How the COVID-19 Pandemic Has Dramatically Changed the Cybersecurity Landscape

Marc Rogers

Over the past two decades working in the security space, I’ve observed that there’s always an uptick in attackers looking to exploit the chaos during disasters or periods of civil unrest or political instability. As people panic or try to act with more urgency, they become more vulnerable. Caution, one of our strongest defenses, is the first thing to go out of the window. As our sense of urgency grows, we become more willing to take shortcuts and the opportunity to fool us grows exponentially. The current COVID-19 pandemic is no exception.

COVID-19 Phishing and Identity Attacks

The most common attacks seen during this kind of event are phishing and identity attacks, and with most of the workforce now being mandated to work from home, they are more dangerous than ever. When you are amongst your colleagues, working from a central location, you have a degree of protection. When a strange email comes in, it is easy to speak to a colleague and verify its authenticity. When you are working from home, isolated and often alone, that becomes much harder. Unless you quickly establish regular communications and good security hygiene you become an easy mark.

COVID-19 is an unprecedented global catastrophe and as a result, I have seen an unprecedented amount of phishing attacks looking to exploit it. The internet is literally heaving with the volume of COVID-19-based phishing attacks targeting every possible sector and every possible country.

This flood of phishing attacks has led to warnings being issued by multiple law enforcement and government agencies like WHO, CDC, FBI, CISA, NCSC and many more.

What are they after? While the cover story they use has changed, the end-game is almost always the same. They want your personal information (login credentials, name, date of birth, government ID details and so on) or they want to trick you into installing malware on your system.

The United Nations of phishing attacks:

Every nation is being targeted and the phishing emails we have seen appear in almost every language. In many ways, this is the largest set of cyber campaigns we have ever seen.

The vast majority of these emails offer information, often falsified, or promises of help related to the COVID-19 pandemic. In some cases, they offer medical supplies or, in the case of one campaign found by Proofpoint, even promise cures - things that they know a worried public is likely to pay attention to immediately.

But email is not the only vector being used for phishing attacks. We’re seeing phishing messages in all forms of social media and communication. Attackers are throwing everything but the kitchen sink at us. A prime example is the recent flood of fake SMS messages targeting users in identical ways.

The good news is most of these attacks are relatively unsophisticated, riddled with spelling mistakes, and take you to obviously fake landing pages that attempt to collect identity information. The bad news is that amongst the noise there are some impressively sophisticated attacks with cleverly designed landing pages or which skip the whole user interaction part and instead push down a range of different types of malware.

COVID-19 Malware & Hacking

Attackers are using a mixture of old, reskinned and relatively new malware to attack users during the COVID-19 pandemic. This is a pretty good indication of the wide variety and global nature of these campaigns. We are looking at a cybercrime gold rush. Never before have companies, workers, and consumers been so desperate and so vulnerable. Remote workers need VPNs, they have IT problems, they have distractions, and, most importantly, they are isolated. In the security industry, we have understood for a long time that the weakest link in the chain is the best place to start if you want to compromise something.

When it comes to relatively secure organizations, the weakest link is almost always the workforce or third party suppliers. This is why the vast majority of breaches we hear about today are triggered by simple phishing emails or malware-laden messages. As a result, remote IT workers without adequate protection are a gift - decentralized like third party suppliers but privileged like traditional workers.

As with the phishing attacks seeking to collect credentials, almost all of these are delivered in the guise of much-needed information or help. One particularly sophisticated cybercriminal campaign found by Reason Security used a trojan that displayed a fake COVID-19 tracking map to fool victims. The map, which loaded real COVID-19 information from the Internet, contained an information-stealing trojan related to the AZORult family of trojans.

Once installed, the infostealer trojan locates and exfiltrates credentials for social media accounts, cryptocurrency wallets, and more.

It’s not just cyber criminals who are taking advantage of this opportunity. Nation-states are getting in on it also. Malwarebytes uncovered a campaign attributed to APT36. APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting India’s defense sector, embassies, and government. The sample analyzed by Malwarebytes uses a spear-phishing email with a link to a malicious document claiming to be from the Indian Government.

Cybersecurity company Kaspersky said it had detected COVID-19-related infections on 403 users of its security products. In total, its technology detected 2,673 infected COVID-19-related files. Even though in most cases these are repurposed existing malware strains with new skins, the speed with which this has been turned around is both impressive and scary.

As further evidence of how prevalent this is, Check Point has detected that since January 2020, there have been over 4,000 coronavirus-related domains registered globally. Out of these websites, 3% were found to be malicious and an additional 5% are suspicious. Coronavirus-related domains are 50% more likely to be malicious than other domains registered in the same period.
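The figures above are the kind of signal a SOC can act on by triaging pandemic-themed hostnames in its own proxy or DNS logs. The script below is an added example (not Check Point's methodology or the author's code): it scores each URL on constructed log lines for a pandemic keyword in the hostname, a recently registered domain (the registration dates stand in for a WHOIS/RDAP cache and are constructed), plain HTTP, and an executable download, and skips a constructed allowlist of trusted sources. The `.example` domains, log lines, keyword list and scoring weights are all assumptions for illustration.

```python
"""Triage of pandemic-themed hostnames in proxy logs (added example)."""
import re
from datetime import date
from urllib.parse import urlsplit

# Keywords that attackers were attaching to lure domains; constructed list.
KEYWORDS = re.compile(r"covid|corona|ncov|pandemic|vaccine")
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso")
NEW_DOMAIN_DAYS = 60  # a domain younger than this gets extra weight

# Constructed: trusted sources and internal hosts that are never flagged.
ALLOWLIST = {"who.int", "cdc.gov", "example.com"}

# Constructed stand-in for a WHOIS/RDAP lookup cache: registrable domain -> creation date.
REGISTRATIONS = {
    "covid19-relief-fund.example": date(2020, 3, 10),
    "corona-virus-map.example": date(2020, 2, 28),
}

# Constructed proxy log lines: timestamp, client IP, method, URL.
LOG_DATE = date(2020, 3, 16)
SAMPLE_LOG = """\
2020-03-16T09:12:01Z 10.0.0.21 GET https://www.who.int/
2020-03-16T09:13:44Z 10.0.0.21 GET http://covid19-relief-fund.example/claim.php
2020-03-16T09:15:02Z 10.0.0.33 GET https://intranet.example.com/hr/policy
2020-03-16T09:17:19Z 10.0.0.33 GET http://corona-virus-map.example/download/map.exe
2020-03-16T09:20:07Z 10.0.0.45 GET https://www.cdc.gov/
"""


def registrable_domain(host):
    """Crude 'last two labels' approximation; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_url(url, today, allowlist=ALLOWLIST, registrations=REGISTRATIONS):
    """Return (score, reasons) for one URL; allowlisted domains always score 0."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    if domain in allowlist:
        return 0, []
    score, reasons = 0, []
    if KEYWORDS.search(host):
        score += 2
        reasons.append("pandemic keyword in hostname")
    created = registrations.get(domain)
    if created is not None and (today - created).days <= NEW_DOMAIN_DAYS:
        score += 2
        reasons.append(f"domain registered {(today - created).days} days ago")
    if parts.scheme == "http":
        score += 1
        reasons.append("plain http")
    if parts.path.lower().endswith(EXEC_EXT):
        score += 2
        reasons.append("executable download")
    return score, reasons


def triage(log_text, today, threshold=3):
    """Parse log lines, score each URL, and return findings above the threshold, highest first."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash mid-run
        _timestamp, client, _method, url = fields[:4]
        score, reasons = score_url(url, today)
        if score >= threshold:
            findings.append({"client": client, "url": url, "score": score, "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, LOG_DATE):
        print(f["score"], f["client"], f["url"], "; ".join(f["reasons"]))
```

On the constructed log the executable download from the seventeen-day-old `corona-virus-map.example` ranks first, the credential-harvesting page second, and the WHO, CDC and intranet requests are never listed. The weights are a starting point for tuning against your own traffic, not a verdict: a high score means "look at this first," and the allowlist is what keeps the legitimate sources the checklist below recommends out of the queue.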

COVID-19 Physical Security

Right now, many cities and towns look like post-apocalyptic film sets. As citizens stay home to slow the spread of COVID-19, workplaces and businesses are left standing empty. Many big businesses have sophisticated security systems and can even afford physical security guards. However, some small and medium-size businesses, some of whom serve those same large businesses, do not. As law enforcement resources become thinner due to increasing demand and a shrinking workforce, gaps begin to appear. These gaps are problematic. Want to break into a large Fortune 200 company whose own security looks good? Instead, break into their HVAC supplier or, indeed, any other third party likely to have a permanent connection into their network.

In this age, it is not just the simple burglar that we have to worry about. Sophisticated, connected supply chains, monitoring systems, and control systems mean our attack surfaces are no longer trivial things. If the Target breach taught us anything, it is that attackers can and will get in through any gap in our defenses. During the current upheaval when our eyes and minds are elsewhere, attackers will be ready to exploit that opportunity.

COVID-19: How to Stay Safe

Phishing

  • Be wary of emails or files sent by unknown users. Avoid clicking on links in unsolicited emails and be especially cautious with attachments. See CISA’s guidance on Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams.

  • If in doubt, close the email and go to the trusted site and navigate to the section you need.

  • Use trusted, authenticated sources—such as legitimate government websites—for up-to-date, fact-based information about COVID-19.

  • Use known, trusted companies when purchasing emergency supplies.

  • Do not reveal personal or financial information over email, and do not respond to emails that ask for this information.

  • Verify a charity’s authenticity before making donations. See the Federal Trade Commission’s page on Charity Scams for more information.

  • Enable two-factor or multi-factor authentication, or hardware security such as a YubiKey, on every site that supports it.

  • Use a well-known, trusted password manager and generate unique, complex passwords for sites that do not support additional factors. Never share passwords across sites.

  • Be cautious with password recovery questions: either use answers that cannot be guessed or researched, or use random passwords as the answers and store them in a password manager.

Malware and hacking

  • Don’t trust unverified people asking for information about your company.

  • Install a well-known antivirus product for your platform and ensure it is kept up to date.

  • Keep your computer software and operating system up to date.

  • Be cautious when using free software. Sometimes free can be too good to be true, especially when it comes to highly trusted applications like VPNs.

  • Don’t be the weak link - ensure your connection to your company is secure and report any suspicious activity, just as you would when working in the office.

  • If you are responsible for the IT for a company, ensure that you take lessons from the Zero Trust model. Ensure that attackers cannot piggyback from remote workers into your secure network.

  • Design your software and network architecture using strong identity principles. If you use continual authentication and robust verification of identity, you make it extremely difficult for an attacker to impersonate your workers even if they lose control of credentials.
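The last two points describe a property rather than a mechanism, so here is an added example (not Okta's product or the author's code) of what "continual authentication" can look like in practice: every request is signed with a key enrolled for the worker's device, and the server checks signature, freshness and replay on each one. A stolen password alone produces nothing the gateway will accept, and a captured request cannot be replayed. The user names, device identifiers, header names, timestamps and the HMAC-based signing scheme are all assumptions for illustration; in a real deployment the device key would live in a TPM or secure element and the nonce cache would be bounded by the timestamp window.

```python
"""Per-request, device-bound authentication (added example)."""
import hashlib
import hmac
import secrets

REQUEST_MAX_AGE = 60  # seconds a signed request stays valid (assumed window)
AUTH_HEADERS = ("X-User", "X-Device", "X-Timestamp", "X-Nonce", "X-Signature")


def request_mac(key, user, device_id, method, path, ts, nonce):
    """MAC over everything that identifies the request and the identity behind it."""
    msg = "|".join([user, device_id, method, path, str(ts), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdentityGateway:
    """Server side: holds keys enrolled per (user, device) and verifies every request."""

    def __init__(self):
        self.devices = {}        # (user, device_id) -> key issued at enrolment
        self.seen_nonces = set()  # replay cache; bound it by REQUEST_MAX_AGE in production

    def enroll(self, user, device_id):
        key = secrets.token_bytes(32)  # in practice generated inside the device's secure element
        self.devices[(user, device_id)] = key
        return key

    def verify(self, headers, method, path, now):
        """Return (ok, reason). Runs on every request, not only at login."""
        try:
            user, device_id, ts, nonce, sig = (headers[h] for h in AUTH_HEADERS)
            ts = int(ts)
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        key = self.devices.get((user, device_id))
        if key is None:
            return False, "unknown device for user"   # valid password, unenrolled device
        if abs(now - ts) > REQUEST_MAX_AGE:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = request_mac(key, user, device_id, method, path, ts, nonce)
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"             # tampered request or wrong key
        self.seen_nonces.add(nonce)
        return True, "ok"


class EnrolledDevice:
    """Client side: signs each outgoing request with the key enrolled for this device."""

    def __init__(self, user, device_id, key):
        self.user, self.device_id, self.key = user, device_id, key

    def sign_request(self, method, path, now):
        nonce = secrets.token_hex(8)
        sig = request_mac(self.key, self.user, self.device_id, method, path, now, nonce)
        return dict(zip(AUTH_HEADERS, (self.user, self.device_id, str(now), nonce, sig)))


def demo(now=1_600_000_000):
    """Walk through the cases a defender cares about; returns {case: reason}."""
    gw = IdentityGateway()
    laptop = EnrolledDevice("alice", "laptop-01", gw.enroll("alice", "laptop-01"))
    results = {}
    good = laptop.sign_request("GET", "/payroll", now)
    results["legitimate request"] = gw.verify(good, "GET", "/payroll", now)[1]
    results["captured request replayed"] = gw.verify(good, "GET", "/payroll", now + 5)[1]
    tampered = laptop.sign_request("GET", "/payroll", now)
    results["method changed in transit"] = gw.verify(tampered, "POST", "/payroll", now)[1]
    old = laptop.sign_request("GET", "/payroll", now)
    results["request presented too late"] = gw.verify(old, "GET", "/payroll", now + 100)[1]
    # Attacker knows alice's password but has no enrolled device key (constructed zero key).
    stranger = EnrolledDevice("alice", "unenrolled-box", b"\x00" * 32)
    results["stolen password, unenrolled device"] = gw.verify(
        stranger.sign_request("GET", "/payroll", now), "GET", "/payroll", now)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:40s} -> {reason}")
```

The design choice worth noting is that the gateway never asks "did this person log in earlier?" but "can this request be tied to an enrolled identity right now?" That is what makes a leaked credential far less useful: the password may open the enrolment door once, but without the device key every subsequent request fails at the gateway.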

Marc Rogers
Senior Director, Cybersecurity Strategy

Marc Rogers is the Senior Director of Cybersecurity at Okta. With a career that spans more than thirty years, he has been hacking since the ’80s and is now a white-hat hacker. Prior to Okta, Marc served as the Head of Security for Cloudflare and spent a decade managing security for the UK operator Vodafone. He was a CISO in South Korea and co-founded a disruptive Bay Area startup. In his role as technical advisor on “Mr. Robot,” he helped create hacks for the show. And, as if that’s not enough, he also organizes the world’s largest hacking conference: DEF CON. In early 2020, Marc co-founded the CTI League, a global volunteer-based organization that defends healthcare during the pandemic.