
APT groups exploiting COVID-19 through malware campaigns

Throughout 2020, a surge in malware and ransomware campaigns has been detected using coronavirus-themed lures to strike a wide range of sectors across the globe. Global COVID-19 developments have significantly altered the threat landscape for organisations worldwide, particularly given the confluence of trying circumstances such as remote working, short-staffing due to furlough and the pressing need to share accurate and timely updates on the pandemic.

The UK National Cyber Security Centre (NCSC) this year published a Joint Advisory report into the exploitation of COVID-19, detailing its detection of huge numbers of government-targeting malware campaigns during the pandemic:

"An increasing number of malicious cyber actors are exploiting the current COVID-19 pandemic for their own objectives. In the UK, the NCSC has detected more UK government branded scams relating to COVID-19 than any other subject. Although, from the data seen to date, the overall levels of cyber crime have not increased, both the NCSC and CISA are seeing a growing use of COVID-19 related themes by malicious cyber actors."

A hacker recently demonstrated their ability to compromise the Twitter accounts of multiple high-profile individuals, including technology figures like Elon Musk and Bill Gates, both prominent faces in the public consciousness regarding COVID and its future effects on society.

Figure 1 - Bill Gates Twitter Identity Fraud

The hacker in this case attempted to extort directly and clumsily via the Twitter handles; however, the damage that could conceivably have been inflicted had 'Bill Gates' tweeted 'COVID A Thing of the Past! New Vaccine!' while linking to a ransomware campaign would have been far more widespread.

Figure 2 – Cybercriminal Graham Ivan Clark (Source: WikiTrusted)

In this instance many of the hacks were traced back to a single teenager (https://wikitrusted.com/graham-ivan-clark/) in the USA, operating alone and without significant funding or technical support. This accounts for the relatively unambitious 'Send BitCoin Here' ruses that he chose to circulate; a sophisticated threat actor would be far less crude and careless.

Figure 3 - Apple Twitter Identity Fraud

Home Working Increases Threat from Malware Campaigns

The NCSC advisory continues: "At the same time, the surge in home working has increased the use of potentially vulnerable services, such as Virtual Private Networks (VPNs), amplifying the threat to individuals and organisations."

Data from multiple security researchers supports this assertion: this graph from research group FireEye, covering March and April this year, confirms the upswing in malicious emails bearing a COVID theme, even over such a short period.

Figure 4 - Malicious emails with COVID theme (Source: FireEye)

Rob Lefferts, a cybersecurity executive with Microsoft, has reported a direct correlation between the regions of the world most affected by COVID and the rising numbers of successful malware infections, suggesting that threat actors were taking advantage of the fear and anxiety around COVID to trick more users into yielding credentials and downloading malware.

A key example of this trend is seen in the number of email ruses uniting both COVID and ‘Company Policy’ updates, two powerful call-to-action concerns that are likely to overwhelm the natural skepticism of remote workers towards unexpected communications.

Figure 5 - Email ruse utilising COVID language (Source: FireEye)
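The lure pattern described above (a pandemic theme combined with a policy or urgency call to action, arriving from outside or from a lookalike of the organisation's own domains) can be scored at the mail gateway. The following is an added illustration written for this article, not code from Nettitude, FireEye or the NCSC; the log line format, the `example-corp.com` domains and the sample lines are all constructed assumptions.

```python
import re

# Constructed sample mail-gateway log lines (hypothetical, not real telemetry).
SAMPLE_LOG = """\
sender=hr@example-corp.com subject="COVID-19: updated company policy - action required" url=hr-portal.example-corp.com
sender=payroll@example-corp-hr.net subject="Coronavirus remote working policy update" url=example-corp-hr.net
sender=newsletter@vendor.example subject="Q2 product roadmap" url=vendor.example
sender=it@example-corp.com subject="Scheduled VPN maintenance this weekend" url=intranet.example-corp.com
sender=alerts@covid19-relief-fund.example subject="URGENT: Pandemic relief payment, sign in now" url=covid19-relief-fund.example
"""
PANDEMIC_TERMS = ("covid", "coronavirus", "pandemic", "vaccine", "lockdown")
ACTION_TERMS = ("policy", "action required", "urgent", "sign in", "payroll", "remote working")
INTERNAL_DOMAINS = {"example-corp.com"}  # assumed: the organisation's own sending domains
FLAG_THRESHOLD = 4
LINE_RE = re.compile(r'sender=(\S+) subject="([^"]*)" url=(\S+)')


def score_message(sender, subject, url_host):
    """Weight the lure features: pandemic theme plus a policy/urgency call to action,
    from an external or lookalike sender domain. Returns (score, reasons)."""
    subj = subject.lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    score, reasons = 0, []
    if any(t in subj for t in PANDEMIC_TERMS):
        score += 2
        reasons.append("pandemic theme")
    if any(t in subj for t in ACTION_TERMS):
        score += 1
        reasons.append("policy/urgency call to action")
    if sender_domain not in INTERNAL_DOMAINS:
        score += 1
        reasons.append("external sender")
        # Lookalike: an internal brand label reused inside a non-internal domain.
        if any(d.split(".")[0] in sender_domain for d in INTERNAL_DOMAINS):
            score += 2
            reasons.append("lookalike of internal domain")
    if not (url_host == sender_domain or url_host.endswith("." + sender_domain)):
        score += 1
        reasons.append("link host differs from sender domain")
    return score, reasons


def triage(log_text):
    """Parse gateway log lines; return [(sender, score, reasons)] at or above threshold."""
    flagged = []
    for sender, subject, url_host in LINE_RE.findall(log_text):
        score, reasons = score_message(sender, subject, url_host)
        if score >= FLAG_THRESHOLD:
            flagged.append((sender, score, reasons))
    return flagged
```

On the constructed sample, the genuine internal HR policy notice scores below the threshold while the lookalike-domain and relief-fund lures are flagged; the weights are starting points to tune against an organisation's own mail flow.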

The dependence upon remote working has expanded the attack surface across the globe and across multiple industry verticals, with staff routinely logging into remote access solutions from their home locations. APT-29, a Russian threat actor actively exploiting organisations during the COVID crisis using a variety of techniques, has been observed by security researchers directly attacking remote access infrastructure and collaboration platforms.

As a pertinent example, the NCSC has reported that APT-29 has been witnessed directly exploiting severe vulnerabilities in remote access products. The attacks span multiple major vendors: Citrix (CVE-2019-19781), Pulse Secure (CVE-2019-11510) and Fortigate (CVE-2019-13379) products, and Zimbra's Collaboration Suite (CVE-2019-9670) software, to name several examples. This targeting of remote access and collaboration products is a clear sign that threat actors are adapting their methods and their technical toolkits to exploit the current crisis.

Mitigations and updates exist to protect organisations against each of these exploits; however, technical defenders are facing an adaptable foe capable of deploying numerous technical vectors. The U.S. Department of Homeland Security’s (DHS) cybersecurity agency, CISA, highlighted VPN and remote access infrastructure as a prime target during the pandemic:

“As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.”

They report that keeping remote desktop and VPN solutions up to date with security patches presents unique challenges. Instead of a scheduled operation with 'downtime' on a regular cycle, these solutions are in many cases used 24/7 and have become vital to business operations around the clock. For multinational entities, this risk is further magnified because their staff are spread across multiple time zones.

In future blog entries in this series, we will discuss specific impacts against Government, Healthcare and Research sectors and the tactics APT groups are employing to exploit the pandemic in targeting specific industry verticals. In the meantime, find out more about how we help organisations rapidly recover from and defend against malware and ransomware attacks.
