The Coronavirus & Cybersecurity: 3 Areas of Exploitation

Criminal, political, and strategic factors are combining to create a perfect storm of cyber infections that target the global supply chain.

Times of crisis often create opportunities for those looking for vulnerabilities in their opponents. Today's coronavirus crisis is creating economic and political dislocation, disruption of the commercial status quo, and a breakdown in the fabric of global commerce — not to mention uncertainty and fear.

A rapidly growing number of people are already coming to understand this. But what most still do not know is that hackers are also barging into this grim arena, capitalizing on heightened vulnerability with fresh cyberattacks and the creation of malicious websites.

The US Health and Human Services Department recently suffered a cyberattack related to its coronavirus response. The attack ultimately did not succeed, and no data was accessed, but officials believe the culprit or culprits were likely foreign state actors looking to undermine confidence in and effectiveness of US government institutions.

Other attacks are coming. Already we're seeing malicious infections circulating in the digital world under the name of the Wuhan coronavirus. Specifically, Kaspersky researchers have found 10 unique files (dubbed "coronavirus-spread") that carry, among other things, malicious payloads such as file-encrypting and cryptomining malware. Others exfiltrate sensitive data.

Additional factors are combining to create a perfect storm for cyber infections. These include lower staffing levels in enterprise security operations centers (SOCs) as corporations try to virtualize their staffing, which places workers remotely, outside enterprise firewalls, with only vulnerable single-factor authentication as protection, at a time of increased social media use and high interest in COVID-19 news.

3 Targets

Political exploitation: There will be attempted compromises on critical infrastructure, such as power plants and petrochemical facilities, as well as active disinformation campaigns to sow confusion and undermine confidence in political leadership. The DDoS attack on Health and Human Services is just the start. There are also reports of a foreign disinformation campaign warning of a pending "nationwide quarantine," quickly debunked by US government officials, designed to create fear in the US population and undermine confidence in government institutions.

According to research from Prevailion, a cyber intelligence firm focused on nation-state cyberattack schemes, its APEX platform and sensor network show that more than 30 state and local governments have already been unwitting victims of nation-state actors looking to spread dissension and disruption. Among the most affected areas are Texas, New York, Ohio, California, Florida, Washington, DC, Alabama, North Carolina, Louisiana, and Connecticut. The trend has been on a rapid upward trajectory since the COVID-19 outbreak.

Criminal exploitation: Cybercriminals are looking for and exploiting weaknesses. According to Check Point Software's Global Threat Index, coronavirus-themed domain registrations are 50% more likely to be from malicious actors. Whether it is well-honed phishing attacks with labels such as "Corona Virus," "Stock Market Volatility," "Near Zero Interest Rates," "Remote Working" news, or ransomware attacks targeting hospitals and critical healthcare providers, the criminals know where vulnerabilities exist and how to exploit them.

As Oren Falkowitz, founder and CEO of anti-phishing company Area 1 Security, wrote me recently in an email: "Since mid-February, we have seen a material increase in the number of phishing campaigns tied to the coronavirus. The reason nine in ten cybersecurity incidents begin with phishing is not technical sophistication or lack of awareness by individual users, but by the overwhelming desire of cyber actors to appear authentic. Whether they use trusted brands, or topical events such as the coronavirus as lures, they are always on the offensive."

Strategic exploitation: While many attacks will be designed to affect the crisis near term, the most sophisticated attackers will take advantage of preoccupied organizations that have their guard down. They will plant malware inside a targeted company's infrastructure for later exploitation.

As illustrated in the above graphic, Prevailion is seeing a confirmed influx of evidence of compromise in a large Italian vehicle manufacturer, with a pattern that matches the reduction of staff and eventual complete shutdown of the facility due to the COVID-19 pandemic. Karim Hijazi, CEO of Prevailion, explained in an email, "The dates of the influx of compromise correlate closely and illustrate the increasing challenge of weaker cybersecurity controls and defenses."

Furthermore, a recent Accenture study shows (page 10, figure 2) that 40% of security breaches are now indirect, as threat actors increasingly target the weak links in the supply chain or business ecosystem. Given what is happening and expected to happen, COVID-19-related security breaches are already alarming officials from the World Health Organization (WHO).

There is no question that the pandemic will continue to amplify cyber threats. Bad actors are experts at exploiting a crisis. But as experience has shown, every crisis and its attendant threats translate into a learning opportunity. These opportunities are lessons from which we can adapt new strategies and supporting technologies to evolve our digital economy and technology infrastructure so that we are better prepared the next time we face such challenges. In the case of the coronavirus threat, the vulnerabilities of the global supply chain and digital economy are now clear. We are being challenged to rethink the infrastructure by which we manage in this environment. We must be more resilient going forward.

Robert R. Ackerman Jr. is the founder and a Managing Director of Allegis Capital, an early-stage Silicon Valley venture capital firm that invests heavily in cyber security. Allegis cyber security portfolio companies include IronPort Systems (acquired by Cisco), Solera ...