COVID-19 changed the rules of the game virtually overnight. The news has covered the broader impacts of the pandemic, particularly the hit to our healthcare, the drops in our economy, and the changes in education.
But when a massive portion of our workforce was sent home, and companies moved operations online, no one thought about how vulnerable to cyberattacks those companies had now become. The attack surface had changed, giving malicious actors new inroads that no one had previously watched out for.
The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.
COVID may have changed the rules, but the game is still on. Despite the security threat, this pandemic may have caused a massive opportunity for companies — if they’re willing to take it.
WFH isn’t new, but WFH suddenly, at scale, is
The attack surface changed — and so did the rules of the game.
A work-from-home world isn’t a new thing. Slow transitions to remote workplaces have become more of a norm, though pushes for all-remote workplaces come in cycles. In the past five to ten years, despite the rise of flexible work options and global teams, work still happened mainly in an office.
What is new is a massive amount of the workforce shifting to remote work nearly overnight. Suddenly, the internet became a company’s network—thousands of employees turned into thousands of individual offices. Secured networks were traded in for home Wi-Fi, and gaps and holes in an organization’s attack surface were introduced where they didn’t exist before.
That shift suddenly exposed vulnerabilities in the system, like older systems that were never updated, internet assets that were forgotten, and patches that never happened. These weak links are all the invitation a malicious adversary needs.
Rogue threats—web infrastructure created by criminals—changed, too. Phishing schemes suddenly took a new approach in the form of “COVID lures”: emails and ads that lead to questionable websites providing cure-alls for the virus, taking advantage of people’s increased fear and anxiety.
Attackers realized they had another advantage: employees responsible for diagnosing and fixing these kinds of security issues are now preoccupied with supporting family, supervising their kids’ remote education, or working long hours to cover other cuts. In other words, some of our players were benched.
Combine this easier access to enterprise systems with the increased willingness to hand over information and a drop in vigilance, and you can see how this all became a new kind of game. The good news is that although malicious actors seeking ways into these exposed systems are adapting, a company can adapt as well.
Going on the offensive
Companies can’t afford large-scale cyberattacks at any time, but especially right now. The pandemic has caused consumers who may have lost significant income to be picky with their purchases and investments. Companies need to be focused on retaining customer relationships so that they’ll weather the pandemic, and a take-down of the network could undercut customer trust in unrecoverable ways.
But many companies won’t take action. They may view their older systems as good enough to ride the wave to the other side of the pandemic, and once there, they’ll go back to what they had used before, unprepared for the next attack. They may get through, but nothing will have changed — things will not go back to how they were, and you will no longer be able to rely on systems that protected a pre-COVID world.
Now, there’s an opportunity to huddle up, form a new strategy, and go on the offensive. The pandemic can be an opportunity for businesses to take a look at their vulnerabilities, map their attack surface, and take appropriate actions to secure and strengthen their systems. We’ve seen this after other catastrophic events, such as after 9/11, when companies adopted new resiliency plans for any future recovery events. Companies have the same opportunity now.
Here are some things a company can do to ensure their systems are secure, even if they’ve been running a remote workforce for a while.
Invest in security teams
Companies who understand the value of keeping their systems secure and taking initiatives against potential leaks will want to invest in cybersecurity. Shore up the team and make new hires if needed. Overall, companies have been supportive of their security teams during this time, but if security isn’t a priority, make it one.
Map the attack surface
The quick move to remote work probably meant a fast rollout of new initiatives and quickly standing up new equipment, which means mistakes are the leading cause of a breach. Do an audit of your attack surface to uncover hidden failures and where older systems, forgotten assets, or unpatched issues are creating vulnerabilities.
Ask questions about what changed: What programs were canceled or altered? How are resources shifting around? Can new assets be secured before they roll out? Also, do some threat modeling with your team. Ask what a threat actor would do to attack your systems, or where they would gain a foothold. In other words, anticipate the opposing team’s next move.
Even the best companies miss something, but the more you can anticipate, the better. Then prepare a response plan for investigating attacks quickly, develop a triage system, create a playbook, and run drills so your players know their roles.
Update the old and roll out the new
Now that you’re learning the new rules of the game, can visualize the playing field and anticipate the opposing team’s next move, it’s time to act. Update older systems or trade them in for new ones. Patch security holes. Shrink the attack surface. Roll out new digital initiatives you might have been sitting on.
Finally, create that mobile app. Move to the cloud. Find new digital ways to engage with your customers, since it may be a while before in-store foot traffic returns. As you do this, you may come to realize that your systems were set up in such a way that you need to start over. In that case, do it. Now’s the time.
Support your team
Above all, make sure you have the right team in place, and take care of them. Get them the resources and information they need as they audit, patch, and put new protocols in place for the future.
Communicate with both them and your leadership team to keep everyone informed, and if you think you’re too busy, communicate even more like teammates would on the field. Hedge against burnout. Above all, give your team the time and space they need to find the holes and make the fixes.
Live to play another day
In many ways, this shift to digital has been in progress for a long time. However, because it was never a necessity, the transformation lagged or stalled from a lack of resources and was moved down the priorities list. But today we see stalled-out initiatives finally being implemented. The plans have been in place, and COVID is now forcing us to get it done.
Cybercrime costs organizations $24.7 every minute, a year-over-year increase of more than $2 per minute, a RiskIQ report reveals. It will also have a per-minute global cost of $11.4 million by 2021, a 100% increase over 2015.
The report covers the top threats facing today’s organizations, which are proliferating at a clip of 375 per minute, and reflects the current surge in attacks leveraging the COVID-19 pandemic.
Other malicious activity
- 1.5 attacks on computers with an Internet connection per minute
- 375 new threats per minute
- 16,172 records compromised per minute
- 1 vulnerability disclosed every 24 minutes
- 5.5 domain infringements detected per minute
- 1 Magecart attack every 16 minutes
- 1 COVID-19 blacklisted domain every 15 minutes
- 35 COVID-19 spam emails analyzed per minute
“The sheer scale of today’s threat activity is driven by a variety of factors, including that cybercrime is easier than ever to participate in and better threat technology makes cybercriminals more effective and wealthier than in the past,” said Lou Manousos, CEO, RiskIQ.
Commonly used tactics
Tactics covered in the report range from phishing to domain infringement to supply chain attacks that target e-commerce, like the Magecart hacks that have increased by 30% since the COVID-19 outbreak began. The motives of cybercriminals include monetary gain, large-scale reputational damage, political motivations, and espionage.
“These stats show threat activity is widespread, but also show the power of threat intelligence in defending the enterprise,” Manousos said.
“More knowledge, greater awareness, and an increased effort to implement necessary security controls make a huge difference in stopping these threat actors in their tracks.”
RiskIQ released a research report revealing a large-scale digital scam advertisement campaign spread through fraudulent news sites and affiliate ad networks that cater to highly partisan audiences.
Scammers are taking advantage of COVID-19 to spread fake news
The report details how misleading, false, and inflammatory news stories about the COVID-19 pandemic are developed on a massive scale by “content farms,” which monetize through ads served by ad networks targeting highly partisan readership. Some of these ads are purpose-built to lure readers into misleading ‘subscription traps’ for products billed as remedies or cures for the virus.
How does a subscription trap work?
A subscription trap works by offering a free or deeply discounted trial of a product while hiding clauses in the terms of service that sign victims up for costly payments remitted on a repeated basis, usually monthly. These subscriptions are often difficult, if not impossible, to escape.
The report clearly defines an ecosystem between partisan content farms that monetize through ad revenue, ad networks that take a cut of the profit, and advertisers that use the generated traffic to ensnare victims in subscription traps. These fraudulent subscriptions are for products such as dietary supplements or beauty products, and more recently, supposed remedies to COVID-19 in the form of CBD oil.
“Scam ads leading to subscription traps seem to be endemic to content farm sites, but there’s a particular network of companies and individuals using the COVID-19 pandemic for financial gain,” said Jordan Herman, threat researcher, RiskIQ.
“We wanted to do a deep dive into this ecosystem to expose how these shady practices are taking advantage of people on a massive scale and making the schemers a lot of money in the process.”
Leveraging fear, anxiety, and uncertainty around COVID-19
These content farms generate traffic by creating politically charged articles leveraging the fear, anxiety, and uncertainty around COVID-19 and gearing them toward a specific audience. These articles, often misleading or patently false, target readers the creators have assessed will likely read, share, and engage with them.
The content farm operators publish these articles on their websites, which use social media accounts and spam email campaigns to further their reach and generate more traffic they can monetize.
Twilio has confirmed that, for 8 or so hours on July 19, a malicious version of their TaskRouter JS SDK was being served from one of their AWS S3 buckets.
“Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” the company shared.
Who’s behind the attack?
Twilio is a cloud communications platform as a service (CPaaS) company, which provides web service APIs developers can use to add messaging, voice, and video in their web and mobile applications.
“The TaskRouter JS SDK is a library that allows customers to easily interact with Twilio TaskRouter, which provides an attribute-based routing engine that routes tasks to agents or processes,” Twilio explained.
The misconfigured AWS S3 bucket, which is used to serve public content from the domain twiliocdn.com, hosts copies of other SDKs, but only the TaskRouter SDK had been modified.
The misconfiguration allowed anybody on the Internet to read and write to the S3 bucket, and the opportunity was seized by the attacker(s).
“We do not believe this was an attack targeted at Twilio or any of our customers,” the company opined.
Jordan Herman, Threat Researcher at RiskIQ, which detailed previous threat campaigns that used the same malicious traffic redirector, told Help Net Security that because of how easy misconfigured Amazon S3 buckets are to find and the level of access they grant attackers, they are seeing attacks like this happening at an alarming rate.
Om Moolchandani, co-founder and CTO at code to cloud security company Accurics, noted that there are many similarities between waterhole attacks and the Twilio incident.
“Taking over a cloud hosted SDK allows attackers to ‘cloud waterhole’ into the victim environments by landing directly into the operation space of victims,” he said.
Due to this incident, Twilio checked the permissions on all of their AWS S3 buckets and found others that were misconfigured, but those stored no production or customer data and had not been tampered with.
“During our incident review, we identified a number of systemic improvements that we can make to prevent similar issues from occurring in the future. Specifically, our teams will be engaging in efforts to restrict direct access to S3 buckets and deliver content only via our known CDNs, improve our monitoring of S3 bucket policy changes to quickly detect unsafe access policies, and determine the best way for us to provide integrity checking so customers can validate that they are using known good versions of our SDKs,” the company shared.
They say it’s difficult to gauge the impact of the attack on individual users, since the “links used in these attacks are deprecated and rotated and since the script itself doesn’t execute on all platforms.”
The company urges those who have downloaded a copy of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00) to re-download it, check its integrity and replace it.
“If your application loads v1.20 of the TaskRouter JS SDK dynamically from our CDN, that software has already been updated and you do not need to do anything,” they pointed out.
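For the two fixes Twilio lists above, restricting public write on the bucket and giving customers a way to verify SDK integrity, here is an added example (not Twilio's code) that flags bucket policies granting anonymous write, scans CloudTrail records for such a policy change, and computes a Subresource Integrity hash a page can pin a CDN-served script to. The bucket name, policies and log records are constructed, and the CloudTrail field layout is assumed.

```python
"""Added example (not Twilio's code). public_write_statements() flags S3 bucket
policies that let anyone on the internet write objects, the misconfiguration
that allowed a CDN-hosted SDK to be replaced; risky_policy_changes() applies it
to CloudTrail records; sri_integrity() produces the hash a page can pin to."""
import base64
import hashlib
import json

WRITE_ACTIONS = {"s3:putobject", "s3:put*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    # Both  "Principal": "*"  and  "Principal": {"AWS": "*"}  mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_statements(policy):
    """Return the Sids (or positions) of statements granting write to anyone.

    A statement is flagged when it Allows, names an anonymous principal,
    covers a write action and carries no Condition. Conditions are treated
    conservatively: their presence suppresses the finding, so review those
    by hand (NotPrincipal/NotAction forms are out of scope here)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def risky_policy_changes(cloudtrail_records):
    """Scan CloudTrail records for PutBucketPolicy calls whose new policy
    grants public write: the change a bucket-policy monitor should alert on.
    Field names (eventName, requestParameters.bucketPolicy) are assumed."""
    alerts = []
    for rec in cloudtrail_records:
        if rec.get("eventName") != "PutBucketPolicy":
            continue
        params = rec.get("requestParameters", {})
        sids = public_write_statements(params.get("bucketPolicy", {}))
        if sids:
            alerts.append((params.get("bucketName"), rec.get("eventTime"), sids))
    return alerts


def sri_integrity(script_bytes, algorithm="sha384"):
    """Value for <script integrity="...">: the browser rejects a CDN-served
    file whose hash no longer matches the known-good build."""
    digest = hashlib.new(algorithm, script_bytes).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


# Constructed samples: a read-only CDN policy and one opened to public write.
SAFE_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                              "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-cdn/*"}]}
OPEN_POLICY = {"Statement": SAFE_POLICY["Statement"] + [
    {"Sid": "Oops", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-cdn/*"}]}
SAMPLE_TRAIL = [  # constructed, not real CloudTrail output
    {"eventTime": "2020-07-19T20:12:00Z", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "example-cdn", "bucketPolicy": OPEN_POLICY}},
    {"eventTime": "2020-07-19T20:13:00Z", "eventName": "GetBucketPolicy",
     "requestParameters": {"bucketName": "example-cdn"}},
]

if __name__ == "__main__":
    print(public_write_statements(OPEN_POLICY), risky_policy_changes(SAMPLE_TRAIL))
    print(sri_integrity(b"console.log('known-good sdk build');"))
```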
The Twittersphere went into overdrive on Wednesday as a bunch of prominent, verified Twitter accounts were hijacked and started promoting a COVID-19 cryptocurrency giveaway scam.
The attackers simultaneously compromised Twitter accounts of Bill Gates, Elon Musk, Barack Obama, Jeff Bezos, Joe Biden, Mike Bloomberg, Apple, Uber, as well as those of cryptocurrency exchanges Binance, Coinbase, KuCoin and Gemini, the CoinDesk news site and other top crypto accounts.
Twitter reacted by locking down the affected accounts, removing Tweets posted by the attackers, and limiting functionality for all verified accounts, but not quickly enough to prevent many gullible users from falling for the scam and sending money to the attackers.
“The accounts tweeted that they ‘partnered with’ a company called CryptoForHealth. The domain for this website was registered on July 15. The website itself claims that, to help with the hard times endured by COVID-19, they’re partnering with several exchanges to provide a ‘5000 Bitcoin (BTC) giveaway’ which is a ruse for advanced free fraud,” Satnam Narang, Staff Research Engineer at Tenable, explained.
This type of scam is common, but what makes this incident notable is that the scammers managed to hijack legitimate Twitter accounts to launch it, he notes. Because of this, users were more likely to place their trust in the CryptoForHealth website or the provided Bitcoin address.
Before Twitter locked the hijacked accounts and deleted the scammy tweets, the attackers apparently received nearly $118,000 in Bitcoin.
How have the Twitter accounts been hijacked?
As the compromised accounts began tweeting the scam in a coordinated manner, many speculated on how the attackers pulled off the massive compromise.
It soon became quite obvious that the attackers must have compromised them all from one central place.
Some users noticed that some of the hijacked accounts had been associated with one specific email address:
Yep! Crazy – looks like a full takeover/hijack pic.twitter.com/toug6PYnYr
— harrydenley.eth ◊ (@sniko_) July 15, 2020
Motherboard’s sources said that a Twitter insider (admin) was bribed or coerced to use an internal user management tool to reset the email address and password on the affected accounts. Others speculated that the attackers managed to compromise the corporate account of a Twitter employee.
Earlier today, Twitter confirmed that last speculation.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” the company explained.
“We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely. Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.”
The attack points to a greater problem
According to the BBC, the same email address that was used to register the CryptoForHealth domain was used to register an Instagram account with the same name. On it, the attackers posted a message that said: “It was a charity attack. Your money will find its way to the right place.”
Many have pointed out that, given how much US politicians depend on Twitter to keep the citizenry informed about their thoughts and actions, the attackers could have used the access to those accounts to do much more damage.
Others have posited that the Bitcoin scam was perhaps just a smokescreen:
Stage 1: Throw up simple bitcoin scam for some nice walkin-around money.
Stage 2: Exfiltrate DMs for later use in blackmail, etc. If you’re already sitting on data like OPM, etc., you have a nice amount of kompromat for leverage/profit.
— Jim Wagner (@jimwagmn) July 15, 2020
US Senator Josh Hawley demanded more information from Twitter about the hack, including an answer to the question of whether the attack threatened the security of US President Donald Trump’s account (which was not made to tweet out the scammy message).
“The Twitter hack highlights how bad actors are using highly trafficked social media channels to wreak havoc,” noted Richard Bird, Chief Customer Information Officer, Ping Identity.
“The news of this exploit is extremely concerning as it really focuses attention on the inherent weaknesses in Big Tech security, which has been a point of focus across the country as we head into a presidential election and as we navigate the challenges driven by the pandemic. Disinformation and exploitation of supposedly trusted social media channels only amplifies the anxieties and concerns that consumers and citizens are already dealing with in this country and others.”
“Given the accounts’ relatively high profile, including that of a former US President, it’s likely that federal law enforcement and intelligence assets from both the public and private sector will be brought to bear on this very problem,” noted Kevin O’Brien, Co-Founder and CEO, GreatHorn.
“It’s highly likely that this will result in attribution, although I suspect we’ll find that this occurred from a non-US location, increasing the difficulty of apprehending the responsible parties.”
RiskIQ released a report analyzing the company’s internet-wide telemetry and massive internet data collection to reveal the true extent of the modern corporate digital attack surface.
Digital attack surface challenges
“Today, organizations are responsible for defending not only their internal network but also their digital presence across the internet and the cloud,” said Lou Manousos, CEO, RiskIQ.
“Bringing the massive scope of an organization’s attack surface into focus helps frame the challenges of extending cybersecurity outside the corporate firewall, especially as staff forced to work from home in response to COVID-19 push that boundary farther out.”
When brands understand what they look like from the outside-in, they can begin developing an attack surface management program that allows them to discover everything associated with their organization on the internet—both legitimate and malicious—and investigate the threats targeting them.
- The global attack surface is much bigger than you think: 2,959,498 new domains (211,392 per day) and 772,786,941 new hosts (55,199,067 per day) were observed across the internet over two weeks, each representing a possible target for threat actors.
- Sometimes hackers know more about your attack surface than you do: Looking at the attack surfaces of FT-30 companies, each organization had, on average, 324 expired certificates and 46 Web frameworks with known vulnerabilities.
- The hidden attack surface: In Q1 2020, 21,496 phishing domains across 478 unique brands were identified.
- The mobile attack surface: In 2019, 170,796 blacklisted mobile apps were discovered across 120 mobile app stores and the open internet.
Cybercriminals are likely to leverage the global anxiety around the coronavirus outbreak to execute ransomware attacks against businesses, according to RiskIQ.
Based on extensive analysis of past ransomware attacks during global epidemics and of current phishing campaigns leveraging the coronavirus, RiskIQ expects threat actors will eventually begin using ransomware against victims they infect with the AZORult and Emotet varieties of malware.
Large corporations at risk
These attacks will focus primarily on large corporations, which rely on markets and supply chains originating in China and other coronavirus-affected regions.
Personnel at these organizations have heightened interest in news and developments related to the virus, potentially making them more susceptible to social engineering that tricks them into clicking on malicious links.
Clicking on malicious links is necessary to execute the attacker’s malware, which opens the door for ransomware infection. Ransomware takes over and blocks access to computer systems until victims pay a sum of money.
“In the past, cybercriminals have found success using disasters and global epidemics in ransomware and other malware attacks and developed a pattern we expect will continue with the coronavirus,” said Aaron Inness, Protective Intelligence Analyst at RiskIQ.
“They execute layered attack campaigns, first with phishing and social engineering to infect users with malware, then taking over the entire system with ransomware or other malware.”
Two possible methods of attack
There are two possible methods of attack, both the result of phishing campaigns. The first involves the AZORult malware, which researchers witnessed was the basis for a phishing campaign targeting members of the shipping industry in January of this year.
On at least three different occasions since 2018, however, attackers have used AZORult to deploy ransomware.
The second phishing campaign relies on the Emotet Trojan. Victims in Japan have received emails claiming to contain important information about the coronavirus, but clicking on the link activates Emotet.
In September 2019, criminals partnered Emotet with TrickBot and Ryuk ransomware to take over an organization’s network, a scenario that could play out similarly over the coming weeks and months.
Secondary targets could include health organizations involved in tracking the spread, finding a cure, or providing associated public service functions. Targets of opportunity could consist of any institution or individual seeking general information about the spread and impact of the virus.
“Company executives, mid-level managers, administrators of local governments, and, of course, healthcare professionals all have a vested interest in following the latest developments around the spread of coronavirus,” Inness said. “It only takes one tired or overworked individual to click on what they believe is a legitimate alert or update.”
While neither AZORult nor Emotet has been used to deploy ransomware in these campaigns yet, organizations should begin preparing for ransomware attacks.
The total number of phishing sites detected by the Anti-Phishing Working Group (APWG) worldwide in October through December 2019 was 162,155, following the all-time-high of 266,387 attacks recorded in July through September 2019.
Most menacing, however, were targeting trends exhibited by cybercrime gangs focusing on: users of web-hosted email and social media to multiply the numbers of potential victims; and Business Email Compromise (BEC) schemes of increasing sophistication to exploit key executives’ broader access to corporate resources – and greater payments authority.
Other interesting findings
By most other measures, 2019 was one of the most dangerous years on record for online users. During the course of 2019, the number of phishing incidents in Brazil increased 232 percent. APWG member company Axur recorded these attacks against Brazilian brands and services that are available in Portuguese in Brazil, noting an increase around the Black Friday shopping weekend.
Similarly, APWG member company Agari recorded criminals perpetrating Business Email Compromise (BEC) attacks and using gift cards to cash out during the holiday shopping season.
“The amount of money that an attacker can make by getting gift cards is significantly less than with a wire transfer. During Q4, the average amount of gift cards requested by a BEC actor was more than $1,600. But for wire transfer BEC attacks, the average amount requested in Q4 was over $55,000,” the report points out.
“One of the really notable things we saw during the Q4 was a change in the types of gift cards requested. Google Play was still the most-requested gift card, but decreased from 27 percent to 15 percent of requests,” said Crane Hassold, Agari’s Senior Director of Threat Research.
“We saw increases in requests for gift cards for eBay, Target, Best Buy, and Sephora. The increase could be due to the fact that all of these companies sell physical goods, and the attacks took place during the holiday season. It may indicate that scammers are looking to launder money by using the cards to buy physical goods that they can then sell, rather than putting the money into online cryptocurrency exchanges, which is also a popular laundering option.”
APWG contributor OpSec Security saw attacks against more than 325 different brands (companies) per month in Q4. Stefanie Wood Ellis, Anti-Fraud Product & Marketing Manager at OpSec Security, noted that the most frequent targets of phishing attacks continued to be Webmail, payment, and bank sites, but that “phishing against Social Media targets grew every quarter of the year, doubling over the course of 2019.”
SSL use for more effective phishing
The researchers at APWG member PhishLabs documented the rising use of SSL certificates on phishing websites. Almost three-quarters of all phishing sites now use SSL protection. This was the highest percentage since tracking began in early 2015, and is a clear indicator that users can’t rely on SSL alone to understand whether a site is safe or not.
APWG member RiskIQ analyzed 2,149 confirmed phishing URLs reported to APWG in Q4 2019, and found that the most popular top-level domains used by the phishers are the generic .com, .org, .net and .info TLDs.