80% of cyber threat landscape uses COVID-19 as leverage - report

COVID-19 has captured the world’s attention on an unprecedented scale, and there’s hardly an industry or sector that hasn’t been affected in some way by the rapid global spread of the pandemic.

Proofpoint, which specialises in email fraud security, last week released a report outlining the extent to which the coronavirus can drastically change an industry: 80% of the overall threat landscape is using the virus as a theme in its attacks.

This includes attacks that don’t outright mention coronavirus in the subject or body of a message but instead reference it within attachments, links or lures.

Since January 29, when the cybersecurity company first started tracking malicious activity associated with COVID-19, Proofpoint has recorded 500,000 messages, 300,000 malicious URLs, and 200,000 malicious attachments with coronavirus themes across more than 140 campaigns.

Instances of the attacks are rising as the crisis worsens – as fear and panic grow within the general public, attackers become emboldened and take advantage of a once-in-a-century crisis to wreak havoc on security systems.

Nearly every type of established cyber attack has been used with coronavirus themes, including business email compromise (BEC), credential phishing, malware, and spam email campaigns. 

The most popular and effective attack is credential phishing. The threat actors behind these attacks run from small unknown actors to prominent threat actors like TA542 (the group behind Emotet).

Here are some examples of each attack using COVID-19 as leverage to breach security:

Credential phishing – ‘COVID-19 Infected Our Staff’

One credential phishing attack, a relatively small campaign in the US, targets retail companies with a company-wide email and uses concerns about infected staff members to lure victims into clicking, leading to Microsoft Office credential phishing.

The lure – ‘COVID-19 Infected Our Staff’ as the subject line – hooks the reader and leads to the body, which claims ‘a staff member of our company has contracted this deadly disease (COVID-19)’.

The email then encourages the recipient to open/download a malicious attachment titled ‘follow the company’s new protocol.’ The malicious attachment links to a webpage that spoofs the Microsoft Office login and asks the user for their credentials.

Malware – ‘Your Neighbors Tested Positive’

Another small campaign in the US targets energy, construction and telecoms companies with an email using the subject line ‘coronavirus update disease (COVID-19) your neighbors tested positive’.

Playing on the heightened paranoia that comes with such a highly infectious disease, the campaign encourages readers to open a malicious attachment named ‘receipt.xlsm’, which uses macros to download the Remcos remote control tool.

Malware – GuLoader/Agent Tesla with WHO “Solution” for COVID-19

This malware campaign targets manufacturing, construction, transport, healthcare, automotive, energy and aerospace using the GuLoader and Agent Tesla tools.

The email spoofs the real address of the head of the World Health Organisation (WHO), claims there is a ‘solution’ for ‘total control’ and asks the recipient to ‘share with all contacts.’

As is common with many email cyber attacks impersonating a reputable source or organisation, grammatical mistakes are the most glaring clues hinting at malicious intent.

The subject – ‘Breaking!!! COVID-19 Solution Announced by WHO At Last As a total control method is discovered’ – features an overuse of exclamation marks and an abrupt shift from capitalising every word to not. Official emails from a United Nations agency would not look like this.

The attachment contains GuLoader packaged in .iso format.

If the recipient opens and runs the attachment, GuLoader installs Agent Tesla, a Trojan written in Visual Basic that can steal usernames, passwords, and credit card information from the user’s system.
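As an added example (not part of the article or of Proofpoint's report), the following Python triage script checks an email for the lure traits described in the three campaigns above: a coronavirus theme, a risky attachment type (.xlsm macro workbook or .iso container) and an exclamation-heavy subject line, run over constructed sample messages modelled on those lures. Thresholds, attachment file names and sender addresses are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Lure traits drawn from the campaigns described above; thresholds are assumptions.
THEME = re.compile(r"\b(covid-?19|coronavirus)\b", re.I)
RISKY_EXT = (".xlsm", ".iso")   # macro-enabled workbook, disk-image container
MAX_BANGS = 2                   # more '!' than this in a subject is flagged


def triage(raw: str) -> dict:
    """Parse one RFC 5322 message and return the lure indicators it shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = []
    if THEME.search(subject) or THEME.search(text):
        hits.append("covid-theme")   # weak on its own: most threats now use it
    if subject.count("!") > MAX_BANGS:
        hits.append("excess-exclamation")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hits.append("risky-attachment:" + name)
    return {"subject": subject, "indicators": hits, "score": len(hits)}


def build_sample(subject: str, body: str, attachment: str = None) -> str:
    """Constructed test message (not a real capture); attachment bytes are dummies."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"\0" * 16, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples modelled on the three lures in the article, plus a benign control.
SAMPLES = {
    "staff": build_sample("COVID-19 Infected Our Staff",
        "A staff member of our company has contracted this deadly disease (COVID-19)."),
    "neighbors": build_sample("coronavirus update disease (COVID-19) your neighbors tested positive",
        "See the attached receipt.", "receipt.xlsm"),
    "who": build_sample("Breaking!!! COVID-19 Solution Announced by WHO At Last As a total "
        "control method is discovered", "Please share with all contacts.", "solution.iso"),
    "benign": build_sample("Q2 budget review", "Figures attached for review.", "budget.xlsx"),
}
```

Calling `triage()` on each entry in `SAMPLES` shows the theme alone scoring 1 while the macro and .iso lures add further indicators; in practice the score would be combined with sender authentication results rather than used on its own.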
