longer reset a lock-screen credential that the user has already set, so a device that already has a PIN in place and runs a current OS is protected (though many users do not run the newest OS or harden their phones). On another positive note, the ransomware only demands $100 in Bitcoin, that wallet is already under heavy scrutiny, and the DomainTools team has stated they will post the decryption key in the near future.
Vasty Health Care Foundation
Security researcher Brian Krebs called out “Vasty Health Care Foundation” for leveraging the pandemic as an opportunity to recruit money mules. The scam preys on the recently unemployed with seemingly legitimate job offers; the new “employees” are then guided to collect donations (legitimate or not), physically visit Bitcoin ATMs to convert the funds, and send them on to various addresses.
Brno University Hospital Attack
A successful attack on a Czech hospital involved in the COVID-19 response was reported on March 13, and the hospital was forced to disconnect all computers from its network. Specific details on the attack have not been released, but it caused significant disruption to the hospital’s operations.
Cyber-attack on HHS
US Health and Human Services reported what appears to have been a failed distributed denial of service (DDoS) attack; the agency stated that no data was lost and there were no disruptions. It also reported fake text messages from an unknown sender claiming that the “president will order a two-week mandatory quarantine for the nation”, which were believed to be related to the DDoS attack.
Less novel lures built on the pandemic were also seen:
- Malicious domains and spam
- Repurposed banking malware (Emotet)
- A pandemic dashboard web app bundled with a tweaked build of the AZORult infostealer
- A deception campaign (caught by our partner Proofpoint) harnessing the frustration around a conspiracy theory that a cure exists but isn’t being dispensed
- A new Crimson RAT campaign from APT36 using malicious macros in older-format document attachments to gain control of a host
But it’s not all bad! A handful of companies have stepped forward during this pandemic to help healthcare organizations defend themselves through this crisis:
- Coveware and Emsisoft have offered their ransomware recovery services to any healthcare provider fighting the pandemic, including managing the payment negotiation process if needed
- Netsparker is offering its WAF license to any COVID-19-engaged entity, including not just healthcare providers or vendors, but also food delivery services
- DHS and others are pointing to NIST recommendations for secure meetings and telecommuting, as well as US-CERT guidance on resisting social engineering and phishing, choosing and managing passwords, and moving to stronger authentication methods such as certificates, one-time passwords (OTPs) and tokens
Global events affect security more and more as our culture grows around technology. As we all do our best to keep our distance, wash our hands and avoid touching our faces, this is also a good time to remind everyone to remain cyber vigilant. Follow best practices every time you log on to your devices to keep yourself and your business secure.