By Douglas Jose Pereira dos Santos and Jonas Walker | June 03, 2020
It’s not news that cybercriminals leverage panic, doubt, and sometimes even go a step further and do recon on a target before crafting that enticing and urgent email, all in the hopes of increasing the possibility that a victim will open an email and fall prey to their efforts.
But how are the COVID-19 attacks being delivered? What types of malware are being deployed, and with what objective? We recently sat digitally with two FortiGuard Labs threat researchers involved in the response of some of these malicious campaigns to hear their perspective about these attacks.
From the attacks that you have seen recently, which components are being leveraged and why?
Jonas: From a social engineering point of view, I can say that the panic component is being maximized, especially now with all of these campaigns related to COVID-19 targeting hospitals, manufacturers of medical equipment, and health insurance companies. They leverage the fact that there is a shortage of medical equipment and supplies and use this as an advantage.
Douglas: These campaigns are increasingly gaining traction as there is misinformation and fear around the world concerning the pandemic, and this is being exploited by cybercriminals. More than ever, due-diligence can’t be stressed enough, especially if an email or other communication seems to be something urgent and/or from untrusted sources. I know that some may argue that being extra cautious is counterproductive. Still, I think that nothing is more counterproductive or destructive than having your entire company brought down because someone didn’t double-check before clicking on a file.
How do most of these attacks start, and what are they exploiting exactly?
Jonas: Most of these attacks are being delivered via email, so typically they are mass spam campaigns. However, we are also seeing some are very targeted attacks, along with some accidental and planned DDoS attacks as well. Of course, DDoS can be directly caused by attackers, or simply by the sheer volume of use that this new scenario has generated. On top of that, now that everyone is connected most of the time with remote work and videoconferencing, along with video streaming, browsing and online shopping, or playing online games, many infrastructures were not prepared to receive this new wave of demand. On top of this, email-based threats are exploiting the sense of urgency and panic around the pandemic, often masquerading as government health organizations, NGOs, or suppliers of medical equipment.
Douglas: Keep this in mind. If an email suddenly shows up appearing to offer something that will “save a vital organizational problem,” it could very likely be a cybercriminal scheme.
What are the most common threats that we are seeing leveraging COVID-19 themes?
Jonas: The goals of these email threats carry is to deliver malware to a system, which in the case of these campaigns using COVID-19 themes are mostly info-stealers, ransomware, and RATs (A Remote Access Trojan is a type of malware that allows hackers to monitor and control a computer or network.) We believe that in times like these, where there are a lot of people tapping into their savings and bitcoins and actively engaged in online e-commerce, that cybercriminals want to leverage this trend to increase their chances of stealing credentials.
Douglas: Yes, that is a logical conclusion to be drawn from info-stealers. For the ransomware threats, which are mostly being targeted at critical infrastructures, they are leveraging the fact that during critical times critical infrastructures are even more important, and that a company that is targeted is more likely to pay a ransom in the hopes of getting their infrastructure up and running. This was true before the pandemic, but we are now seeing an uptick in ransomware detections around critical infrastructure.
Are there any new techniques or tricks that attackers are using to spread these attacks and how sophisticated are these attacks?
Douglas: Not particularly new, but they are still sophisticated. Many feature several obfuscations and anti-VM, anti-analysis and anti-debugging techniques. These multi-stage attacks are generally delivered by malicious macros loaded into documents, but some of them are straight executables that, when decompiled or executed, will reveal an AutoIT script (a well-known packer that is used as an anti-AV trick).
After this, the normal virus lifecycle continues. These threats look for a legitimate system process to live in momentarily (process injection), and thy then continue carrying on the attack by downloading another malicious executable hosted in common file-sharing services.
Jonas: Yes, they leverage very well-known advanced attack techniques and layers of obfuscation, which points to threat actors that have a decent capability of breaking into networks, and they should be treated as such. In times like these, highly advanced threat actors will leverage the fact that people are even more fearful and anxious, combined with organizations that have had to rapidly retool their networks to support remote workers, which they know often leads to some relaxed cyber hygiene practices.
Have we seen any new vulnerabilities in these attacks?
Douglas: So far, all the attacks we have seen are leveraging known techniques and are mostly propagated through user negligence, as well as a lack of proper security measures such as internal segmentation, EDR, sandboxing, email security, and proper access control.
Is any industry or region more heavily targeted and why?
Jonas: Countries that have been heavily hit by the pandemic seem to be the most likely targets. As expected, industries involved in the immediate response to the pandemic are targets as well – especially if those companies operate in a country that has been hit hard by the pandemic. Critical services, such as gas, oil, and power plants, have also seen a share of these attacks.
What can organizations and individuals do to protect themselves?
Douglas: Organizations should focus their efforts on cybersecurity user awareness training, as well as creating and maintaining a cybersecurity mindset throughout the company in every process and interaction, whether personal or corporate. Having a robust email security solution with a sandbox can also stop these threats at the network perimeter. Not allowing these phishing emails to propagate and reach the user’s email inboxes in the first place is ideal. Now that many organizations have settled into their new remote worker environment, it’s time to go back through all of the changes that were made to close any security gaps that may have been introduced.