The COVID-19 pandemic has had a dramatic effect on virtually every aspect of our lives. The way we live and work has been transformed beyond recognition. To put it simply - Life on earth has gone online. This change wasn’t gradual, it happened virtually overnight. Businesses around the world have had to adapt at the speed of light, making significant infrastructure changes. While companies rush to have their employees work from home, IT and security teams have been forced to adapt to the new normal and race to secure the evolving attack surface. In the meantime, threat actors have been taking advantage of this situation, evolving their skills and methodologies to exploit the vulnerabilities of this new hybrid world.
01 Proliferation of COVID-themed attacks
COVID-19 has prompted a great increase in the proliferation of malware attacks that leverage social engineering techniques and exploit our all-consuming preoccupation with the virus. Thousands of corona-related domain-names were registered, many of which have been used for scamming unsuspecting victims. Some domains were used to launch emails that claimed to sell (ultimately fake) COVID-19 vaccinations or medication, others for various phishing campaigns or for distributing malicious mobile applications. Some scammers have also been offering merchandise with ‘special coronavirus discounts’. What’s more, hackers are targeting countries that have been suffering very high rates of infection, as they are perceived to be most vulnerable to attack.
02 Zoom related phishing attacks
This particular cyberthreat is driven by the explosive growth in the use of the video conferencing app, Zoom. During lockdowns, the use of Zoom skyrocketed from 10 million daily meeting participants in December 2019, to over 300 million in April 2020. Cybercriminals have been leveraging the popularity of this app to launch phishing attacks.
According to Check Point Research, Zoom-related domain registrations, and fake Zoom installation programs in particular, have been behind major increase in cyberattacks. We worked with Zoom earlier this year to fix a potential vulnerability that could have allowed hackers to join a meeting uninvited. Recently, our team has also helped to mitigate the risk associated with a potential security issue in Zoom’s customisable ‘Vanity URLs’ feature’ — one that could have allowed hackers to send fake Zoom Business meeting invites that appear to be associated with a particular Zoom user, with the aim of inserting malware and stealing data or credentials from that user.
03 Double Extortion Ransomware
The risk of ransomware attack grows as employees are increasingly using their personal devices for work, and accessing the corporate network over insecure connections. As if that’s not bad enough, cybercriminals have also started using a new tactic in the ransomware playbook called double extortion.
This new tactic first appeared in early 2020. What this involves is that prior to encrypting the victim’s databases, attackers extract large quantities of sensitive commercial information and threaten to publish it unless a ransom is paid.
This puts targeted organisations in an impossible situation. If they don’t give in to the attackers’ demands, the attackers will publish stolen data, and the organisation will have to report the breach to the relevant national or international data privacy watchdog. This in turn could result in large fines for the organisation. Either way, the organisation is likely to have to pay to get out of the situation.
04 The Weakest Links: Mobile Devices
Mobile security is a top concern for most organisations, especially these days, and for good reason. While working remotely, employees are increasingly using their mobile devices to access corporate data. This means that your organisation is now exposed to data breaches more than ever.
Recently, Check Point Research discovered over 400 vulnerabilities in one of Qualcomm Technologies’ DSP — A chip that is embedded into over 40% of the mobile phone market. That includes high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more. Attackers can exploit these vulnerabilities to turn employees’ mobile devices into a perfect spying tool, render the mobile phone unresponsive, or insert hidden and unremovable malware.
In today’s new reality, any type of attack that can get to the PC or network, can and will probably also get to the mobile device. If in the past, only advanced attackers had access to sophisticated tools such as mobile ransomware. Today, it is not that uncommon, as these tools are offered on the Dark Web. Moreover, threat actors have been seeking new infection vectors in the mobile world, changing and improving their techniques to avoid detection in places such as official app stores.
05 Securing Company Infrastructure
Since the outbreak of the COVID-19 pandemic, majority of the workforce has been working from home instead of in the office, and connecting remotely to the corporate network. This transition means that IT solutions for remotely connecting to the corporate network are now used more than ever. An example of such service is the Open Source Apache Guacamole remote desktop gateway — a critical IT solution that enables employees with a safe remote connection to the corporate network. It is very popular and there have been over 10 million docker downloads worldwide.
With that said, any security vulnerability in these solutions will have great impact, as companies rely on them to keep their businesses functioning. Just last month, we found that Guacamole was susceptible to several critical Reverse RDP vulnerabilities. These vulnerabilities could have enabled any threat actors to launch an attack through the Guacamole gateway, once they successfully compromise a computer inside the company. This can be achieved once an unsuspecting employee connects to their infected machine. Once in control of the gateway, the attacker can eavesdrop on all incoming sessions, record all user credentials, and even start new sessions to control the rest of the computers within the organisation. When most of the organisation is working remotely, this foothold can be translated into full control over the entire network.
The security mandate of the new reality
While the global transition to remote work is a necessity now, and will continue to be so as we move into the post-pandemic era, we must not ignore the security mandate of this new reality. The trends of the coronavirus have dramatically changed the way we work, but we must keep up and adjust how we secure our work. Cybersecurity strategies must be revamped to meet our new reality, or we could risk falling back, and become the next cyber victim.
Contributed By Evan Dumas, Regional Director, Southeast Asia, Check Point Software Technologies