Profiting from panic

As the world struggles to contain the novel coronavirus outbreak, another insidious threat is on the rise. Cybercriminals are using the crisis to up the ante and cash in on COVID-19 in varying ways.

Several leading media outlets have outlined how threat actors are adding to the “infodemic” by propagating and disseminating misinformation, selling counterfeit personal protective equipment, and running cleverly designed social engineering attacks. The latter play on people’s psychology and potential susceptibility in order to manipulate and trick users into revealing sensitive data.

We should have expected this. Natural disasters and major global events always trigger a rise in cybercrime as criminals exploit fear and confusion; it’s the perfect breeding ground for cybercriminals’ ever more sophisticated arsenal.

So which industries are most at-risk in the time of COVID-19? Perhaps unsurprisingly, it’s those that are most crucial to our response and recovery.

Financial institutions and services

During March of this year, the US stock market fell faster than it did during the Wall Street Crash, prompting justified fears of a global recession. Although it has since stabilised somewhat, we are not out of the woods, and it is increasingly clear that investor and consumer anxiety will continue to put a damper on economic recovery.

Harvard economist and author Kenneth S. Rogoff noted, “This is already shaping up as the deepest dive on record for the global economy for over 100 years.” He continued, “Everything depends on how long it lasts, but if this goes on for a long time, it’s certainly going to be the mother of all financial crises.”

To add insult to injury, as financial institutions and the wider industry scramble to cope with the new normal, highly targeted spearphishing, ransomware and malware campaigns profit from the panic. In a notable instance, security services provider Secureworks Inc. spotted the TrickBot campaign spreading alongside the coronavirus in Italy in early March.

Researcher Mike McLellan told The Register that 10 days after the Italian government began a national lockdown, “we saw banks being added to webinject configurations for TrickBot. That looks to us like TrickBot operators decided Italy might be a good country to go after, especially Italian banks… potentially more people are going to be at home; online banking is going to be more important in that scenario.”

Healthcare and medical services

Already under strain and coping with a mass influx of patients amid growing concerns over a lack of ventilators and PPE, healthcare as an industry is particularly susceptible to both homegrown cyber threats and foreign black-swan attacks.

Resources and staff are stretched to capacity and a disruptive cyber event will sharply amplify the crisis. Mid-March saw the US Department of Health and Human Services suffer a Distributed Denial of Service (DDoS) attack. Its servers were hit with stupendous numbers of connection requests over a period of several hours.

Officials claim the attack did not significantly affect the department’s ability to function. But the attack illustrates the potential for bad actors to capitalise on the crisis: if the service had gone down under the weight of the DDoS, we would have seen first-hand just how dangerous this kind of meddling is.

According to threat intelligence firm Digital Shadows, the highly capable TA505 group (previously known for targeting financial institutions and retailers) has turned its attention to medical manufacturers in a spearphishing campaign tweaked to include COVID-19 themed lures. Meanwhile, a spate of counterfeit facemasks and other PPE has hit the market.

In one bit of good news, other threat groups including DoppelPaymer and Maze have said they will stop attacking healthcare organisations during the pandemic; one has to wonder if this means their unwanted attention will be turned elsewhere instead.

Financial institutions and healthcare are not the only industries of concern at this time; critical infrastructure, government, media and more are also at high risk. But they are two telling examples of how vulnerable key response players are. It is imperative that we mitigate the risk of cyberattacks during the crisis.

Taking back control

It’s pleasing to note that general awareness around phishing emails and scams is growing in the wider internet-using community. Yet a valid threat remains, as emails and scams are contextually tweaked to contain virus-related content and trigger a response. Now, more than ever, individuals need to follow the same security advice as before: be vigilant about cold-call emails, exercise caution when using banking apps or websites, use VPN software to encrypt data, and follow basic password best practices.

At the institutional level, organisations need to address the implications of a decentralised workforce connecting to home networks by auditing their current security systems. Any holes or potential access points need to be patched or removed entirely. Educational programs focusing on security measures will go some way toward mitigating the chance of human error.

Challenging times for us all indeed, and times which highlight the need for our financial services industry, healthcare services, and other key response and recovery institutions to be kept in good shape. Resilience to cybercrime aids our collective ability to bounce back and face the crisis head-on.