
McAfee, CrowdStrike, Palo Alto Networks track evolving COVID-19 cyberattacks

As cyberattacks and threats continue to grow and mutate along with the COVID-19 pandemic, three security reports from CrowdStrike, McAfee, and Palo Alto Networks shine a spotlight on how these attacks are evolving — and they indicate that businesses aren’t as prepared to secure their now-remote workforce as they think.

CrowdStrike reported twice as many intrusions in the first quarter of 2020 compared to all of 2019. The security vendor’s new Work Security Index found that despite an increasing number of advanced cyberthreats surrounding COVID-19 — including a 10,000% increase in COVID-19 themed malicious files in the past month — business leaders believe their companies aren’t at a greater risk of suffering from a cyberattack and are not properly educating employees about emerging threats.

In fact, 89% of respondents believe their devices are secure against advanced cybersecurity threats while working from home. And 50% said they believe the likelihood of their business experiencing serious cybercrime is less than or roughly the same as before COVID-19.

CrowdStrike Eyes COVID-19 Security

There are a couple of reasons for this discrepancy, said Thomas Etheridge, CrowdStrike’s VP of services. “There’s a perception that the tempo at which businesses operate has slowed,” he explained. While in some cases that’s true, most companies’ business tempo has stayed the same or increased. “People are spending less time commuting to and from an office and it’s easier in some cases to connect via email or through Zoom or other types of video conferencing,” he explained. “So the tempo has been consistent if not, in some cases, gone up.”

Also, there’s a “general unawareness” of how employees access the company network, he added. While more than half (56%) of respondents globally are currently working from home more often because of the COVID-19 crisis, 60% are using their own personal devices, which likely do not have the same corporate security protections, the CrowdStrike report found. “Many of those devices don’t have the same protection and monitoring capabilities built in compared to corporate laptops and other machines,” Etheridge said.

Additionally, 53% of participants said their company has not provided any additional cybersecurity training on the risks associated with remote work.

Phishing Attacks Play on Pandemic Fears

Meanwhile, Etheridge said he and his security peers have seen triple-digit growth in the number of phishing attacks playing on people’s fears about the COVID-19 pandemic or promising new information or updates about the virus. “We’re seeing a tremendous volume of phishing campaigns, many of which are leveraging COVID-19 kind of themes in order to try to compromise endpoints,” he said.

Additionally, eCrime activity is on the uptick, both in terms of ransomware and malware attacks in general, but also in terms of techniques that cybercriminals use to access corporate networks and steal data. CrowdStrike has observed these types of COVID-19-themed campaigns in multiple languages, using multiple attachment types, and they have followed the path of the virus as it has moved around the globe.

McAfee Labs’ latest report highlights the last few months of pandemic-themed malware and security threats. Raj Samani, McAfee chief scientist and fellow, said his team first started seeing COVID-19 themed attacks in January. This included a phishing campaign with “COVID-19” in the attached document’s filename. Once users opened the attachment, they released malware onto their computer — a strain of the Ursnif banking Trojan that attackers use to steal usernames, passwords, and user behavior information.

McAfee Records Cybercriminals’ COVID-19 Pivots

“We started to see more spikes in March, and then toward the middle of March we began to see more volume,” Samani said. “A lot of it was more low-level fraud, and then we started to see more capable threat actors hiding amongst all of that noise. But the other part: it’s not just COVID-related because a lot of the threat actors are also pivoting. You’ve got the more indirect consequences of the pandemic, which is stimulus checks or being able to sign up with government systems to be able to get bailouts. So [threat actors] have been very quick on jumping on that as a vector.”

In late March, McAfee started seeing a phishing campaign that used the Small Business Administration’s loan program to lure people into opening it. It then downloaded the information-stealing Remcos remote access tool (RAT) malware onto their machines. Also in March, McAfee saw scam COVID-19 testing emails that prompted users to open a document, which would then download Trickbot malware.

Scam antibody research and testing phishing campaigns followed later in the month. And in April, McAfee saw the emergence of COVID-19 campaigns using subject lines such as “COVID-19 Urgent Precaution Measures” to distribute the NanoCore RAT malware, along with fake Johns Hopkins infection maps and bogus insurance invoices.

“And then you’ve got things that are more indirect as a consequence, so with more people using online streaming services to watch TV and videos,” that opens up another attack vector into users’ networks, Samani said. “It’s been really broad, and it’s not just malware, it’s not just fraud. There’s also misinformation.”

At this point in the pandemic, everyone from low-level hackers to nation-states and organized criminals has found a way to use COVID-19 and its consequences to steal money or private data or spread chaos. “It’s like all of the various different forces have come out and said, ‘oh yeah we’ll do COVID,’” Samani said.

He expects the attackers to continue to pivot as the virus evolves and new consequences — such as skyrocketing unemployment — emerge. “The one thing that you can say about criminals is that they know what buttons to push in order to be able to carry out their attacks,” Samani said.

Palo Alto Networks Tracks Cloud Threat Landscape

Meanwhile, Palo Alto Networks’ Unit 42 threat researchers analyzed 1.2 million newly registered domain names containing keywords related to the COVID-19 pandemic between March 9 and April 26. And they found more than 86,600 of these domains are classified as “risky” or “malicious.” The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).

And earlier today, Unit 42 published additional research that indicates public cloud infrastructure has communicated with domains known to distribute COVID-19 themed malware.

“We are seeing both an increase in attacks, but we’re also seeing the subject being used so broadly, so globally,” said Jen Miller-Osborn, deputy director of threat intelligence for Unit 42. “Events of this sort of level don’t happen all of the time. And this isn’t a problem for just bigger organizations being targeted, or one particular vertical or industry. This is being abused globally. This is affecting everyone on the internet.”

Miller-Osborn said Unit 42 expects these COVID-19 related attacks and malicious domains to become the norm, similar to tax season-related threats that crop up every spring. “Until people are no longer interested in it,” she said. “And I think that’s quite a ways away.”

Security vendors, including Palo Alto Networks, sell endpoint security and continuous threat monitoring products that automatically prevent employees from visiting these types of risky domains. But in addition to employing security tools, these attacks emphasize the need to educate employees about cloud-based threats similar to training employees not to click on unknown files that could be phishing campaigns.

“It really highlights that this is a very large and widespread problem that is affecting everyone, so people need to be more aware of what they are clicking on and the source of what they are looking at,” Miller-Osborn said. “Take that step back — do I know this person? Does this email look normal? Do a little checking on the domain a bit to avoid being scammed.”

―SDX Central


Copyright © 2024 Communications Today
