The Covid-19 pandemic has presented the world with a seismic shift in the way we think about and run our businesses and society.
This change has not been lost on cyber threat actors, who seek to profit from the current uncertainties. Since the beginning of March there has been a massive increase in the number of domains registered using the terms “covid”, “corona” and “epidemic”, the vast majority of which have been focussed on selling vaccines, test kits, supplies or other resources, or on otherwise capitalising financially on people’s fears.
Whilst cyber threat actors taking advantage of current events such as the epidemic is nothing new, it is interesting to track how quickly the various groups have adapted to profit from the situation.
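The spike in pandemic-themed registrations is something a security team can watch for itself by screening a newly-registered-domains feed. The following is an added example (not from the original post, nor QinetiQ tooling) that flags domains containing the three terms mentioned above; the digit-for-letter substitutions, the allowlist mechanism and the sample domain list are assumptions for illustration, and the feed below is constructed rather than real registration data:

```python
import re
from typing import Iterable, List, Tuple

# Terms the post reports as spiking in new domain registrations.
PANDEMIC_TERMS = ("covid", "corona", "epidemic")

# Digit-for-letter substitutions seen in lookalike names (assumed list, not exhaustive).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Refang, lower-case, drop the rightmost label (TLD), strip separators, undo leet digits."""
    label = domain.lower().replace("[.]", ".").strip(".")  # feeds are often defanged
    label = label.rsplit(".", 1)[0]                        # "c0vid-19.site" -> "c0vid-19"
    label = re.sub(r"[-_.]", "", label)                    # "c0vid19"
    return label.translate(_LEET)                          # "covidi9"


def flag_pandemic_domains(domains: Iterable[str],
                          allowlist: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (domain, matched_term) pairs, skipping known-legitimate names."""
    allow = {d.lower().replace("[.]", ".") for d in allowlist}
    hits = []
    for domain in domains:
        if domain.lower().replace("[.]", ".") in allow:
            continue
        norm = normalise(domain)
        for term in PANDEMIC_TERMS:
            if term in norm:
                hits.append((domain, term))
                break  # one reason per domain is enough for triage
    return hits


# Constructed sample feed for illustration; these are not real registrations.
NEW_DOMAINS = [
    "coronavirusapp[.]site",        # defanged, as a threat feed would present it
    "c0vid-19-testkits.example",    # leet-speak and hyphens to dodge naive matching
    "payroll-portal.example",
    "epidemic-tracker.co.uk",       # two-part public suffix
    "corona-brewing.example",       # legitimate business name, allowlisted below
    "buy-masks-now.example",        # pandemic-related but none of the three terms
]
ALLOWLIST = ["corona-brewing.example"]

if __name__ == "__main__":
    for domain, term in flag_pandemic_domains(NEW_DOMAINS, ALLOWLIST):
        print(f"{domain:32s} matched '{term}'")
```

A hit is a lead for triage, not a verdict: “corona” in particular appears in legitimate brand and place names, which is why the allowlist exists, and a name like buy-masks-now shows that a keyword list will also miss themed domains that avoid the obvious words.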
- On 16 February 2020, the World Health Organisation released a statement that criminals had posed as WHO officials online and had attempted to defraud individuals and companies of money and sensitive information.
- On 12 March 2020, security researchers found a new Coronavirus themed ransomware in a campaign using a website impersonating the “WiseCleaner” Windows system utility.
- On 13 March 2020, a mobile phone ransomware variant was also detected, dubbed “CovidLock” and formerly hosted on “coronavirusapp[.]site”. This app claimed to provide metrics on virus infections, but once installed, would lock the device and would demand $100 in bitcoin within 48 hours or would wipe the device.
- According to sites such as https://bleepingcomputer.com/, there have also been reports of a malware campaign targeting home routers: the attackers hijack the router’s DNS settings so that Windows hosts behind it are redirected to malicious content in the form of a fake WHO alert.
The good news
In spite of these examples, it is also interesting to note that a number of ransomware operators declared a “ceasefire” on targeting healthcare organisations during the pandemic. Groups such as “DoppelPaymer” and “Maze” even released press statements on stopping such activity until the situation had stabilised, or offered free decrypters should healthcare providers be accidentally caught in their campaigns.
Don’t forget the 4 P’s
At QinetiQ, we often find that when a business has been the victim of a cyberattack, the attackers have abused one of the following:
- Ports – Have you checked that your administrative portals and login pages are not exposed more widely than they need to be? Could someone gain access to your systems simply by physically connecting to the network?
- Patching – Critical patches are released daily for devices. When did you last check that every client, server, appliance and network-connected device was patched?
- Passwords – It is no surprise that people often choose easily guessable passwords. Do you have a best-practice password policy in place, and do you know how many potentially weak passwords are currently in use across your organisation?
- People – Staff like to be helpful, and no one is immune to social engineering. Do your staff know what to do if they receive a phishing email?
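The password question above can be answered with a simple audit rather than a guess. Below is an added example (not from the original post, nor QinetiQ’s own tooling) of the kind of check an organisation can run over a list of passwords obtained from a sanctioned cracking exercise or a password-reset review. The policy thresholds, the organisation and topical term lists and the tiny common-password list are assumptions chosen for illustration (a real audit would use a large breach corpus as its deny list), and the sample passwords are constructed:

```python
import re
from typing import Dict, List

# Policy parameters: assumptions for illustration, not values from the post.
# The policy deliberately has no composition rules; it blocks known-bad choices instead.
MIN_LENGTH = 12
ORG_TERMS = ("qinetiq",)                                  # organisation name(s)
TOPICAL_TERMS = ("covid", "corona", "pandemic", "lockdown")
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")
# Tiny constructed stand-in for a real deny list such as a breach corpus.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "changeme", "summer2020"}
# "Summer2020!" style: a single word, a short run of digits, optional trailing symbol.
WORD_DIGITS = re.compile(r"[a-z]+\d{1,4}[!@#$%?]?")


def weaknesses(password: str) -> List[str]:
    """Return the policy rules a password breaks; an empty list means it passes."""
    p = password.lower()
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if p in COMMON_PASSWORDS:
        reasons.append("on common-password deny list")
    if any(t in p for t in ORG_TERMS):
        reasons.append("contains organisation name")
    if any(t in p for t in TOPICAL_TERMS):
        reasons.append("contains topical term")
    if any(run in p for run in KEYBOARD_RUNS):
        reasons.append("keyboard or number run")
    if WORD_DIGITS.fullmatch(p):
        reasons.append("word followed by digits")
    return reasons


def audit(passwords) -> Dict[str, List[str]]:
    """Map each weak password to the rules it breaks; passing passwords are omitted."""
    report = {}
    for pw in passwords:
        reasons = weaknesses(pw)
        if reasons:
            report[pw] = reasons
    return report


# Constructed sample, as might come out of a sanctioned cracking exercise.
SAMPLE_PASSWORDS = [
    "Password1",
    "Covid2020!",
    "QinetiQ-Spring20",
    "qwerty123456",
    "Winter2020!",
    "correct-horse-battery-staple",
]

if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS)
    print(f"{len(report)} of {len(SAMPLE_PASSWORDS)} passwords fail policy")
    for pw, reasons in report.items():
        print(f"  {pw:30s} {'; '.join(reasons)}")
```

The count that this prints is the answer to “how many weak passwords are in use”; the per-password reasons tell you which rule needs the most attention (a topical-term hit, for instance, is a sign that a deny list should be refreshed when events change). Keep the plaintext list on a tightly controlled host and delete it when the audit is done.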
When you have worked through the 4 P’s checklist, revisit your standard cybersecurity practices to support safe remote working and ensure that all your employees are familiar with them:
- Only interact with emails from known senders, check where an embedded link actually points by hovering the cursor over it before clicking, and use caution when opening attachments.
- Be wary of third-party sources trying to spread information about Covid-19; only use official healthcare sources or government sites.
- If you think you are the target of a phishing campaign, report it to the appropriate department for investigation, such as IT or Security, or even to the NCSC.
- Keep passwords secure, and investigate the use of an identity management and password storage solution.
- Ensure your remote workers’ devices are encrypted, and that you have a way to revoke their access to your internal systems should they be compromised.
- Ensure that privileged identities, such as administrator accounts, are monitored more closely during this period so that any abuse is detected.
- Check that your disaster recovery plans are workable and relevant for current working practices, should you need to invoke them.
- Ensure patching continues, not just on end user devices and core servers, but also on network services such as VPN end points, and external facing servers and services.
If you have concerns about any of the issues then you may wish to consider discussing them with QinetiQ’s Security Health Check (SHC) team. We offer a range of services, which include:
- End User Device Testing – a focussed service to help identify vulnerabilities in specific corporate assets, such as business laptops. This service seeks to identify vulnerabilities in the device’s hardware and its encryption, and what an unauthorised malicious individual could do should they gain access to it.
- Penetration Testing - SHC’s qualified and Government approved testers will discuss your concerns and work with you to conduct a security test of your IT systems, network or application infrastructure and provide tailored support and advice on how best to secure your environments.
- Red Teaming – SHC’s Red Team exercises deliver a fast paced and intensive cyber adversary simulation over a set period. By adopting the attributes of real world threat actors, we can help you test your organisation’s resilience in a realistic scenario. This service seeks to help you identify vulnerabilities, not just in the technologies you use, but also those brought about by user behaviour and business processes which are often overlooked.
QinetiQ’s SHC Team are one of the world’s longest established Penetration Testing teams. We understand the tradecraft that threat actors employ. We recognise that providing security to businesses and remote workers in this environment, at this scale, is unprecedented. We have a number of security testing capabilities and services which allow us to assess the threat presented to an organisation remotely.