In our previous stories, you might have already read about various campaigns warning how threat actors are capitalizing on the ongoing coronavirus pandemic in an attempt to infect your computers and mobile devices with malware or scam you out of your money.
Unfortunately, to some extent, it’s working, and that’s because the attack surface is changing and expanding rapidly as many organizations and business tasks are going digital without much preparation, exposing themselves to more potential threats.
Most of the recent cyberattacks are primarily exploiting the fears around the COVID-19 outbreak—fueled by disinformation and fake news—to distribute malware via Google Play apps, malicious links and attachments, and execute ransomware attacks.
Here, we took a look at some of the wide range of unseen threats rising in the digital space, powered by coronavirus-themed lures that cybercriminals are using for espionage and commercial gain.
The latest development adds to a long list of cyberattacks against hospitals and testing centers, and phishing campaigns that aim to profit off the global health concern.
Coronavirus-themed Digital Threats
“Every country in the world has seen at least one COVID-19 themed attack,” said Rob Lefferts, corporate vice president for Microsoft 365 Security. These attacks, however, account for less than 2% of all attacks analyzed by Microsoft on a daily basis.
“Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic,” Lefferts added. “This means we’re seeing a changing of lures, not a surge in attacks.”
1 — Mobile Malware
Check Point Research uncovered at least 16 different mobile apps, which claimed to offer information related to the outbreak but instead contained malware, including adware (Hiddad) and banker Trojans (Cerberus), that stole users’ personal information or generated fraudulent revenues from premium-rate services.
“Skilled threat actors are exploiting people’s concerns about coronavirus to spread mobile malware, including Mobile Remote Access Trojans (MRATs), banker trojans, and premium dialers, via apps which claim to offer Coronavirus-related information and help for users,” Check Point Research said in a report shared with The Hacker News.
All the 16 apps in question were discovered on newly created coronavirus-related domains, which have seen a huge spike over the past few weeks.
2 — Email Phishing
In a separate report published today and shared with The Hacker News, cybersecurity firm Group-IB claims to have found that most COVOD-19 related phishing emails came with AgentTesla (45%), NetWire (30%), and LokiBot (8%) embedded as attachments, thereby allowing the attacker to steal personal and financial data.
The emails, which were sent between February 13 and April 1, 2020, masqueraded as health advisories from the World Health Organization, UNICEF, and other international agencies and companies such as Maersk, Pekos Valves, and CISCO.
3 — Discounted off-the-shelf Malware
Group-IB’s research also found more than 500 posts on underground forums where users offered coronavirus discounts and promotional codes on DDoS, spamming, and other malware services.
This is consistent with Check Point Research’s earlier findings of hackers promoting their exploit tools on the darknet with ‘COVID19’ or ‘coronavirus’ as discount codes.
4 — SMS Phishing
The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) also issued a joint advisory about fake SMS messages from senders such as “COVID” and “UKGOV” which contain a link to phishing sites.
“In addition to SMS, possible channels include WhatsApp and other messaging services,” CISA cautioned.
5 — Face Mask and Hand Sanitizer Scams
Europol recently arrested a 39-year-old man from Singapore for allegedly attempting to launder cash generated from a business email scam (BEC) by posing as a legitimate company that advertised the fast delivery of FFP2 surgical masks and hand sanitizers.
An unnamed pharmaceutical company, based in Europe, was defrauded out of €6.64 million after the items were never delivered, and the supplier became uncontactable. Europol had previously seized €13 million in potentially dangerous drugs as part of a counterfeit medicine trafficking operation.
6 — Malicious Software
As people increasingly work from home and online communication platforms such as Zoom and Microsoft Teams become crucial, threat actors are sending phishing emails that include malicious files with names such as “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” in a bid to trick people into downloading malware on their devices.
7 — Ransomware Attacks
The International Criminal Police Organization (Interpol) warned member countries that cybercriminals are attempting to target major hospitals and other institutions on the front lines of the fight against COVID-19 with ransomware.
“Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid,” Interpol said.
Protecting Yourself from Coronavirus Threats Online
“Malicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception,” CISA said.
“Malicious cyber actors are using the high appetite for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant.”
The NCSC has offered guidance on what to look out for when opening coronavirus-themed emails and text messages that contain links to such fake websites.
In general, avoid clicking on links in unsolicited emails and be wary of email attachments, and do not make meetings public and ensure they are protected by passwords to prevent videoconferencing hijacking.
A running list of malicious websites and email addresses can be accessed here. For more tips on how to protect yourself from COVID-19 related threats, you can read CISA’s advisory here.