Hackers see opportunity in crisis: how should you respond?

Cyberthreats and attacks on enterprises increased markedly during the COVID-19 emergency. Malicious actors took advantage of frightened users and unprepared administrators to refocus cyberattacks, even against those tackling the crisis directly.

All kinds of attacks have ramped up since the world went into COVID-19-enforced lockdown. A major car manufacturer was the victim of a massive attack, which impacted its operations, disrupting access to servers, email and other internal systems. Orange Cyberdefense is Orange Group’s dedicated, expert security business unit, and our UK team is typically accustomed to dealing with an average of one Pulse Secure VPN engagement per month; as of March 23, 2020, we had responded to six, as the COVID-19-powered increase in cyberattacks ramped up. Orange Cyberdefense also found that during the week of March 26, approximately 8,900 new DNS domains related to the terms “corona-virus,” “covid-19” and “ncov” were registered – more than double when compared to the previous week – and the number of emails validated as malicious was four times higher than the previous week.

The University of Cambridge tracked a three-fold increase in distributed denial-of-service (DDoS) attacks, driven to some extent by a new wave of amateur cybercriminals and access to inexpensive cybercrime tool kits. “Anxiety over serious economic problems such as job losses and business closures may be prompting some people to step up existing harmful online activity as a means of generating income,” said Dr. Ben Collier of Cambridge Cybercrime Centre.

Both Interpol and Europol have warned of huge spikes in COVID-19-related fraud. In mid-April, Google reported that in just one week, it had seen over 18 million daily malware and phishing emails related to COVID-19 scams being sent via Gmail alone, and that was on top of the 240 million daily COVID-19-related spam messages Google tracked.

“The thing about the crisis that’s most significant from a cybersecurity perspective is the whole switch to working from home and an accelerated adoption of the cloud. In March, we released a paper titled COVID-19: A biological hazard goes digital, about the impact of the COVID-19 crisis on cybercrime, and at that time, around one-third of the world was working from home. It was a significant shift, and many companies around the world, large and small, were suddenly forced to adapt to this new reality and protect users who were connecting from less secure environments.”

Charl van der Walt, Head of Security Research at Orange Cyberdefense

The vicious circle

The enforced working from home of millions of people, plus the increase in cyberattacks by malicious actors, created a vicious circle: more threats and more attacks on more endpoints and more people in more vulnerable environments. During the crisis, many workers have been relying on unsecured computer systems, mobile devices and remote connectivity to corporate networks to do their work and keep companies up and running.

Malicious actors have been exploiting the overall vulnerabilities of the situation to their advantage, with attacks like phishing campaigns and malware distribution through apparently genuine websites or documents providing information or advice on COVID-19 being used to infect computers and obtain user credentials. The World Health Organization (WHO) has reported a five-fold increase in attacks on its staff. Fraud schemes have tricked people into buying items like facemasks, hand sanitizer, and fake medicines claiming to prevent or cure COVID-19. And on it goes.

How have IT teams responded?

The threat landscape on the back of COVID-19 has changed noticeably. “On top of the increased level of threats, the level of vulnerability is a thing, too. The home is less secure, and IT security teams were having to deal with this while working in constrained circumstances themselves,” says Charl van der Walt.

“It’s clear that attackers have pivoted because of the nature of the situation we are in. Phishing emails using COVID-19, fake tracking apps, remote access as a target, particular kinds of organizations and systems are targets, particularly if they are involved with the crisis directly,” continues Charl van der Walt. “Attackers are leveraging the crisis as an opportunity to vary their tactics, but at the same time, I think IT teams have reacted well. There hasn’t been much sign of effective cybercrime increasing, despite the massive increase in the number of attacks. Indeed, there are signs that the use of COVID as a premise or lure is settling down into a small but consistent portion of the overall volume of malicious activity. I think that businesses are overall carrying on as usual, and IT security teams are doing a good job. The challenge now has less to do with what the attacker is doing, but how IT and security teams adapt to the ‘new normal’ of rapid business transformation, large-scale work from home and accelerated cloud adoption.”

What should you do?

Orange Cyberdefense research found that during the COVID-19 lockdown, employees are more vulnerable to social engineering and scams than usual. Meanwhile, enterprises have less control and visibility of the IT systems they must protect. Users may be connecting from insecure systems, and enterprises might have rushed to implement remote access systems too quickly. While this is happening, cyberdefense teams may have been operating with diminished capacity.

Some useful tips include:

  1. Establish emergency response procedures and systems
  2. Establish a security support hotline and prepare to expand the team providing support
  3. Review your backup and disaster recovery (DR)
  4. Equip your users with the information they need to make good security decisions
  5. Provide secure remote access
  6. Establish visibility over as many of your remote endpoints as possible
 

Working from home is very likely here to stay, so it is advisable to treat it as a discipline and approach it formally. As with cybersecurity within the enterprise, there are steps you can take to minimize risk and mitigate threats.

And overall, remain rational. It is a time of heightened threat but only marginally increased vulnerability. And your vulnerability is something you can control by following sensible steps.

For more information, listen to the recent Orange Cyberdefense webinar discussing the latest in cybersecurity response to COVID-19.