On 31 December 2019, the World Health Organisation (WHO) were alerted by Chinese officials to several flu-like cases in Wuhan, China. On 7 January 2020, the virus was identified as a coronavirus, and was named COVID-19. On 31 January 2020, the WHO declared a global emergency following the global spread of the disease. On 11 March 2020, the COVID-19 outbreak was declared a pandemic.
In an attempt to lower the number of infections and to slow the spread of the virus, countries have chosen to close borders. Travel bans began on 23 January in Wuhan. On 30 January, Russia shut its border. On 14 March, the US closed its borders to all countries in the Schengen free movement zone, which was extended on 16 March to include the UK and the Republic of Ireland.
Country lockdowns, closure of borders, and closure of offices have resulted in a massive change in business operations globally. Business precautions to avoid mass-spreading of the virus have resulted in a drastic increase in remote working.
On 02 March 2020, Cisco expanded their free WebEx offerings to all countries where the software is available. Previous free Cisco licensing enabled non-paying users to host meetings with 50 participants for up to 40 minutes. Recent offerings allow users to host meetings with up to 100 participants for an unlimited amount of time. Additionally, Cisco are offering free 90-day licenses for businesses. On 16 March 2020, the UK government encouraged all individuals with the ability to work from home to do so and avoid all “unnecessary travel”. This announcement resulted in a further increase in the number of organisations encouraging remote working, and potentially shutting down offices. Organisations are forced to think globally and encourage the physical wellbeing of not only their employees, but the world.
Organisations globally are following the recommendations and demands for remote working and self-isolation made by government and healthcare officials. However, threat actors are leveraging increased online communications as a means to spread a different kind of virus.
A large number of phishing campaigns leveraging COVID-19 lures have been observed since the virus was first discovered. Typically, threat actors of lower technical capabilities have been observed cashing in on similar high-profile global events through the use of mass phishing. However, in this case several nation state-sponsored actors have also been observed launching similar campaigns. The Russian advanced persistent threat (APT), FancyBear, led the way, using these lures to target Ukraine in mid-February 2020. By late February, North Korea began targeting South Korean officials with the BabyShark malware. China followed suit, targeting Mongolian officials with COVID-19 lures purporting to originate from the Vietnamese prime minister.
Historically, we have seen WebEx applications, similar to other software, being exploited for malicious reasons. Threat actors have created fake WebEx invitation lures as a means to spread malicious payloads. Although these campaigns have yet to be observed during this period, there is a high likelihood these will occur. It is highly likely that as global panic rises with increasing infection rates, death tolls, and extensive government interventions, these lures will continue, and become more sophisticated. Moreover, the need for business continuity calls not only for an increase in the use of software, but also for an increased level of trust in employees. Organisations are relying on their users to implement best practices with decreased control.
Software providers, like other organisations, are likely to implement work from home procedures. This could impact ways in which vulnerabilities are detected and mitigated. While the pandemic shows no signs of slowing down, and remote working increases, scanning for zero-day vulnerabilities is also likely to increase. If patches are released, there is likely to be a delay in the implementation of these patches by individuals, due to decentralised mitigation processes and less overall control of security procedures.
In summary, the rising COVID-19 pandemic has not just proven to be a global health risk; it has greatly affected and will continue to affect business continuity and the global economy. The use of emotive phishing lures, taking advantage of a trending topic, is not a new TTP amongst threat actors of high, moderate, or low technical capability. Global panic amongst individuals and lack of controlled supervision of employees will increase the likelihood of successful social engineering. Additionally, the prolonged period of this pandemic allows attackers to create more sophisticated lures and develop exploits.
While there is no way to fully ensure your organisation isn’t impacted by these cyber-attacks, there are steps you can take to mitigate the risk. It is encouraged that strict working from home procedures are implemented, outlining the correct use of company tools (hardware and software). For example, users should not download any tools without company approval, nor should they use any external hard drives not officially issued.
Training around social engineering and phishing should be provided to all users. Moreover, it is important that employees understand where to access all legitimate information regarding COVID-19 and only use these sources. If your organisation releases updates/notifications regarding the virus, colleagues should understand the distinguishing features of these legitimate updates.
The amount of video conferencing is also due to increase; hence, it is encouraged that best practices are pushed to users, ensuring that meeting participants are limited, controlled and checked. Users who do not abide by your organisation’s rules should be held accountable and provided with additional training.