Over the past several weeks, the FortiGuard Labs team has been monitoring a significant spike in coronavirus and COVID-19 related threats. Significant social events are usually a catalyst for new threats to emerge – there are always evil people looking to exploit others during times of crisis – and the current situation is no different. Cybercriminals understand that times of rapid transition can cause serious disruptions for organisations. In the rush to ensure business continuity, things like security protocols can get overlooked, and criminals are looking to take advantage of any inadvertent security gaps.
While this sort of response to the current crisis is not unexpected, what is surprising is the volume of new threats we are seeing in such a short period of time. Trolling the Dark Web looking for new criminal trends, themes, and malware reveals an alarming number of advertisements pitching pandemic-related scams, such as offers to provide Chloroquine and other medicines and medical devices, all preying on fears about the current pandemic.
We have also seen an enormous spike in coronavirus-related scams – money scams, shared riding service scams, money transfer scams, credit card scams, and even scam kits designed for novice cybercriminals known as script kiddies.
Cybercriminals are exploiting the rapid change to our digital world
An unprecedented number of unprotected users and devices are now all online at the same time. In any home, right now, there are likely one or two people connecting remotely to work through the home internet connection. There may also be kids at home engaged in remote learning part of the time and connected to their friends the rest. And the entire family is engaged in multi-player games, talking with their friends in online chat rooms and over social media, as well as streaming music and video.
It’s a perfect storm of opportunity for cybercriminals.
As a result, the FortiGuard Labs team is seeing an average of about 600 new phishing campaigns per day. Their content is designed to either prey on the fears and concerns of individuals, take advantage of new circumstances, or pretend to provide essential information. These phishing attacks range from scams related to helping individuals deposit their stimulus checks, to providing access to hard to find medical supplies, to providing helpdesk support for new teleworkers.
This first tier of threats is designed to take advantage of people who are either concerned or sitting at home with nothing to do. In addition to online scams targeted at adults, some phishing attacks target kids’ computers and gaming systems with offers of online games and free movies, or even access to credit cards to buy online games or shop online stores. Multiple sites are illegally streaming Hollywood movies still in theatres, but also secretly distributing malware to anyone who logs on. Free game, free movie, and the attacker is on your network.
Phishing scams are just the start
While these attacks start with a phishing attack, their end goal is to steal personal information or even target businesses through their new teleworkers. This is why the majority of these phishing attacks contain malicious payloads – including ransomware, viruses, remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, and even RDP (remote desktop protocol) exploits.
Making matters worse, not every organisation was able to procure enough laptops for every employee who now needs to work remotely. As a result, many teleworkers are using their personal devices to connect into the corporate network. And those devices are not only being use for things like social media, shopping, and streaming entertainment, they are also generally far less protected by desktop security and endpoint protection solutions, which means they are far more vulnerable to the malware being pushed by these phishing attacks.
And these devices don’t even need to be attacked directly. Because they are all connected to the home network, attackers have multiple avenues of attack that can be exploited – including other computers, tablets, gaming and entertainment systems, and even online IoT devices such as digital cameras, smart appliances, and smart home tools such as doorbells, alarm systems climate control devices and smart lighting – with the ultimate goal of finding a way back into a corporate or school network and its valuable digital resources.
If the device of a remote worker can be compromised, it can become a conduit back into the organisation’s core network, enabling the spread of malware to other remote workers. The resulting business disruption can be just as effective as ransomware targeting internal network systems at taking a business offline. Since helpdesks are now remote, devices infected with ransomware or a virus can incapacitate workers for days while devices are mailed in for reimaging.
A sudden spike in viruses
To that point, we have seen a significant rise in viruses, many of which are included in these malicious phishing attachments. During the first quarter of 2020, for example, we have documented a 17% increase in viruses for January, a 52% increase for February, and an alarming 131% increase for March compared to the same months in 2019.
Interestingly, we have also seen a reduction in more traditional attack methods. During the first quarter, for example, we have seen a reduction of botnets per month of -66%, -65%, and -44% compared to the same time period in 2019. Likewise, IPS-based triggers have also dropped by -71% in January and -58% in March compared to 2019, with a slight uptick in February of 29%. This seems to indicate that cybercriminals are adjusting their attack strategies in order to take advantage of the current crisis.
Solutions and countermeasures
It is essential that organisations take measures to protect their remote workers and help them secure their devices and home networks. Consider adopting the same strategy for cyber viruses that we are adopting in the real world. Cyber social distancing is all about recognising risks and keeping our distance. Here are a few critical steps to consider:
Educate your remote workers – and their families – about things like phishing and malicious websites and how to stop them. Fortinet has made a number of user training resources free of charge to help bring teleworkers up to speed on essential security topics, including the first two levels of our NSE training program.
Next, put security countermeasures in place. Make sure that remote workers have a free FortiClient VPN solution in place. For more advanced security, consider adding FortiEDR to detect and defuse live threats. Instruct users to enable the security included with most home routers and wireless access points. They should also contact their cable or internet service provider to see what security services they provide and have them enabled.
Ensure that your corporate headend is also protected. In addition to FortiToken and FortiAuthenticator to enable multifactor authentication and single sign-on, you can leverage your existing FortiGate appliances for scalable VPN termination and traffic inspection. Also consider a FortiNAC solution to ensure that authenticated devices only have access to the network resources they require, and to automatically respond to devices that misbehave. FortiNAC can also ensure that only devices that have been patched and updated can access the network, helping to address the chronic problems of poor security hygiene.
And finally, perform a review of your other security tools. Given that so many attacks are phishing-based, it is critical that your secure email gateway is capable of detecting and filtering out phishing attacks and spam, and eliminating malicious attachments. FortiMail provides robust data protection capabilities to avoid data loss, and in independent tests performed by NSS Labs was found to provide 100 percent detection of phishing attacks with zero false positives.
Organisations are in a hurry to move to a remote worker model to maintain business continuity are likely to make mistakes that criminals will exploit. Knowing the risks is a critical first step. The next step, and often the hardest, is doing something about it. With operational and business continuity so critical, this is not a challenge that can be safely put off. Cybercriminals are all too willing and able to take advantage of this crisis for their personal gain.