2020 is surely not starting out as we expected, as the horrible virus is disrupting and even ending the lives of many. We have mixed emotions writing this up, because there are many people doing far more important work, like healthcare workers. Unfortunately, the bad guys have leveraged the crisis like clockwork.
Our thoughts go out to those who need it most: the sick and their families, those left behind, and everyone trying to keep things running on skeleton crews.
For the people running IT infrastructures, trying to keep remote access available and secure, this blog might contain some useful information. Thank you for doing your valuable work.
We looked at the three most common activities of bad actors. In some of the numbers, we see the same kind of exponential growth as in some of the medical numbers about the number of infected people.
Opportunists try to make a buck out of other people’s misery: selling masks, offering “infected blood” on the dark web, and advertising Corona-related gear. To get some supporting numbers, we counted domain registrations related to the pandemic. So far in 2020 there have been 21888 such domain registrations, and the number doubles every week. In the last week alone, 10104 new domains were registered.
Source: Cybersprint, 15 March 2020
Even though we weren’t able to definitively classify all of them as malicious, “most of them” certainly are, as we found out by sampling several dozen of them.
Many of these domains support fraud schemes. Some engage in credential theft, others flat out go for infecting visitors with malware. Examples are fake official healthcare websites, posing as the WHO or as national public health websites. Some of the “Corona worldmap” sites try to drop coin-miner malware on the victim’s computer.
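The counting described above can be reproduced on any feed of newly registered domains. The script below is an added example, not Cybersprint’s own tooling: it flags domains whose labels contain pandemic-related keywords or an exact token naming an impersonated health body, then reports per-ISO-week counts and the week-over-week growth factor so a defender can spot the doubling the post describes. The keyword list is an assumption made for illustration, and the registration feed is constructed sample data, not real registrations.

```python
"""Triage newly registered domains for pandemic-themed names.

Added example, not code from the original post. The keyword lists are
illustrative assumptions, and SAMPLE_FEED is constructed sample data.
"""
import re
from collections import Counter
from datetime import date

# Substrings that pandemic-themed lures commonly use (assumed, not exhaustive).
KEYWORDS = ("corona", "covid", "ncov", "pandemic", "quarantine", "vaccine", "mask")
# Health bodies that lures impersonate; matched as whole tokens only, so that
# an ordinary word such as "wholesale" does not trigger a "who" hit.
IMPERSONATED = ("who", "cdc", "nhs")

# Constructed sample feed of (registration date, domain). Not real registrations.
SAMPLE_FEED = [
    (date(2020, 3, 2), "example-bakery.com"),
    (date(2020, 3, 3), "corona-worldmap-live.info"),
    (date(2020, 3, 5), "who-covid19-update.org"),
    (date(2020, 3, 9), "cheap-n95-masks-now.shop"),
    (date(2020, 3, 10), "coronavirus-relief-fund.net"),
    (date(2020, 3, 11), "quarantine-survival-kit.com"),
    (date(2020, 3, 12), "wholesale-furniture.com"),
    (date(2020, 3, 13), "ncov-test-kits.org"),
]


def classify(domain):
    """Return the list of reasons a domain looks pandemic-themed (empty if none)."""
    # Drop the TLD and split the remaining labels into alphabetic tokens.
    labels = domain.lower().rstrip(".").split(".")[:-1]
    tokens = [t for label in labels for t in re.split(r"[^a-z]+", label) if t]
    hits = []
    for kw in KEYWORDS:
        if any(kw in t for t in tokens):      # substring match, e.g. "coronavirus"
            hits.append(kw)
    for org in IMPERSONATED:
        if org in tokens:                     # exact token match only
            hits.append("impersonates:" + org)
    return hits


def weekly_counts(feed, classifier=classify):
    """Count flagged registrations per (ISO year, ISO week)."""
    counts = Counter()
    for reg_date, domain in feed:
        if classifier(domain):
            year, week, _ = reg_date.isocalendar()
            counts[(year, week)] += 1
    return dict(sorted(counts.items()))


def growth_factors(counts):
    """Week-over-week growth factor for each week that has a preceding week."""
    weeks = sorted(counts)
    factors = {}
    for prev, cur in zip(weeks, weeks[1:]):
        factors[cur] = counts[cur] / counts[prev] if counts[prev] else None
    return factors


def report(feed):
    """Print flagged domains, weekly totals and growth; returns the weekly counts."""
    for reg_date, domain in feed:
        reasons = classify(domain)
        if reasons:
            print(f"{reg_date} {domain:32s} {', '.join(reasons)}")
    counts = weekly_counts(feed)
    growth = growth_factors(counts)
    for week, n in counts.items():
        factor = growth.get(week)
        suffix = f" (x{factor:.1f} vs previous week)" if factor else ""
        print(f"ISO week {week[0]}-W{week[1]:02d}: {n} flagged{suffix}")
    return counts


if __name__ == "__main__":
    report(SAMPLE_FEED)
```

With the constructed feed the report shows 2 flagged registrations in ISO week 10 and 4 in week 11, a factor of 2.0. A substring match deliberately errs toward catching variants such as “coronavirus”, while brand names are matched only as whole tokens, which is why “wholesale-furniture.com” is not flagged; sampling the flagged set by hand, as the post describes, remains necessary before calling any of them malicious.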
In parallel, spam campaigns aim to do the very same thing. Posing as public health officials, they try to draw people to malicious websites. For example, researchers found that some of these websites infect computers with the Emotet malware.
Nation state activity
Researchers discovered a nation-state-sponsored campaign using the Corona scare to deliver a previously unknown malware targeting the Mongolian public sector.
There are several other types of threats as well: an increasing flow of misinformation surrounding the Coronavirus crisis, and charity fraud.
What you can do
The best thing to do is remain vigilant. All the usual rules apply: count to 20 before clicking a link, use 2FA and a password manager, keep your devices updated, and run endpoint protection. Remote workers should heed their IT department’s advice and policies and avoid “shadow IT” (for example, using unvetted cloud platforms).
At the same time, any severe vulnerabilities like the recent SMBv3 ones, which can be used both to infect systems and to spread malware further (they are wormable), need to be addressed with even more diligence than usual. IT departments need to be extra alert in mitigating these.
On a final note, it’s important IT departments and the colleagues they support are patient with each other. These are unprecedented times and we’re in this together.