The cyber threat landscape amidst Covid-19


Various threat actors – from script kiddies to state-sponsored hackers – are taking full advantage of Covid-19 through a variety of scams, including ransomware and phishing campaigns. Unsurprisingly, the combination of people spending more time online and their anxiety about the pandemic has played right into the hands of cybercriminals. As long as Covid-19 precautions remain in place and permeate almost every aspect of our lives, we must continue to ramp up our cybersecurity precautions and remain on high alert for suspicious activity.

My company, 4iQ, recently released its Covid-19 Threat Report, which examines the rise in cyber threats during the coronavirus pandemic and their impact on consumers and businesses worldwide. Throughout our research, we observed trends in the most common threats, the most active threat actors behind these attacks, and how all of this is reflected on the deep and dark web.

The most common threats

Sextortion email scams, in which cybercriminals attempt to extort money from victims by threatening to reveal compromising information, are on the rise. In one example we found, the email quoted what it claimed was the victim’s username and password, most likely lifted from an earlier data breach, and demanded payment by bitcoin transfer in return for keeping the victim’s “dirty little secrets” undisclosed. A real, if old, password is what gives these emails their credibility; the sender usually has no access to the victim’s device, and the practical response is to ignore the demand and change that password anywhere it is still in use. The attack scheme took advantage of the Covid-19 crisis – the scammer claimed to have the ability to “infect [the victim’s] whole family with coronavirus.”

Fake news – misinformation or propaganda published under the guise of legitimate news – has also proliferated in the wake of the pandemic. We found messages promoting fraudulent products that “cure, treat or prevent Covid-19”. Similarly, conspiracy theories are rife: we have found social media campaigns claiming that Covid-19 is a hoax and spreading rumors about the origin of the pandemic. A fake news campaign claimed the Covid-19 virus had been stolen from a Canadian lab.

Although several prominent hacking groups have pledged to stop attacking healthcare organizations during the pandemic, not all threat actors have halted attacks on healthcare, particularly ransomware campaigns. Ransomware is a type of malware that prevents users from accessing their systems by locking their screens or encrypting their files until a ransom is paid. During this lockdown period, we detected a number of attacks, including: REvil/Sodinokibi, which actively exploits gateway and VPN vulnerabilities to gain a foothold in target organizations; Clop ransomware, which infects only Microsoft Windows and is deployed across an entire network rather than on individual workstations; and Locky ransomware, which used a coronavirus lure to deliver a downloader to the target’s computer.

Another widespread attack method we observed in our research was phishing. Cybercriminals spoofed credible organizations like the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC) to trick recipients into clicking malicious links or attachments. Phishing emails are often easy to spot (bad grammar, a threatening call to action, a suspicious sender, or a sending domain that is not the organization’s real one, such as who.int or cdc.gov), but in uncertain times it is easy to act out of anxiety and visit sites you would not otherwise visit. At 4iQ, we have seen a significant increase in coronavirus-themed domains. These malicious websites often use terms related to protective gear, test kits, and vaccines.

The most active threat actors

In addition to understanding the nature of an attack, it is important to understand who is behind it and what their motives are. We have broken down the most common threat actors into three categories: script kiddies, professional hackers, and state-sponsored hackers. Script kiddies are unskilled individuals who take advantage of existing malware. The creators of the MBRLocker malware, which has reportedly reappeared during this crisis, are believed to be script kiddies.

Professional hackers rely on phishing as their initial attack vector. For example, some of these cybercriminals used WHO details, such as logos and images, to create legitimate-looking phishing emails. These emails redirected victims to a fake landing page that solicited the username and password associated with the person’s email address. Ransomware gangs are also a significant threat to businesses. Maze and Doppelpaymer, two of the most well-known ransomware groups, have stated that they will avoid targeting healthcare organizations, but other professional hackers are still active and trying to wreak havoc.
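The phishing signals described here and in the earlier section (a sender whose display name claims to be the WHO or CDC but whose domain is not theirs, a threatening call to action, and coronavirus-themed link domains) can be expressed as a simple triage check. The following Python is an added example and not 4iQ’s code or tooling; the brand allow-list, the keyword list and the two sample messages are constructed for illustration.

```python
"""Heuristic triage of Covid-themed phishing emails.

Added example (not 4iQ's code or tooling): the signals the article lists
(suspicious sender, threatening call to action, coronavirus-themed link
domains) expressed as checks over a parsed message. The brand allow-list,
keyword list and sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Organisations commonly impersonated in Covid-19 lures and the domains that
# legitimately send on their behalf (assumed allow-list for the example).
IMPERSONATED_BRANDS = {
    "world health organization": {"who.int"},
    "centers for disease control": {"cdc.gov"},
}

# Terms the article reports in coronavirus-themed domains, plus obvious variants.
# Substring matching is deliberately loose; tune the list before production use.
COVID_TERMS = ("covid", "corona", "vaccine", "testkit", "test-kit", "mask", "ppe", "n95")

URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended", "act now")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels ('mail.who.int' -> 'who.int').

    Good enough for the example; a real deployment should use the Public
    Suffix List so that multi-label suffixes such as .co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_message: str) -> dict:
    """Return {'score': int, 'reasons': [...]} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.split("@")[-1]) if "@" in address else ""
    if msg.is_multipart():
        body = "".join(part.get_payload() for part in msg.walk()
                       if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    reasons = []

    # 1. Suspicious sender: a brand name in the display name, but a sending
    #    domain that brand does not use.
    for brand, domains in IMPERSONATED_BRANDS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            reasons.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Coronavirus-themed link domains (term in the host, not just the path),
    #    or links that point somewhere other than the sender's own domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if any(term in host.lower() for term in COVID_TERMS):
            reasons.append(f"covid-themed link domain: {host}")
        elif sender_domain and registered_domain(host) != sender_domain:
            reasons.append(f"link domain {host} differs from sender domain")

    # 3. Threatening call to action.
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            reasons.append(f"urgency phrase: '{phrase}'")
            break

    return {"score": len(reasons), "reasons": reasons}


# Constructed sample: a WHO lure sent from a look-alike domain.
SAMPLE_PHISH = """\
From: World Health Organization <alerts@who-covid19-update.example>
To: employee@corp.example
Subject: Coronavirus safety measures

Please review the attached safety measures immediately:
https://covid19-vaccine-info.example/login
"""

# Constructed benign message for contrast.
SAMPLE_BENIGN = """\
From: IT Helpdesk <helpdesk@corp.example>
To: employee@corp.example
Subject: VPN maintenance window

The VPN gateway will be patched on Saturday. See https://intranet.corp.example/notices
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(triage(sample))
```

The sample lure scores on all three signals while the helpdesk notice scores zero. The score is only a triage aid: a brand in the display name with a foreign sending domain is the strongest single indicator, and a real deployment would also check SPF/DKIM results rather than the From header alone.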

Finally, state-sponsored hackers in China, Vietnam, North Korea and other countries are using this crisis to create phishing emails targeting officials and government employees with the aim of spreading malware. With the 2020 US presidential election just around the corner, we may see more activity from these nation-state threat actors.

The deep and dark web

We have seen a significant increase in the number of threads, items for sale and hacking information related to Covid-19 on deep and dark web forums. Coronavirus masks, tests and even “vaccines” are commonly sold items, with prices varying by market.

As more people stayed at home, downloads of social media and collaboration apps surged, and underground forums followed the trend. In March 2020, TikTok was the most downloaded non-gaming app globally, followed by WhatsApp and Zoom. With millions of people working from home and relying on teleconferencing software, we analyzed forum activity and uncovered leaked Zoom credentials, including email addresses, usernames and passwords. Lists like this are often assembled by replaying passwords from older breaches against the new service, so password reuse, rather than a flaw in the application itself, is usually the underlying exposure.
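To make that exposure concrete, the following Python is an added example (not 4iQ’s code or tooling) that parses a credential dump of the kind described here and in the sextortion section, lists which accounts under a given organization domain appear in it, and checks a password against the dump using the hash-prefix (k-anonymity) query pattern, so that the full password hash never leaves the client. The dump contents, the domain corp.example and the passwords are constructed samples.

```python
"""Checking accounts against a leaked credential dump without shipping passwords.

Added example, not 4iQ's code: a combolist is parsed into 'email:password'
pairs, organisation accounts are pulled out by domain, and a password is
checked against the dump with the hash-prefix query pattern (client sends a
5-character SHA-1 prefix, server returns all matching suffixes, client matches
locally). SHA-1 is the lookup convention here, not a password-storage choice.
The dump, domain and passwords are constructed samples.
"""
import hashlib
from collections import defaultdict

# Constructed excerpt of a combolist as traded on underground forums.
LEAKED_DUMP = """\
alice@corp.example:Spring2020!
bob@corp.example:Zoom1234
carol@other.example:letmein
dave@corp.example:Summer2020!
mallory@corp.example:
"""


def parse_dump(text: str) -> list:
    """Parse 'email:password' lines; skip blanks and entries with no password."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        if password:
            pairs.append((email.lower(), password))
    return pairs


def exposed_accounts(pairs, org_domain: str) -> set:
    """Which accounts under org_domain appear in the dump (matched by email only)."""
    suffix = "@" + org_domain.lower()
    return {email for email, _ in pairs if email.endswith(suffix)}


def build_hash_index(pairs) -> dict:
    """Server side: SHA-1 of each leaked password, bucketed by 5-char hex prefix."""
    index = defaultdict(set)
    for _, password in pairs:
        digest = hashlib.sha1(password.encode()).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


def range_query(index, prefix: str) -> set:
    """Server side: every suffix sharing the prefix (empty set if none)."""
    return set(index.get(prefix.upper(), ()))


def password_is_leaked(password: str, index) -> bool:
    """Client side: send only the 5-char prefix; compare the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    candidates = range_query(index, digest[:5])
    return digest[5:] in candidates


if __name__ == "__main__":
    pairs = parse_dump(LEAKED_DUMP)
    index = build_hash_index(pairs)
    print("exposed accounts:", sorted(exposed_accounts(pairs, "corp.example")))
    for pw in ("Zoom1234", "CorrectHorseBatteryStaple"):
        print(pw, "->", "in dump" if password_is_leaked(pw, index) else "not in dump")
```

The email match is what tells a security team which users to force through a password reset; the prefix query is what lets a user or a login flow ask “is this password known to be leaked?” without handing the password, or its full hash, to whoever holds the dump.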

Looking ahead

The bottom line is that cybercriminals will persistently capitalize on the Covid-19 pandemonium. Global companies are busy juggling employee security with business continuity efforts and, in most cases, lost revenue, but cybersecurity cannot be neglected.

Encouragingly, a May 2020 report by LearnBonds found that nearly 70 percent of large organizations are planning to increase their cybersecurity spending due to Covid-19. Most importantly, individuals must remain vigilant for suspicious activity related to Covid-19 at this time. If you’re the recipient of a suspicious email, immediately alert your company’s security team and report it to the Anti-Phishing Working Group or the Federal Trade Commission. There are many resources that organizations and individuals can use to combat these threats. Cybercriminals don’t take a break, so neither can we.

Claire Umeda, Vice President, 4iQ

