The Bad, the Ugly, and the Good in Cybersecurity During COVID-19

Posted: March 24, 2020

Security challenges existed long before the disruption of the COVID-19 pandemic. Unfortunately, while most of us are working through those disruptions and trying to build a “new normal”, attackers are not taking a break: they see the surge in confusion and chaos as a prime opportunity. Keep reading to learn of a few of the more heinous attacks that have taken specific advantage of the COVID-19 situation to date, followed by a list of the more common (but no less malicious) tricks that bad actors are using.

But to make sure you don’t leave our blog post feeling depressed, we end with some upbeat news centered around the current crisis!

CovidLock

The aptly named CovidLock is an Android app posing as a coronavirus “tracker” that promises to show infected individuals nearby. On install, the app asks the user to grant it permissions (presented as necessary for the tracker), which lets it carry out a screen-lock attack: it sets a new lock-screen PIN known only to the attacker and locks the user out of the device. The ransom note then threatens to erase the user’s contacts, pictures and videos and to leak personal information and social media accounts publicly unless the ransom is paid. Android has had protection against this kind of lock-screen hijack since version 7.0 (Nougat), but it only applies when a lock-screen password or PIN is already set, and many users run older versions or have never configured a lock. On the positive side, the ransomware only demands $100 in Bitcoin, that wallet is already under heavy scrutiny, and the DomainTools team, which analysed the app, has stated it will post the decryption key in the near future.

Vasty Health Care Foundation

Security researcher Brian Krebs called out the “Vasty Health Care Foundation” for using the pandemic as cover to recruit money mules. The scam targets the recently unemployed with seemingly legitimate job offers; the new “employees” are then directed to collect donations, whether legitimate or not, take the cash to Bitcoin ATMs and forward the converted funds to addresses the operators supply.

Brno University Hospital Attack

A successful attack on Brno University Hospital, a Czech hospital serving as one of the country’s COVID-19 testing sites, was reported on March 13, and the hospital was forced to disconnect all computers from its network. Specific details on the attack have not been released, but it caused significant disruption to the hospital’s operations.

Cyber-attack on HHS

The US Department of Health and Human Services reported a distributed denial-of-service attack that appears to have failed: HHS said no data was lost and there was no disruption to operations. Around the same time, text messages from an unknown sender circulated claiming that the “president will order a two-week mandatory quarantine for the nation”; this disinformation was believed to be connected to the DDoS attempt.

Others

Less creative reuse of the pandemic theme was also seen:

  • Malicious domains and spam
  • Repurposed banking malware [Emotet] delivered with coronavirus-themed lures
  • A fake pandemic dashboard application that carries a tweaked build of the AZORult information stealer
  • A deception campaign (caught by our partner Proofpoint) exploiting frustration over a conspiracy theory that a cure exists but is being withheld
  • A new Crimson RAT campaign from APT36 using malicious Office macros in document attachments to gain control of the victim’s host
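
Most of the lures above, including the fake tracker and dashboard apps, start with a pandemic-themed or lookalike domain. The script below is an added example, not code from the original post, showing one cheap triage a defender can run over a DNS query log: it flags names containing pandemic keywords and names that imitate trusted sources once dots and hyphens are folded away. The log format, the allowlist and every log line are constructed for the example.

```python
"""Triage a DNS query log for pandemic-themed and lookalike domains.

Two checks run over every queried name:
  1. theme words (covid, corona, ...) in a name that is not allowlisted;
  2. lookalikes of allowlisted names, by edit distance after folding
     dots and hyphens (catches wh0.int and cdc-gov.info style squats).
The log format, the allowlist and the log lines are constructed for this
example and are not taken from any real incident.
"""
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <client-ip> <queried-name>" per line.
SAMPLE_DNS_LOG = """\
2020-03-20T10:01:02Z 10.0.0.12 coronavirus.jhu.edu
2020-03-20T10:01:05Z 10.0.0.12 www.who.int
2020-03-20T10:02:11Z 10.0.0.33 covid19-tracker-app.xyz
2020-03-20T10:02:40Z 10.0.0.33 corona-virus-live-map.net
2020-03-20T10:03:15Z 10.0.0.41 cdc.gov
2020-03-20T10:03:16Z 10.0.0.41 cdc-gov.info
2020-03-20T10:04:00Z 10.0.0.50 mail.example.com
2020-03-20T10:04:30Z 10.0.0.50 wh0.int
"""

# Names the organisation trusts for pandemic information (assumed list).
ALLOWLIST = ("coronavirus.jhu.edu", "who.int", "cdc.gov")

# Keywords seen in March 2020 lures; extend as campaigns change.
THEME_WORDS = ("covid", "corona", "pandemic", "quarantine", "vaccine")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_allowlisted(qname, allowlist=ALLOWLIST):
    """True if qname is an allowlisted name or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == a or q.endswith("." + a) for a in allowlist)


def registrable(qname):
    """Last two labels. Simplification: no public-suffix handling (co.uk etc.)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold(name):
    """Drop dots and hyphens so 'cdc-gov.info' and 'cdc.gov' become comparable."""
    return name.replace(".", "").replace("-", "")


def levenshtein(a, b):
    """Classic edit distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(qname, allowlist=ALLOWLIST, max_dist=1):
    """Return the allowlisted name that qname imitates, or None.

    Compares the folded registrable domain (wh0int vs whoint) and the folded
    second-level label alone (cdcgov from cdc-gov.info vs cdcgov).
    """
    reg = registrable(qname)
    sld = reg.split(".")[0]
    for a in allowlist:
        target = fold(registrable(a))
        if levenshtein(fold(reg), target) <= max_dist:
            return a
        if levenshtein(fold(sld), target) <= max_dist:
            return a
    return None


def triage_dns_log(text):
    """Map each suspicious queried name to the reasons it was flagged."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the triage
        qname = m.group(3).lower()
        if is_allowlisted(qname):
            continue
        for word in THEME_WORDS:
            if word in qname:
                findings[qname].append("theme:" + word)
                break
        target = lookalike_of(qname)
        if target:
            findings[qname].append("lookalike:" + target)
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in triage_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{name:28} {', '.join(reasons)}")
```

Keyword matching alone would miss wh0.int and cdc-gov.info, and the edit-distance check alone would miss the tracker and map domains, which is why the two are combined. The registrable-domain helper deliberately ignores the public suffix list, so for production use swap it for a proper implementation and feed the findings into your SIEM rather than treating them as verdicts.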

But it’s not all bad! A handful of companies have stepped forward during this pandemic to help healthcare organizations defend themselves through this crisis:

Global events affect security more and more as daily life comes to depend on technology. As we all do our best to keep our distance, wash our hands and avoid touching our faces, this is also a good time to remind everyone to stay cyber vigilant: treat pandemic-themed emails, apps and domains with suspicion, and follow best practices whenever you log on to keep yourself and your business secure.