COVID-19 and cyber security
Heighten your defences as threat actors move quickly to cash in on growing geographic, operational impact
Control Risks’ cyber security experts started identifying and alerting our clients to emerging cyber threats related to COVID-19 in late January, when we uncovered a phishing campaign targeting individuals looking to leave Wuhan (China). Since then, we have continued to closely monitor the evolution of cybercriminal campaigns leveraging anxiety over the outbreak.
Throughout February we identified multiple campaigns following the geographic spread of the virus, with phishing campaigns targeting individuals and organisations in countries such as Japan, the US and Italy. The outbreak’s expanding operational impact across industries and supply chains was similarly followed by more focused targeting of organisations perceived as vulnerable to secondary impacts, including in the manufacturing, finance, maritime, transport and pharmaceutical sectors.
While most of the early phishing campaigns leveraging coronavirus targeted individuals to steal credentials or commit financial fraud, the nature and purpose of such campaigns have evolved in parallel with the growing economic and business impacts. We are now seeing more advanced cybercriminal groups use COVID-19-themed phishing campaigns as an access point for further attacks, such as stealing financial or other sensitive data, delivering spam campaigns, conducting distributed denial of service attacks, or delivering secondary payloads such as ransomware.
While the majority of COVID-19-related cyber threats are driven by cybercriminal actors, Control Risks has also observed several state actors leverage pandemic-related social engineering lures, including emails purporting to come from the World Health Organization and related organisations such as China’s and Iran’s health ministries and the US State Department. These campaigns have focused primarily on companies and individuals in Eastern Europe, the Middle East and South-East Asia as state actors look to leverage the outbreak to spread malware to high-priority targets to enable espionage and data theft.
We expect cybercriminal and state threat actors to continue leveraging the growing geographical, operational and economic impacts of COVID-19 to target organisations across a range of sectors. The extensive reporting on COVID-19 and associated business disruption provides cybercriminal actors with intelligence to further tailor phishing campaigns.
In this way, criminals are adapting their methods to the rapidly changing circumstances that many organisations find themselves in, including the need to adjust working practices to maintain business continuity. Cybercriminals will likely seek to take advantage of this situation, being aware that many organisations do not have as robust defences for their remote workers as they do in office environments.
The rapidly evolving cyber threats related to COVID-19 require organisations to broaden their responses to effectively manage the threat. Typical defences against phishing often rely exclusively on users being able to spot phishing emails. Instead, organisations should widen their defences to include a combination of technical and non-technical measures. This will improve resilience against phishing attacks associated with COVID-19 without disrupting productivity.
- Additional access controls: Enforce multi-factor authentication (MFA) for users accessing the corporate network remotely. Enabling MFA creates an additional challenge for threat actors, reducing the likelihood of their gaining unauthorised access to an account.
- Blacklist IPs: Maintain blacklists of known malicious IP addresses launching phishing attacks. Blacklists can be created using cyber threat intelligence, from known malicious IPs from previous security incidents and/or acquired from a third party.
- Email filtering: Install email filtering solutions to detect and block inbound spam and phishing. Strengthen existing email security gateways with a layered approach to filtering. This should review source, email headers and content (links/attachments). Macros should be blocked or their execution prevented when they come from external senders. Specifically configure rules to detect known indicators of compromise relating to the COVID-19 phishing campaigns.
- Prevent software installation: Prevent standard users from installing and executing unknown software to reduce the likelihood of malware infection from email as well as websites.
- Anti-spoofing controls: Enable Sender Policy Framework (SPF) on the email client to provide anti-spoofing and email verification. This should be enabled by default; however, IT administrators should check that the configuration is enforced. Enable DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) to minimise the risk of email spoofing.
- Phishing reporting: Implement a formal process for reporting suspicious emails to the IT team to contain and investigate them, and to improve anti-phishing and spam defences (e.g. by maintaining URL blacklists).
- Raise awareness: Train employees to identify and report phishing, including variations such as smishing, whaling, spearphishing and pharming. Such training significantly reduces the risk of users opening malicious attachments or URLs and executing instructions on behalf of the attacker, such as making payments to fraudulent bank accounts. In addition, phishing simulation campaigns can improve users’ awareness of the key characteristics of phishing emails and of the correct process for handling suspicious emails.
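The anti-spoofing item above says administrators should check that SPF is actually enforced and that DMARC is in place. The following script is an added example (not Control Risks' code) that grades a domain's SPF and DMARC records by their enforcement strength; the records and the domain `example.test` are constructed and assumed, so it runs offline and a real deployment would feed it TXT records fetched from DNS.

```python
"""Audit SPF and DMARC TXT records for enforcement strength.

Added example, not Control Risks' code. Records are passed in as strings,
so no DNS lookup is made; the sample records below are constructed.
"""
import re

# Constructed sample records for a hypothetical domain (assumption, not real data).
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailprovider.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}


def spf_policy(record):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?', '+' or None."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None  # no 'all' mechanism: receivers get a neutral result for unknown senders


def dmarc_policy(record):
    """Return the DMARC p= tag in lower case, or None if the record is not DMARC1."""
    pairs = (t.partition("=") for t in record.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def audit(domain, records):
    """Grade a domain's anti-spoofing posture; returns a list of findings (empty = enforced)."""
    findings = []
    spf = spf_policy(records.get(domain, ""))
    if spf is None:
        findings.append("SPF: no record or no 'all' mechanism; forged senders are not rejected")
    elif spf in ("+", "?"):
        findings.append(f"SPF: '{spf}all' permits any sender; change to '-all'")
    elif spf == "~":
        findings.append("SPF: '~all' is softfail only; tighten to '-all' once senders are listed")
    p = dmarc_policy(records.get("_dmarc." + domain, ""))
    if p is None:
        findings.append("DMARC: no record; spoofed mail is neither reported nor blocked")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    return findings


if __name__ == "__main__":
    for line in audit("example.test", SAMPLE_RECORDS):
        print(line)
```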