There’s a lot you can learn from a magician.
After deftly losing your card in the deck so that it’s impenetrably gone, somehow—miraculously?—it emerges on top. Your mouth agape, the applause flows unsolicited.
Such is the art of misdirection.
In the world of magic, misdirection is the skill of manipulating attention away from one event or object to focus on something else, so that you miss the mechanisms by which the trick actually works.
COVID-19, the Perfect Opportunity for Misdirection
In the world of cyber security, misdirection is an indispensable asset, enabling attackers to get away with things that would otherwise be detected. Threat actors have long used the art of misdirection to pull off complex cyber attacks and it’s used by some of the most notorious APT groups, criminally-motivated attackers and hacktivists alike. Attackers might use misdirection to throw researchers off their trail or conceal what’s really happening.
And while you were distracted by current events, attackers took—and continue to take—advantage of the situation to pull off some very large-scale attacks unnoticed.
The COVID-19 pandemic has captured our attention in ways nothing before—and quite possibly nothing after—has or will. Every news report, every conversation, and certainly every social media post is fixated on the present reality and its impact on our daily lives. And this world-wide obsession with all things Corona-and-lockdown related has presented attackers with the optimal circumstances to launch attacks totally unnoticed. Moreover, with a significant portion of the population working from home, using less-than-ideal security practices, people are less equipped to protect themselves than when working in-office, using corporate grade-security solutions. Corona, it seems, is a magical playground of misdirection opportunity for bad actors.
COVID-19 Ransomware Goes Covert
For starters, let’s look at the threat of ransomware; Ransomware has always been a massive headache for any organization. But now, attackers are taking advantage of the uncertainty created by COVID-19 to lure in even more victims. According to researchers at VMware, ransomware has seen a 148% increase since the beginning of the pandemic, with upticks in incidents directly correlating to certain noteworthy days along the timeline of the pandemic.
In mid-April, a variant of the HiddenTear ransomware was found to be using COVID-themed Word documents to encrypt files on host computers. Other ransomware variants use infected documents masquerading as information regarding free financial services, vaccines and masks, or video conferencing platforms. NetWalker ransomware has been spotted using a file called CORONAVIRUS_COVID-19.vbs to distribute its malicious payload.
Of particular note to us here at Safe-T, in early April, as healthcare workers scrambled to save lives, hospitals around the US began to get hit with REvil (Sodinokibi) ransomware. REvil targets hospital networks looking for vulnerable VPNs and when it finds them, according to researchers at Microsoft, “After successful exploitation, attackers steal credentials, elevate their privileges and move laterally across compromised networks to ensure persistence before installing ransomware or other malware payloads.” So this is yet another reminder that your VPNs might not be offering quite as much protection as you think they are.
Phishing for Fear
Next let’s explore the rampant COVID-19-themed phishing scams; In April, Google announced that they were blocking, on average, 126 million COVID-19-themed phishing emails per week and another 240 million COVID-19-themed spam emails per day. Attackers are well aware that in the drive to keep yourself and your loved ones safe, good judgement might just go out the window. With emails that appear to be sent from the World Health Organization (WHO) or supposedly contain an urgent message from your bank regarding the situation, attackers pull at heartstrings and compel distracted targets to open attachments and click links.
In one particularly upsetting attack, nation-state backed attackers were found to be sending US-based health care workers phishing emails posing as fast food chains. The emails offered heroic doctors and nurses free meals and directed them to a website posing as a food delivery service, with the goal of capturing login information.
Phishing that goes unnoticed is bad. But what’s even worse is when its target is critical infrastructure. In April, researchers from Cisco Talos disclosed the discovery of a previously unknown remote access trojan or RAT, called PoetRAT, targeting the government and utilities in Azerbaijan. Once again, the attackers used phishing techniques to distribute COVID-19 themed emails to SCADA system operators with malicious Word documents attached.
These emails appeared to be sent by the Azerbaijanian and Indian governments and if opened, would execute a script that according to ZDNet.com “executes a range of other commands, such as directory listing, exfiltrating PC information, taking screenshots, copying, moving, and archiving content, uploading stolen files, and killing, clearing, or terminating processes. It is also possible for PoetRAT to seize control of webcams and steal passwords.”
Making Money with Corona-themed Malware
Malware such as banking trojans are also getting in on the act; Ursnif, a classic financial threat was spotted as early as January 2020, distributing COVID19 themed emails. Emotet, one of the most active and powerful banking trojans in circulation today, has also been found to be sending around emails supposedly coming from the WHO containing important Coronavirus information. Hancitor malware poses as COVID-themed insurance claims or proposals and Azorult malware, which uses a fake coronavirus infection map, steals payment and credential information.
There’s No Magic Cure, Just Pay More Attention
The list of threats cashing in on the current situation goes on and on and it’s important to note that the attacks mentioned here are just a portion of the COVID-themed attacks taking place. As much as we wish we could just wave a magic wand and go back to normal, this situation is still unfolding so attackers will keep improvising on their methods and launching new attacks. But one thing you can be sure of is they’ll continue to use our distracted state to their advantage. The more we keep our eyes open, the more secure we’ll be in the long run.