Published on April 8th, 2020
No surge in malicious attacks, just more COVID-19 lures
Microsoft says that the volume of malicious attacks hasn’t increased but, instead, threat actors have repurposed infrastructure used in previous attacks and rethemed attack campaigns to exploit fears surrounding the COVID-19 pandemic.
“Attackers don’t suddenly have more resources they’re diverting towards tricking users; instead, they’re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click,” Microsoft 365 Security Corporate Vice President Rob Lefferts said.
“Once we click, they can infiltrate our inboxes, steal our credentials, share more malicious links with coworkers across collaboration tools, and lie in wait to steal information that will give them the biggest payout.”
The United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) have also issued a joint alert today about ongoing COVID-19 exploitation.
No surge in attacks, just an influx of rethemed attack campaigns
Lefferts explains that Microsoft’s data clearly shows that attackers have simply rethemed their previous campaigns with COVID-19 lures to take advantage of the high stress levels affecting potential victims during the SARS-CoV-2 outbreak.
This translates into malicious actors switching their bait, not into a surge of attacks, as many previously believed after being flooded with COVID-19-themed attacks since the start of the outbreak.
“Our intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment,” Lefferts added.
Based on Microsoft’s telemetry, every country has already been targeted by some type of pandemic-themed attack, with the US, China, and Russia being the ones on which threat actors have focused most of their attacks.
Since these attacks started, Microsoft has already spotted 76 threat variants abusing COVID-19-themed lures, with the Trickbot and Emotet malware families being very active and making use of such lures to exploit the outbreak.
Around 60,000 attacks out of millions of targeted messages feature COVID-19 related malicious attachments or URLs according to Microsoft, based on data collected from thousands of email phishing campaigns every week.
“In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses.”
“While that number sounds very large, it’s important to note that that is less than two percent of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear,” Lefferts explains.
Nation-state actors using COVID-19 lures in attacks targeting healthcare have also been spotted by Microsoft security researchers since the start of the pandemic.
Microsoft is sending notifications to dozens of hospitals affected by such attacks, as well as alerts about vulnerable, exposed VPN devices and gateways on their networks.
Redmond shares news and guidance related to the pandemic on the company’s COVID-19 response page.
CISA and NCSC joint alert on COVID-19 exploitation
Both cybercriminal and advanced persistent threat (APT) groups are actively exploiting the COVID-19 global pandemic in attacks targeting individuals, small and medium enterprises, as well as government agencies and large organizations according to CISA and NCSC.
Furthermore, “both CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors,” the alert says.
“At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.”
Threats observed so far by CISA, NCSC, and the security industry at large include:
• Phishing, using the subject of coronavirus or COVID-19 as a lure,
• Malware distribution, using coronavirus- or COVID-19-themed lures,
• Registration of new domain names containing wording related to coronavirus or COVID-19, and
• Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.
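As an added illustration, not part of the article or of any Microsoft, CISA or NCSC tooling, the following triage heuristic scores inbound mail for the lure pattern the alert describes: pandemic wording combined with a delivery vector, either a link to an untrusted or themed host or a risky attachment. The trusted-host allowlist, the risky-extension set and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Lure vocabulary from the alert: coronavirus / COVID-19 themed wording.
THEME = re.compile(r"(covid|corona|ncov|pandemic)")
# Constructed allowlist of health-authority hosts (assumption, not from the article);
# a real deployment would maintain its own list.
TRUSTED_HOSTS = {"who.int", "cdc.gov", "nhs.uk"}
# Attachment types commonly used for malware delivery (macro documents, archives, scripts).
RISKY_EXT = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".js", ".vbs", ".exe", ".iso"}


def _normalize(text):
    # Collapse separators and case so "Covid_19" or "c-o-r-o-n-a" still match the theme.
    return re.sub(r"[\W_]+", "", text.lower())


def _registered_domain(host):
    # Crude approximation (last two labels); sufficient for the constructed samples.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_message(subject, urls, attachments):
    """Return (score, reasons) for a mail described by subject, URL list and attachment names.
    Theme words alone are weak evidence, so they only count when paired with a delivery
    vector: an untrusted or themed link host, or a risky attachment type."""
    reasons = []
    themed_subject = bool(THEME.search(_normalize(subject)))
    for url in urls:
        host = urlsplit(url).hostname or ""
        if _registered_domain(host) in TRUSTED_HOSTS:
            continue  # links to known health authorities are not flagged
        if THEME.search(_normalize(host)):
            reasons.append(f"themed domain: {host}")
        elif themed_subject:
            reasons.append(f"themed subject with untrusted link: {host}")
    for name in attachments:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in RISKY_EXT and (themed_subject or THEME.search(_normalize(name))):
            reasons.append(f"themed lure with risky attachment: {name}")
    return len(reasons), reasons


# Constructed sample messages (not real indicators).
SAMPLES = [
    ("COVID-19 relief payment", ["http://covid19-relief.example/claim"], []),
    ("Latest guidance", ["https://www.who.int/emergencies"], []),
    ("Corona virus update", [], ["update.docm"]),
    ("Invoice", ["http://billing.example/inv"], ["inv.pdf"]),
]
```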
Guidance to mitigate the risk posed by COVID-19 themed attack campaigns to organizations and individuals is available via the following CISA and NCSC resources: