After spending the better part of three months in lockdown, the U.S. is reopening. Workers returning to offices leave work-from-home security woes, well, at home.
Across the threat landscape, any crisis is fair play for bad actors. The global scale of the coronavirus outbreak is a unique opportunity for attackers because anyone can be a target and everyone is vulnerable.
"That's not something that happens very often … Everything from hacktivism all the way through criminal espionage are all exploiting the same subject," Jen Miller-Osborn, deputy director of Threat Intelligence for Palo Alto Networks' Unit 42, told CIO Dive.
In January, McAfee began detecting pieces of mobile malware disguised as apps for body temperature checks or other functions. The cyberthreats then began to broaden; "it's like we've kicked over a hornet's nest," Raj Samani, chief scientist at McAfee, told CIO Dive.
Explicit COVID-19-related cyberattacks surface daily in an unmatched volume of threats. Other cyberattacks exploit the circumstances related to the outbreak, namely people logging on from unsecured devices.
"The reality is, most of the attacks, most security software will stop," said Samani. However, a lot of attacks are "hiding in plain sight" in fragmented threats indirectly related to coronavirus.
Cyberattacks happen at home
Businesses with a remote workforce need more awareness of traditionally consumer-targeted threats. People are tempted to click on malicious links about the pandemic "because it's a current source of anxiety and people are desperate for information about it," said Miller-Osborn.
Employees might be fooled by attacks on their internet service providers, streaming services, or websites disguised as aids for small business loans. Those attacks are a direct threat to enterprise security.
Work-from-home "conditions shift the information security focus from enterprise infrastructure to cloud and virtualized infrastructure of these new, potentially insecure conditions," Howard Marshall, managing director and global cyber threat intelligence lead at Accenture, told CIO Dive.
What's unique now is that companies face traditional hacker trickery aimed at a larger remote staff.
McAfee found that exposing Microsoft Remote Desktop Protocol (RDP) ports to the internet "makes it particularly interesting for attackers." Access to an RDP box can grant an attacker reach into an entire network, leaving room for any type of cyber foul play.
Between January and March, internet-exposed RDP ports increased from 3 million to 4.5 million, with the most located in the U.S. The most vulnerable systems are running Windows Server.
Open RDP ports allow hackers to abuse systems in a number of ways, including stealing credentials. "RDP is a very, very common tactic for some of these ransomware developers to go after organizations," said Samani. The most common password for RDP credentials, as it turns out, is no password.
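As an added defensive illustration (not code from the article or from any of the vendors quoted in it), the following Python flags the RDP password guessing described above in Windows Security events: a source address that racks up repeated failed RemoteInteractive logons (Event ID 4625, logon type 10), and the more serious case where that same address then logs on successfully (4624). The event lines, field layout, threshold and window are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs. Each line: timestamp, EventID,
# LogonType, TargetUserName, IpAddress (a flattened view of the XML fields).
SAMPLE_EVENTS = """\
2020-04-02T03:14:01 4625 10 administrator 203.0.113.7
2020-04-02T03:14:02 4625 10 admin 203.0.113.7
2020-04-02T03:14:03 4625 10 backup 203.0.113.7
2020-04-02T03:14:04 4625 10 sqlsvc 203.0.113.7
2020-04-02T03:14:05 4625 10 jsmith 203.0.113.7
2020-04-02T03:14:09 4624 10 jsmith 203.0.113.7
2020-04-02T09:00:00 4625 10 jsmith 198.51.100.20
2020-04-02T09:00:30 4624 10 jsmith 198.51.100.20
"""

def parse_events(text):
    """Parse the flattened event lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "type": int(ltype), "user": user, "ip": ip})
    return events

def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10),
                        logon_types=(10,)):
    """Return alerts as (ip, kind, detail). 'guessing' fires once an IP has
    >= threshold failed logons inside the sliding window; a later successful
    logon from a flagged IP yields 'success_after_guessing' with the account.
    Note: when NLA is enabled, failed RDP attempts are commonly recorded as
    logon type 3 instead of 10, so widen logon_types to (10, 3) in that case."""
    failures = defaultdict(list)   # ip -> timestamps of failures in window
    flagged, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] not in logon_types:
            continue
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["id"] == 4625:
            recent.append(e["ts"])
            if len(recent) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append((e["ip"], "guessing", f"{len(recent)} failures"))
        elif e["id"] == 4624 and e["ip"] in flagged:
            alerts.append((e["ip"], "success_after_guessing", e["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second alert kind is the one worth paging on: a success following a burst of failures is the pattern of a weak or blank password giving way, which is exactly the entry point the ransomware operators described above rely on.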
Back to basics
Coronavirus cyberattacks have put organizations on high alert, but it still comes back to the basics. The number of attacks has increased, but "we haven't seen the technical level kind of scale" with it, said Miller-Osborn.
There's been a "huge uptick" in bad actors breaching organizations' Office 365 web access because they're left open and everyone is home, Ronald Plesco, principal of Cyber Response Services at KPMG, told CIO Dive. The intrusion could allow hackers to read executives' procurement emails, "figuring out how they do wire transfer in Bill Pay [and] payroll." Multifactor authentication could stop that.
Distribution of malicious software or viruses via web domains is spiking. Accenture found 16,000 coronavirus-related domains made since January. The threat of the domains is minimal, though they are "suspected to support" criminal activity, said Marshall.
Keywords associated with the coronavirus are mixed into phony sites and phishing campaigns. Campaigns with luring mechanisms are delivering malware, including keyloggers, banking Trojans and remote administration tools, said Marshall.
Since March, McAfee found an increase in malware families Fareit, Trickbot, Emotet, Azorult, and COVID-19 related ransomware. NanoCore RAT, NetWalker and Hancitor increased their presence primarily in April.
Other major vulnerabilities that weren't commonly exploited in the office are now targets for everyone at home. "From an enterprise standpoint, it's with the hardware and software that permits the VPN to get it using the home user," said Plesco.
By removing the office setting, VPN vulnerabilities are a minefield to navigate. The major players in VPN hardware or software — Citrix, Pulse Secure, Fortinet, Palo Alto Networks — "it's not like there's a problem with them, it's with the companies that haven't done the patches," according to Plesco.
Manufacturing, in particular, is "always behind from an enterprise security standpoint," said Plesco. For maximum personnel, societal or human impact, bad actors are targeting the supply chain of food or medical distributors or manufacturers.
It's not necessarily manufacturers' lag in security that makes them a target — it's their relationship with consumers. Threat actors know certain manufacturers will pay the ransom because they don't want a cyberattack publicly disclosed.
"There's nothing that I would say, 'we've not seen that before,'" said Samani. It's "just the sheer volume of just everything under the sun."