FortiGuard Labs Perspectives
Over the past several weeks, the FortiGuard Labs team has been monitoring a significant spike in coronavirus and COVID-19 related threats. Significant social events are usually a catalyst for new threats to emerge – there are always evil people looking to exploit others during times of crisis – and the current situation is no different. Cybercriminals understand that times of rapid transition can cause serious disruptions for organizations. In the rush to ensure business continuity, things like security protocols can get overlooked, and criminals are looking to take advantage of any inadvertent security gaps.
While this sort of response to the current crisis is not unexpected, what is surprising is the volume of new threats we are seeing in such a short period of time. Trolling the Dark Web looking for new criminal trends, themes, and malware reveals an alarming number of advertisements pitching pandemic-related scams, such as offers to provide Chloroquine and other medicines and medical devices, all preying on fears about the current pandemic.
We have also seen an enormous spike in coronavirus-related scams – money scams, shared riding service scams, money transfer scams, credit card scams, and even scam kits designed for novice cybercriminals known as script kiddies.
An unprecedented number of unprotected users and devices are now all online at the same time. In any home, right now, there are likely one or two people connecting remotely to work through the home internet connection. There may also be kids at home engaged in remote learning part of the time and connected to their friends the rest. And the entire family is engaged in multi-player games, talking with their friends in online chat rooms and over social media, as well as streaming music and video.
It’s a perfect storm of opportunity for cybercriminals.
As a result, the FortiGuard Labs team is seeing an average of about 600 new phishing campaigns per day. Their content is designed to either prey on the fears and concerns of individuals, take advantage of new circumstances, or pretend to provide essential information. These phishing attacks range from scams related to helping individuals deposit their stimulus checks, to providing access to hard to find medical supplies, to providing helpdesk support for new teleworkers.
This first tier of threats is designed to take advantage of people who are either concerned or sitting at home with nothing to do. In addition to online scams targeted at adults, some phishing attacks target kids' computers and gaming systems with offers of online games and free movies, or even access to credit cards to buy online games or shop at online stores. Multiple sites are illegally streaming Hollywood movies still in theatres while also secretly distributing malware to anyone who logs on. Free game, free movie, and the attacker is on your network.
While these attacks start with a phishing message, their end goal is to steal personal information or even to target businesses through their new teleworkers. This is why the majority of these phishing attacks contain malicious payloads – including ransomware, viruses, remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, and even RDP (remote desktop protocol) exploits.
Making matters worse, not every organization was able to procure enough laptops for every employee who now needs to work remotely. As a result, many teleworkers are using their personal devices to connect to the corporate network. Those devices are not only being used for things like social media, shopping, and streaming entertainment; they are also generally far less protected by desktop security and endpoint protection solutions, which means they are far more vulnerable to the malware being pushed by these phishing attacks.
And these devices don't even need to be attacked directly. Because they are all connected to the home network, attackers have multiple avenues of attack that can be exploited – including other computers, tablets, gaming and entertainment systems, and even online IoT devices such as digital cameras, smart appliances, and smart home tools such as doorbells, alarm systems, climate control devices, and smart lighting – with the ultimate goal of finding a way back into a corporate or school network and its valuable digital resources.
If the device of a remote worker can be compromised, it can become a conduit back into the organization’s core network, enabling the spread of malware to other remote workers. The resulting business disruption can be just as effective as ransomware targeting internal network systems at taking a business offline. Since helpdesks are now remote, devices infected with ransomware or a virus can incapacitate workers for days while devices are mailed in for reimaging.
To that point, we have seen a significant rise in viruses, many of which are included in these malicious phishing attachments. During the first quarter of 2020, for example, we have documented a 17% increase in viruses for January, a 52% increase for February, and an alarming 131% increase for March compared to the same months in 2019.
Interestingly, we have also seen a reduction in more traditional attack methods. During the first quarter, for example, botnet activity changed month over month by -66%, -65%, and -44% compared to the same time period in 2019. Likewise, IPS-based triggers have also dropped by -71% in January and -58% in March compared to 2019, with a slight uptick in February of 29%. This seems to indicate that cybercriminals are adjusting their attack strategies in order to take advantage of the current crisis.
It is essential that organizations take measures to protect their remote workers and help them secure their devices and home networks. Consider adopting the same strategy for cyber viruses that we are adopting in the real world: cyber social distancing is all about recognizing risks and keeping our distance. Here are a few critical steps to consider:
Organizations that are in a hurry to move to a remote worker model to maintain business continuity are likely to make mistakes that criminals will exploit. Knowing the risks is a critical first step. The next step, and often the hardest, is doing something about it. With operational and business continuity so critical, this is not a challenge that can be safely put off. Cybercriminals are all too willing and able to take advantage of this crisis for their personal gain.