Category Archives: COVID-19

Contact Tracing: De-mystifying How an App Designed to Track People Can Ensure User Privacy and Security

Many governments in many countries around the world recognise that contact tracing plays a very important part to reduce the spread of the deadly disease, COVID-19. In this article, we take a look at the conventional method of contact tracking and comparing it against how technology helps contact tracing and its pro’s and con’s. Traditional […]… Read More

The post Contact Tracing: De-mystifying How an App Designed to Track People Can Ensure User Privacy and Security appeared first on The State of Security.

Cybersecurity Must be an Integral Part of any Pandemic Response Plan from Now On

Sometimes the best way to inform ourselves about how cybersecurity is dealing with a new threat, technology, or situation is to just ask. COVID-19, and the resulting lockdowns, quarantines and economic changes certainly counts as a ‘situation’ for cybersecurity. While it would be nice if cybersecurity could temporarily take a backseat while people and organizations […]… Read More

The post Cybersecurity Must be an Integral Part of any Pandemic Response Plan from Now On appeared first on The State of Security.

Facebook to verify identities on accounts that churn out viral posts

Hopefully it's a COVID-19 version of what it did post-2016 elections, when it required verification of those buying political or issue ads.

A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

Security experts from D3Lab have uncovered a new COVID-19-themed phishing campaign that is targeting the users of the Italian National Institute for Social Security (INPS). Like a previous campaign observed in early April, threat actors set up a fake INPS site used (“inps-it[.]top”) to trick victims into downloading a malicious app.

“A new Phishing campaign against INPS users , similar to the previous one of April 6, 2020 , has been detected in the past few hours by our research and analysis center for Phishing campaigns.” reads the post published D3Lab.

“The fraudulent activity is carried out through a web domain created Ad Hoc with similarities, in the name, to the official one of the national social security institution with the intent to download malware to users interested in receiving the Covid-19 allowance allocated from the Italian state.”

COVID-19 campaign INPS
COVID-19 campaign INPS

D3Lab reported its findings to the Italian CERT-AGID that published a security advisory.

Cybercriminals are attempting to take advantage of the Covid-19 indemnity that the Italian government will give to some Italian citizens with specific requirements.

The citizens have to request the Covid-19 indemnity to the goverment through the INPS portal, for this reason, threat actors set up a fake INPS site asking people to download a phantom “application for the new COVID-19 indemnity” which actually returns a malicious APK for Android devices..

The malicious APT, named “acrobatreader.apk,” is a Trojan-Banker malware that is able to monitor the actions performed by the user.

The malware asks users to enable the accessibility service in order to take advantage of the legitimate functions of this service and achieve wider access to the system APIs to communicate with other apps on the device.

“As soon as the presence of connectivity is detected, an HTTP POST request is sent to C2 through the following url ” http: // greedyduck [.] Top / gate [.] Php ” passing two parameters:

  • ” Action “: with botcheck or injcheck values ;
  • ” Data “: information collected and passed in encrypted form (RC4).”

The CERT-AGID published the Indicators of Compromise (IoCs) here.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post A new COVID-19-themed campaign targets Italian users appeared first on Security Affairs.

Himera and AbSent-Loader Leverage Covid19 Themes

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

Introduction

During our Cyber Defense monitoring activities we intercepted waves of incoming emails directed to many companies under our protective umbrella. These messages were leveraging FMLA (Family and Medical Leave Act) requests related to the ongoing COVID19 pandemics. These emails were weaponized with two versatile cyber-criminal tools: Himera and Absent-Loader.  

Figure1: Email vector example

Loaders are a type of malicious code specialized in loading additional malware code into the victim’s machine. Sometimes, a loader can assume “stealer” behavior, to opportunistically gatherer sensitive information even if they are not supposed to do that. Absent-Loader does that and despite its name behaves this way. In fact, stolen information market is definitely remunerative for cyber criminals: information gathered from infected systems are constantly sell in the underground, typically acquired by other, more structured criminal organization or also by business competitors.

Technical Analysis  

The sample used in this campaign first uses word document which refers to an executable, then it drops another executable and does a renaming operations to evade controls. The following picture reports the infection chain used in this campaign:

Figure 2: Infection Chain

The malicious email wave contained a .doc attachment. Following, the static information of this file:

NameCovid-19-PESANTATION.doc
Hash97FA1F66BD2B2F8A34AAFE5A374996F8
ThreatHimera Loader dropper
Size95,4 KB (97.745 byte)
FiletypeMicrosoft Word document 
Ssdeep1536:7fVmPSiRO8cOV8xCcoHrZvIdTZ2DSXMqcI3iL5PEs8VlbeH0btGDYLlNq2l+SEg:7fVz8zyUHlvId7H3iL5MVlbeHGkQvqTU

Table 1: Static information about the Malicious document

The interesting feature of this document is the fact that it does not leverage any type of macro or exploit, but it contains the entire executable within it as an embedded object. So, the user is led to double-click on the malicious icon, representing the executable. 

Thus, once clicked, it allows this malicious document to execute a malicious file named HimeraLoader.exe.

NameHimeraLoader.exe
Hash4620C79333CE19E62EFD2ADC5173B99A
ThreatSecond stage dropper
Size143 KB (146.944 byte)
FiletypeExecutable
File InfoMicrosoft Visual C++ 8
Ssdeep3072:jqW9iAayyenylzx0/2gJUSUZsnOA/TtYLeEoWj5PxJhQQeSH1pNGmHohurCMSiBf:jqW9iAayyenylzx0/2gJUSUZsnJ/TKLd

Table 2: Static information about the HimeraLoader executable

Inspecting the HimeraLoader.exe trace we noticed a really characteristic mutex created during the initial loading of the malicious code: the “HimeraLoader v1.6” mutex, or Mutant.

Figure 3: Himera Loader Mutex

Also, the sample performs some classic anti-analysis tricks using Windows API such as “IsDebbugerPresent”, “IsProcessorFeaturePresent” and “GetStartupInfoW”. The execution will take different paths in the program’s flow if the debugger is present. The function GetStartupInfoW retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created. This function takes as parameter a pointer to a STARTUPINFO structure that receives the startup information and does not return a value.

Figure 4: Relevant strings of the Loader

When the Himera Loader goes through its execution and passes all anti-analysis tricks, it gathers another binary from http:]//195.]2.]92.]151/ad/da/drop/smss.]exe . The remote server is operated by Hosting Technologies LLC, a company running the Russian hosting service brand “VDSina.ru”. 

The AbSent-Loader 

The file downloaded from the dropurl has the following static information:

Namesmss[1].exe
Hash4D2207059FE853399C8F2140E63C58E3
ThreatDropper/Injector
Size0,99 MB (1.047.040 byte)
FiletypeExecutable
File InfoMicrosoft Visual C++ 8
Ssdeep24576:+9d+UObalbls+rcaN+cFsyQIDHx2JrjDwc9bmfRiHwl:+9d+UObaVzrcaN+cKypDHx2Jr/wYbmJd

Table 3: Static information about the AbsentLoader Payload

When “smms.exe” is executed, it copies itself in a new file winsvchost.exe in the %TEMP% path and creates a scheduled task to maintain persistence after reboot.

Figure 5: Evidence of the Scheduled Task

Moreover, the malware adopts some interesting anti-debug techniques, like the GetTickcount one. The technique is quite similar to that one described in one of our previous report. there is immediately the subtraction of the two values and it is placed in EAX register. After the “call eax” instruction, an immediate subtraction of the first GetTickCount  API call results and this second one is executed. 

Figure 6: GetTickCount anti-debug Technique

Then, the malware establishes TCP connection every 15 minutes. These connections are directed to the same remote host operated by Hosting Technologies LLC  (195.2.92.151) but this time it sends HTTP POST requests to the “/ad/da/gate.php” resource.

Figure 7: Evidence of some relevant strings inside the payload

This payload is a new version of AbSent-Loader, a piece of malware that, despite its name, behaves also like a bot, lacking most modern advanced features but sophisticated enough to maintain persistence on the victim host and to escalate the attack with follow up malware implants. 

Conclusion

The attack we intercepted and described here is a clear example of the new threats that are approaching cyberspace during these months: new criminal threat actors with the sole objective to economically exploit the emotional reactions of the people willing to keep the economic fabric alive and running to support the Covid19 response.

In this particular period, cyberspace is getting more and more risky for companies and people, the cyber criminality raised during the lock-downs and these malicious actors are using all the possible mediums to make more money at the expense of companies and organizations. For this reason, we strongly advise companies to adapt and enhance their cyber security perimeter to resist the new volumes and types of cyber attacks we are experiencing these days.

Indicators of Compromise (IoCs) and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – COVID19, hacking)

The post Himera and AbSent-Loader Leverage Covid19 Themes appeared first on Security Affairs.

Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn it targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

A new ransomware dubbed FuckUnicorn has been targeting computers in Italy by tricking victims into downloading a fake contact tracing app, named Immuni, that promises to provide real-time updates for the COVID-19 outbreak.

The COVID-19-themed campaign use messages that pretend to be sent by the Italian Pharmacist Federation (FOFI).

The Italian Computer Emergency Response Team (CERT) from the AgID Agency released an advisory about this threat.

Attackers attempt to take advantage of the interest on the contact tracing app Immuni that was chosen by the Italian government to trace the evolution of the pandemic in the country.

The new ransomware was first spotted by the malware researcher JamesWT_MHT that shared samples with the malware community.

Email messages used as lure are written in Italian and informs citizens of the release of a beta release of the Immuni app for PC.

The campaign targeted pharmacies, universities, doctors, and other entities involved in the fight against COVID-19 outbreak.

To trick victims into downloading the malicious app, threat actors set up a malicious domain that clones the content of the legitimate site of the Federazione Ordini Farmacisti Italiani (FOFI.it).

The attackers registered the “fofl.it,“ domain to trick victims.

The content of the email includes download links and contact information that combines email addresses from the attacker and FOFI.

Upon executing the malware it displays a fake Coronavirus Map from the Center for Systems Science and Engineering at Johns Hopkins University.

In the background the FuckUnicorn starts encrypting data on the system, it encrypts the files in certain paths (/Desktop, /Links, /Contacts, /Documents, /Downloads, /Pictures, /Music, /OneDrive, /Saved Games, /Favorites, /Searches, and /Videos) with these extensions:

.Txt, .jar, .exe, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv,. py, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .dll, .c, .cs, .mp3, .mp4, .f3d, .dwg, .cpp, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .iso, .7-zip, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .uue, .xz, .z, .001, .mpeg, .mp3, .mpg, .core, .crproj, .pdb, .ico, .pas , .db, .torrent "

The malicious code adds the “.fuckunicornhtrhrtjrjy” extensions to names of encrypted files.

The FuckUnicorn drops a ransom note written in Italian that asks victims to pay EUR 300, worth of Bitcoin, in three days or the data would be lost.

The email address in the ransom note is invalid making it impossible to send the attacker the payment proof.

At the time, there are no transactions recorded for the wallet included in the ransom note.

The good news for the victims is that CERT-AgID discovered that the password for encrypting the files is sent in clear text to the attacker, this means that it can be retrieved from the network traffic.

Pierluigi Paganini

(SecurityAffairs – FuckUnicorn, hacking)

The post Fuckunicorn ransomware targets Italy in COVID-19 lures appeared first on Security Affairs.

[F]Unicorn Ransomware Masquerading as COVID-19 Contact Tracing App

A new ransomware family called “[F]Unicorn” masqueraded as a COVID-19 contact tracing app in order to target Italian users. On May 25, the the Computer Emergency Response Team (CERT) from the Agency for Digital Italy (AgID) revealed in an advisory that it had received a sample of [F]Unicorn from security researcher JamesWT_MHT. The sample analyzed […]… Read More

The post [F]Unicorn Ransomware Masquerading as COVID-19 Contact Tracing App appeared first on The State of Security.

Durham College to participate in siberXchange Live summit

Durham College, a partner and sponsor of SiberX, is participating in the siberXchange Live Summit this week to showcase new opportunities in autonomous vehicle and cybersecurity research. 

Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

Hangzhou, one of the major tech hubs in China, is planning to permanently use the tracking system developed to fight the COVID-19 outbreak.

The city’s health commission declared that the permanent version of the contact tracing system would be a “‘firewall’ to enhance people’s health and immunity” after the COVID-19 pandemic.

The contact tracing app was developed by Tencent and Alibaba and is mandatory, it implements a “triage” system based on the travel history of the citizen.

The app is currently mandatory and assigns users green, yellow, or red status. Residents who visited COVID-19 hot spots or that were in contact with infected individuals, would be given a red code and be asked to quarantine for 14 days. Residents in good health status and had no contact with infected individuals cases are given a green code and could move without any restriction around the city.

COVID-19 contact tracing system

The app is already used by one billion people and the codes it generates have been scanned more than nine billion times.

“According to Qiu Yuepeng, vice president of Tencent and President of Tencent Cloud, since the official version of the health code was launched on February 9, Tencent’s health code has covered more than 20 provinces and more than 400 cities and counties in the country, covering more than 1 billion people.” reads the post published by Tencent. “The total number of visits exceeded 26 billion, and the cumulative number of code visits exceeded 9 billion.”

The Hangzhou’s Health Commission aims to permanently use the system that would assign users a health score ranging from 0 to 100 based on different factors, such as their medical records, physical examinations, and habits (e.g. steps they walk, or hours they sleep or make sport daily).

Clearly privacy advocates fear that the contact tracing system could improve the dragnet surveillance implemented by the Chinese government to monitor its citizens.

Facial recognition technology is widely adopted in China where the government already uses the social credit system to monitor citizen’s online behaviour and assigns a “citizen score.”

Pierluigi Paganini

(SecurityAffairs – COVID-19, contact tracing system)

The post Hangzhou could permanently adopt COVID-19 contact-tracing app appeared first on Security Affairs.

Coronavirus-themed attacks May 17 – May 23, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 17 to May 23, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide, experts are observing new campaigns on a daily bases.

Below a list of attacks detected this week.

May 19 – Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

May 22 – Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

May 23 – Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 17 – May 23, 2020 appeared first on Security Affairs.

Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

Researchers from Vipre Labs observed a spike in the use of GuLoader in COVID-19-themed campaign since March 2020.

GuLoader

The discovery confirms that crooks continue to use COVID-19 lures in malspam campaigns. In the campaign monitored by Vipre Labs, attackers used spam email samples containing GuLoader.

The GuLoader is a popular RAT that appeared in the threat landscape in 2019 and that was involved in other COVID-19 campaigns, it is written in VB5/6 and compressed in a .rar/.iso file. 

GuLoader is usually employed in spam campaigns using bill payments, wire transfers or COVID lures.

In the last campaign observed by experts, the downloader utilizes cloud hosting services to keep the payload encrypted.

“This malware downloader utilizes cloud hosting services like Microsoft OneDrive or Google Drive to keep its payload encrypted. Also, GuLoader is used to download Remote Access Trojan (RAT) or files that allow attackers to control, monitor, or steal information on the infected machine.” reads the analysis.

The malware implements anti-analysis techniques, such as an anti-debugger. In order to achieve persistence, GuLoader creates a folder in which to place a copy of itself and modifies a registry key.

Now the loader implements process hollowing and use the child processes to download, decrypt, and map the payload into memory.

Common payloads downloaded by the loader are Formbook, NetWire, Remcos, Lokibot, and others.

The analysis published by Vipre Labs includes technical details about the threats, including Indicators of Compromise (IoCs).

In early March, experts at MalwareHunterTeam uncovered a COVID-19-themed campaign that was distributing the GuLoader malware to deliver the FormBook information-stealing Trojan.

The campaign was using emails that pretend to be sent by members of the World Health Organization (WHO).

Pierluigi Paganini

(SecurityAffairs – COVID-19, malspam)

The post Experts observed a spike in COVID-19 related malspam emails containing GuLoader appeared first on Security Affairs.

Canada still lacks cybersecurity ‘street smarts’ says CIRA director

While the federal government combats hostile foreign intelligence services seeking the country’s biggest secrets, hackers and fraudsters are keen on cashing in on the fear the novel coronavirus has created, targeting both individuals and businesses across Canada. The air duct folks are offering “special” air filters to protect from COVID-19, and “financial advisors” are offering…

Strategies for successfully reopening after COVID-19

The thoughtful CIO will give priority to planning for fully reopening the organizations after the COVID-19 pandemic has subsided. The new normal in the new world will not be the old normal. The changes will go well beyond customer and staff expectations for personal safety in places of business. Successful organizations in the post COVID-19…

COVID-19 accelerates telehealth adoption

The meteoric growth in telehealth adoption during the COVID-19 pandemic is a case study in how a crisis can trigger overcoming barriers to the adoption of technology and process improvements. The issues and solutions are applicable to most information technology implementation projects. Telehealth is the use of information and communications technology to deliver health care…

Adam Levin Discusses Covid-19 Scams on CNBC

Adam Levin was featured on CNBC where he discussed how the Covid-19 pandemic has created an ideal environment for scammers.

“We are working with our children and home schooling. We’re sharing devices with our children. We’re trying to juggle work and family. But to a hacker, we are their day job,” said Levin.

The post Adam Levin Discusses Covid-19 Scams on CNBC appeared first on Adam Levin.

Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

Spear-phishing is a rapidly emerging threat. It’s more specific than generic phishing attempts and often targets a single person or company. Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers. 

Cybercriminals Capitalizing on the Chaos

The coronavirus is forcing companies in most industries to operate substantially differently. Many may find it takes time to adjust to the changes. Others do not immediately have the resources for a major shift, such as having all employees work remotely. 

A related concern is that COVID-19 is both a new and anxiety-inducing issue. People want to learn as much as they can about it, and their haste may result in them clicking on links without thinking. Cybercriminals view these conditions as ideal for orchestrating their attacks. Data from Barracuda cybersecurity researchers identified a 667% increase in spear-phishing attacks between the end of February and the following month. 

Real-Life Examples of Spear-Phishing Attacks in the Energy Production Sector

The threat of spear-phishing for energy companies is, unfortunately, not a theoretical one. Coverage published in late April by Bitdefender illuminated a carefully executed attack. The research team found evidence of a campaign occurring March 31, whereby hackers impersonated a well-known engineering company with experience in on- and off-shore energy projects. 

The messages — which did not include many of the telltale signs of phishing like spelling and grammatical errors — asked recipients to submit equipment and materials bids for the Rosetta Sharing Facilities Project. Participants would do so on behalf of Burullus, a gas joint venture partially owned by another Egyptian state oil brand. 

The emails also contained two attachments, which were supposedly bid-related forms. Downloading them infected a user’s system with a type of trojan spyware not previously seen in other utilities industry cyberattacks. The effort targeted oil companies all over the world, from Malaysia to South Africa, in a single day. 

Bitdefender’s research team also uncovered a more geographically specific spear-phishing attempt to target the gas sector on April 12. It centered on a relatively small number of shipping companies based in the Philippines. The emails asked them to send details associated with an oil tanker vessel and contained industry-specific language. This spear-phishing campaign occurred over two days. 

The cybersecurity experts that studied these attacks stressed that, since the messages contained accurate details about real-life companies and events associated with the oil industry, the attackers took the time to research to craft maximally convincing content. 

Hackers Love Causing Severe Disruptions

Why are cyberattacks in the energy industry suddenly on the rise? One reason may stem from the way hackers often deploy tactics to cause tremendous harm to necessary services. The oil industry operates on a vast scale. For example, a company specializing in oil and gas exploration planned as much as 300,000 feet of total footage for drilling in one region during 2018. 

The ability to get such impressive outcomes undoubtedly helps oil companies. The increased scale also may make it more necessary to safeguard against cyberattacks, especially as criminals look for ways to cause the most damage. Another recent incident, announced in a United States government alert on February 18, shut down a natural gas compression facility. Operations stopped for two days, causing losses in productivity and revenue. 

Although the publication did not name the energy company, it mentioned that the hackers depended on spear-phishing to get the credentials necessary for entering the businesses’ information technology (IT) network. It then used that access to wreak havoc on the enterprise’s operational technology infrastructure. 

Not a New Concern

Utilities industry cyberattacks have long worried cybersecurity analysts. If concentrated efforts from hackers shut down the electric grid, the effects could be long-lasting and hit virtually every industry and consumer in the affected areas. The risks to the energy sector began before the coronavirus pandemic, too. 

In November 2019, cybersecurity publications discussed a ransomware attack on Petróleos Mexicanos, Mexico’s largest oil and gas company. The perpetrators asked for 562 bitcoins to restore the data. The affected enterprise did not comply, and it had important data backed up. 

Toll Group, an Australian transportation and logistics company with oil and gas companies as clients, suffered a ransomware attack this spring. It was the second such issue in four months, with the first happening in February. 

The Energy Industry Must Remain Vigilant

The challenges posed by COVID-19 and its effect on oil prices may make the respective parties feel the impacts of cyberattacks in the energy industry more acutely. An ideal aim is to prevent those events rather than dealing with the damage afterward. Paying attention to cybersecurity vulnerabilities can help companies make meaningful gains and stay protected.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Hackers Target Oil Producers During COVID-19 Slump appeared first on Security Affairs.

Podcast Episode 7: The Perimeter Really Is Gone – CIS Controls and COVID-19 with Tony Sager

Tony Sager, Senior Vice President and Chief Evangelist at CIS (Center for Internet Security) joins us to discuss the best approaches to the changing security landscape in the wake of COVID-19. Tony is a lifelong defender, with more than 44 years of experience. He spent most of his career at the NSA and now leads […]… Read More

The post Podcast Episode 7: The Perimeter Really Is Gone – CIS Controls and COVID-19 with Tony Sager appeared first on The State of Security.

International Fraud Ring Stealing Unemployment Funds

Several state governments have been targeted by a sophisticated fraud campaign that has likely siphoned millions of dollars in unemployment payments earmarked for the record number of Americans seeking benefits as a result of the pandemic, a new Secret Service memo warns.

According to an internal memo, a group of Nigeria-based criminals have been filing phony unemployment claims in multiple states using a personally identifying information (PII), specifically stolen or compromised Social Security numbers. The information being used was most likely procured through various forms of identity theft and/or known data breaches and compromises.

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” stated the memo

The fraud campaign comes in the wake of a massive increase in unemployment as a result of the Covid-19 pandemic. State unemployment offices are vulnerable to this kind of fraud as they scramble to get funds to Americans in need as quickly as possible.

The Secret Service has identified Washington as the primary target of the fraud campaign, but has seen “evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, and Florida,” according to the memo. 

The post International Fraud Ring Stealing Unemployment Funds appeared first on Adam Levin.

Coronavirus-themed attacks May 10 – May 16, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 10 to May 16, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide, experts are observing new campaigns on a daily bases.

Below a list of attacks detected this week.

May 12 – Zeus Sphinx continues to be used in COVID-19-themed attacks

The Zeus Sphinx banking Trojan continues to evolve while receiving new updates it is employed in ongoing coronavirus-themed scams. 

May 13 – Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

May 14 – China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

May 16 – Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

May 16 – QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in COVID-19-themed phishing campaign, crooks promise victims COVID-19 tax relief.

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 10 – May 16, 2020 appeared first on Security Affairs.

Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

While the number of Coronavirus-themed attacks continues to increase increased Microsoft announced it is open-sourcing its COVID-19 threat intelligence to help organizations to repeal these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. “

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.

COVID malspam

Microsoft is going to publicly release some of its threat indicators, the company pointed out that its users are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made available the indicators both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

This is just the beginning of the threat intelligence sharing of Coronavirus-related IOCs that will be offered through the peak of the outbreak.

Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns. 

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post Microsoft is open-sourcing COVID-19 threat intelligence appeared first on Security Affairs.

QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in Coronavirus-themed phishing campaign, crooks promise victims COVID-19 tax relief.

Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign. The operators behind the campaign use COVID-19 lure promising victims tax relief.

The phishing messages use Trojan sample associated with a file named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar,” experts from MalwareHunterTeam noticed that the malicious code was only detected by ESET AV.

The QNodeService Trojan is written in Node.js and is delivered through a Java downloader embedded in the .jar file, Trend Micro warns. 

“Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.” reads the analysis published by Trend Micro.

“The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.”

QNodeService is able to perform a broad range of activities, such as download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management. The malware can also steal system information including IP address and location, download additional malware payloads, and exfiltrate stolen data. The actual malware only targets Windows systems, but experts believe that developers are working to make it a cross-platform threat.

The Java downloader is obfuscated via Allatori in the bait document, the malware downloads the Node.js malware file (either “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”) and a file called “wizard.js.” 

Either a 32-bit or 64-bit version of Node.js is dropped depending on the Windows system architecture of the target machine. 

The wizard.js file is an obfuscated Javascript (Node.js) file used to acheve persistence by creating a “Run” registry key entry and for downloading another malicious payload.

One of the most interesting feature implemented by the QNodeService malware is the support for an “http-forward” command, which allows attackers to download files without directly connecting to a victim’s PC. 

“Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16.” continues Trend Micro. “However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.”

Trend Micro researchers included Indicators of Compromise (IoCs) in their report.

Unfortunately, Coronavirus-themed attacks continue to target individuals, businesses, and organizations worldwide.

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payment.

Operators were spreading it in a spam campaign aimed at stealing victims’ financial information, the spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post QNodeService Trojan spreads via fake COVID-19 tax relief appeared first on Security Affairs.

Digital transformation accelerated in a post-COVID world

I’m working across more than 100 global non-profit programs pro bono and thus have deep insights of the world currently and post-COVID.  What is happening is the rapid acceleration of the 4th Industrial Revolution into Society 5.0—taking 3 years rather than 10. For example, digital integration in healthcare expected by 2030 is happening now. In…

Fake Canada website among many using COVID-19 relief offers to phish for credentials

With governments around the world making billions of dollars available for COVID-19 financial relief, criminals are making every effort to take advantage. That includes building phony official coronavirus relief templates for websites to trick victims into giving up sensitive personal information.

Among the sites discovered by security vendor Proofpoint are the bilingual Government of Canada site pages that attempt to get credentials from victims in either English and French. The news is part of a blog released Friday that also details phishing financial relief pages for the U.S. Internal Revenue Service, the U.K. Revenue and Customs and the official registration site for France.

 

Screenshot by Proofpoint of fake Canada COVID-19 relief page

The goal of the Canadian site is to capture social insurance numbers, which are valuable for creating fake IDs.

“This spoof is noteworthy because while it copies the behaviour of the Canadian government website effectively, it does not match the look and feel of the current Canadian government website,” Proofpoint notes. “The malicious template correctly copies the name of Canada’s revenue ministry in English and French, Canada Revenue Agency and Agence du revenu du Canada respectively. However, the layout, colours, and branding of the malicious template do not match that of the legitimate Canadian government website.”

Fake websites would be created for people doing internet searches for financial relief programs. They would also be the landing pages for links in a mass email and text campaigns previously outlined in our Cyber Security Today podcasts.

Proofpoint screenshot of fake UK COVID-19 relief page

Proofpoint says it’s found more than 300 different COVID-19 campaigns since January across nearly every industry it tracks. The creators include well-known, established threat actor groups and unknown individuals.

Creation of Covid-19 phishing landing pages increased sharply in early March, peaking around the beginning of April and then sharply dropping off, says the blog. That plunge probably is caused by a combination of saturation for COVID-19 payment theme phishing templates and a move towards other COVID-19 themes as many one-time payments were disbursed, Proofpoint believes.

“It’s clear threat actors follow trends closely,” the blog adds. “We’ve seen throughout the COVID-19 situation how threat actors have followed the news and adapted their themes to match the unfolding public narrative. The movement by governments in particular to offer financial support has caught the attention of threat actors who have moved not only to target those funds directly but to use them as themes for their malware and credential phishing attacks.”

 

Surveys show conflicting support by Canadians for COVID-19 tracing app

Canadian governments are planning to approve COVID-19 mobile contact tracing apps to help health authorities track the spread of the infectious disease. However, two recent surveys offer conflicting numbers on whether residents here want the apps to be voluntary or mandatory.

The issue is crucial: Health experts say wide adoption of an app — perhaps as much as 50 per cent of the population — is needed for it to be useful.

In the most recent survey, released this morning by KPMG Canada, 55 per cent of respondents said digital contact tracing should be voluntary, citing privacy concerns and potential abuse of civil liberties. Two-thirds of respondents said they wouldn’t download such an app, calling it still “too invasive.”

Yet 57 per cent of respondents don’t believe such an app would be effective unless it is mandatory.

On the other hand, a survey commissioned by three Canadian Senators released last week found 65 per cent of respondents support the mandatory use of contact tracing apps.

However, in an interview one of those senators acknowledged the question on mandatory/voluntary adoption may not have been neutral. And Canadian privacy expert Ann Cavoukian said the Senate survey question “has no validity.” (See below for more detail)

Most privacy experts around the world say COVID contact tracing apps must be voluntary to get widespread adoption. That’s the position of federal and provincial privacy commissioners as part of a statement of principles they urge governments here follow on tracing apps. Alberta, the first Canadian jurisdiction to release an app, has made its adoption voluntary. But some privacy experts worry that if adoption is low a government will be tempted to make it mandatory.

Despite Alberta jumping the gun, federal and provincial officials are looking at about a dozen proposed apps for approval.

Related:

Skepticism from a Canadian panel

A number of contact tracing apps are being developed around the world, some — like Alberta’s — based on one of the earliest developed by Singapore. Broadly speaking, tracing apps use Bluetooth to capture encrypted ID signals from closeby mobile devices that also have an app, usually with a time limiter. (For example, Alberta’s app won’t obtain an ID number unless a person is nearby another for a total of 15 minutes over 24 hours). Depending on the app, each mobile device holds a list of contacts for a set number of days.

Depending on the app, one of two things happens if a person tests positive for COVID-19: Either the list of encrypted digital IDs is uploaded by the user so a health authority can notify and trace those who have been in contact with the victim, or the app transmits an alert directly to the apps of those on the list for those users to see. Either way, recipients of warnings would be expected to take appropriate steps, such as notify their doctors, monitor their health or take a COVID-19 test.

KPMG Canada surveyed 2,000 Canadians online between May 7 and 12. 

Among the highlights:

  • 62 per cent of respondents are in favour of letting the government use location tracking to send phone alerts to people who have come into contact with a person infected by COVID-19;
  • 82 per cent would be more comfortable with an app run by the health system that shows aggregate community “hot spots” for COVID-19 so they can make their own decisions about their health;
  • 65 per cent say any contact-tracing program needs to be administered by an independent body from the provincial or federal government.

“It’s clear that Canadians understand that contact-tracing apps are effective if participation is high, but the design of such apps must limit threats to privacy as most people aren’t comfortable letting the government have free rein to track their phones,” Sylvia Kingsmill, partner and national digital privacy leader for KPMG, said in a statement. “To make this work, governments will need to be completely transparent on how data will be collected, stored, erased, and managed – it’s about trust.

“There should be clarity about the circumstances under which that data will be shared, now and in the future. To this end, policies should be implemented and enforced to prevent misuse and/or abuse of the data to provide assurances to the public that principles of accountability and data minimization are being respected.”

The Senate’s online survey of 1,530 respondents was commissioned by Senators Colin Deacon, Donna Dasko and Rosemary Moodie and conducted between May 2 and May 4.

Among the findings:

  • In the absence of a vaccine or treatment for COVID-19, 90 per cent of respondents believe that it will be necessary to continue contact tracing in general (that may or may not include an app).
  • 80 per cent of respondents support the use of mobile device data by public health officials to notify those who have
    been close to someone who has tested positive for COVID-19.
  • 87 per cent of respondents believe contact tracing apps should trigger testing of themselves and others.
  • If assured that their data was kept confidential, large numbers of Canadians would share information from contact tracing apps with their physician (96 per cent), their family (95 per cent), public health officials (91 per cent) and health researchers (87 per cent). Fewer would share with employers and co-workers (75 per cent), other government officials (73 per cent), law enforcement (68 per cent), and social media platforms (35 per cent).
  • 65 per cent of respondents support the mandatory use of contact tracing apps.

[UPDATE, May 14, 3:30 pm EST]: In an interview this afternoon, Senator Colin Deacon acknowledged the question on mandatory/voluntary use of an app may not have been fair. The question was: “In some countries the installation of this app is mandatory. How supportive would you be for this to be the case in Canada.” Twenty-three per cent were very supportive and 42 per cent were somewhat supportive.

Asked if he thought that was a loaded question, Deacon said “potentially it is … I don’t know that it does. It asks, ‘What are your thoughts.'”

When it was suggested a neutral question would be ‘Should adoption be mandatory or voluntary,’ Deacon said, “That’s a fair point.”

Some experts object to the use of a mobile contact tracing app on privacy grounds, saying any system that collects personal data puts a user at risk. However, Deacon said the use of a contact tracing app has to be looked at as an aid to COVID-19 infection control. He said any approved app must protect privacy first. But, he added, many critics use smartphones and social media and manage access to their data. “As long as the [contact] data doesn’t leave your phone” except to notify people they should get tested “I don’t see how that is any more invasive” than people who test positive for the virus have to tell health authorities who they have recently been in close contact, with, he said.

“Alongside this strong support for the use of contact tracing apps, we do find concerns about personal privacy and the security of personal data,” said a report that analyzed the Senate survey findings. “Accordingly, any roll-out of an app(s) will require robust privacy protection to be in place in a manner that earns the support of potential users of the app.”

A contact tracing app could help health authorities who do manual contact tracing he said. It’s “unsustainable” to have large numbers of Canadians at home and not working because of the virus.

Former Ontario privacy commissioner Ann Cavoukian denounced the Senate survey mandatory adoption question. “It’s crazy,” she said in an interview. “It’s so skewed. To me this [question and result] has no validity … It creates the myth that the app is going to be mandatory,”

To her, the response to the KPMG Canada survey question is more credible.

Asked how an app should be introduced in Canada, Cavoukian urged governments to follow the Apple/Google framework, which doesn’t send the mobile IDs gathered by an app to health authorities for decryption and follow-up with individuals. Instead, when a user tests positive for COVID-19 they instruct the app to send a warning direct to those with a similar app whose mobile ID has been connected. That’s why Apple and Google have recently changed the description of their framework from a contact tracing app to “exposure notification,” she said.

(This story has been updated from the original by adding comments by Senator Colin Deacon and Ann Cavoukian)

China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal research related to treatments and vaccines for COVID-19.

“The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the threat to COVID-19-related research. The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors.” reads the joint alert. “These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”

“The F.B.I. and the Department of Homeland Security are preparing to issue a warning that China’s most skilled hackers and spies are working to steal American research in the crash effort to develop vaccines and treatments for the coronavirus. The efforts are part of a surge in cybertheft and attacks by nations seeking advantage in the pandemic.” reported The New York Times.

“These actors have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” reads a statement from the FBI and the CISA.

“China’s efforts to target these sectors pose a significant threat to our nations response to COVID-19”.

The US agencies recommend targeted organizations to adopt cybersecurity best practices to prevent state-sponsored hackers from stealing COVID-19-related material.

“What else is new with China? What else is new? Tell me. I’m not happy with China.” President Trump commented. “We’re watching it very closely,”.

“China’s long history of bad behavior in cyberspace is well documented, so it shouldn’t surprise anyone they are going after the critical organizations involved in the nation’s response to the Covid-19 pandemic,” said Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency. He added that the agency would “defend our interests aggressively.”

The Chinese Government rejected the allegation Beijing on Monday.

“We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence,” Foreign Affairs ministry spokesman Zhao Lijian said.

The Chinese government is not the only one interested in COVID-19 research, nation-state hackers from Russia, Iran, and North Korea are launching spear-phishing and misinformation campaigns in the attempt to target organizations and scientists involved in the vaccine research.

Last week the US and the UK issued a joint alert to warn of the rise in cyber attacks carried out by foreign states against healthcare organizations and researchers.

This is my interview on the topic at TRT World

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post China-linked hackers are attempting to steal COVID-19 Vaccine Research appeared first on Security Affairs.

Magellan Health Ransomware Attack Exposes Customer Data

In the wake of an April ransomware attack, Fortune 500 healthcare company Magellan Health announced that a hacker exfiltrated customer data.

The ransomware attack was first detected by Magellan Health April 11, 2020, and was traced back to a phishing email that had been sent and opened five days earlier. Subsequent investigation revealed that customer data had been exfiltrated prior to the deployment of the ransomware.

“The exfiltrated records include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords,” stated the company in a letter sent to affected individuals.

This incident comes months after the company announced several of its subsidiaries had been targeted by phishing attacks that resulted in the compromise of the health information of more than 55,000 members.

 

The post Magellan Health Ransomware Attack Exposes Customer Data appeared first on Adam Levin.

Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

Microsoft has discovered a new COVID-19 themed phishing campaign targeting businesses with the LokiBot Trojan.

Lokibot was already employed in Coronavirus-themed campaigns, early of April, security experts at FortiGuard Labs discovered phishing attacks using alleged messages from the World Health Organization (WHO) to deliver the LokiBot trojan.

COVID-19 themed phishing campaigns recently observed by Microsoft was using messages with subject lines like “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020.”

The LokiBot data stealer is able to collect information from tens of different web browsers, access to browsing data, locate the credentials for more than 15 different email and file transfer clients, and check for the presence of popular remote admin tools like SSH, VNC and RDP.

One of the phishing campaigns observed by Microsoft sees attackers pretending to be from the Centers for Disease Control (CDC), the messages promise latest information on the COVID-19 pandemic and a new “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020”.

Another campaign use messages that pretend to be from a vendor asking for updated banking information to process payments due to the COVID-19 virus lockdown.

The emails in both campaigns use ARJ attachments that contain malicious executables disguised as PDF files.

The choice of password-protected ARJ files aims at bypassing some security solutions. Upon opening the enclosed files, the infection process will start to finally deliver the LokiBot Trojan.

Microsoft pointed out that its Microsoft Threat Protection’s machine learning algorithms were able to detect the campaign, Microsoft users are automatically protected by the Microsoft Defender.

“Microsoft Defender’s advanced detection technologies, including behavior learning and machine learning, started blocking this attack right away. We used deeper analysis of the blocked attacks, which helped us to identify the end-to-end campaign detailed,” Tanmay Ganacharya, director of security research of Microsoft Threat Protection, told BleepingComputer.

“We see a lot of benefits of leveraging machine learning and we are in a very unique position here at Microsoft because of the quality and diversity of our 8.2 trillion signals we process daily through the Microsoft Intelligent Security Graph.” 

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Crooks continues to use COVID-19 lures, Microsoft warns appeared first on Security Affairs.

Work From Home For Rest Of Year? Some Tech Companies Say “Yes” – Forbes

Love it or hate it, the work from home trend will continue as countries battle against COVID-19. In fact, many prominent tech companies say their employees will be working from home for the rest of the year.  Here’s what you need to know – and what it might mean for you: Google: While employees who…

COVID-19 Scam Roundup – May 11, 2020

Digital attacks continue to exploit coronavirus 2019 (COVID-19) as part of their malicious operations. On May 5, 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) along with the United Kingdom’s National Cyber Security Centre (NCSC) published a joint alert in which they revealed that they had witnessed APT actors targeting […]… Read More

The post COVID-19 Scam Roundup – May 11, 2020 appeared first on The State of Security.

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues.

Based in Germany, the Fresenius Group includes four independent businesses: Fresenius Medical Care, a leading provider of care to those suffering from kidney failure; Fresenius Helios, Europe’s largest private hospital operator (according to the company’s Web site); Fresenius Kabi, which supplies pharmaceutical drugs and medical devices; and Fresenius Vamed, which manages healthcare facilities.

Overall, Fresenius employs nearly 300,000 people across more than 100 countries, and is ranked 258th on the Forbes Global 2000. The company provides products and services for dialysis, hospitals, and inpatient and outpatient care, with nearly 40 percent of the market share for dialysis in the United States. This is worrisome because COVID-19 causes many patients to experience kidney failure, which has led to a shortage of dialysis machines and supplies.

On Tuesday, a KrebsOnSecurity reader who asked to remain anonymous said a relative working for Fresenius Kabi’s U.S. operations reported that computers in his company’s building had been roped off, and that a cyber attack had affected every part of the company’s operations around the globe.

The reader said the apparent culprit was the Snake ransomware, a relatively new strain first detailed earlier this year that is being used to shake down large businesses, holding their IT systems and data hostage in exchange for payment in a digital currency such as bitcoin.

Fresenius spokesperson Matt Kuhn confirmed the company was struggling with a computer virus outbreak.

“I can confirm that Fresenius’ IT security detected a computer virus on company computers,” Kuhn said in a written statement shared with KrebsOnSecurity. “As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relevant investigating authorities and while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”

The assault on Fresenius comes amid increasingly targeted attacks against healthcare providers on the front lines of responding to the COVID-19 pandemic. In April, the international police organization INTERPOL warned it “has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.

On Tuesday, the Department of Homeland Security‘s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert along with the U.K.’s National Cyber Security Centre warning that so-called “advanced persistent threat” groups — state-sponsored hacking teams — are actively targeting organizations involved in both national and international COVID-19 responses.

“APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities,” the alert reads. “The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for many victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to pressure victim companies into paying up.

Security researchers say the Snake ransomware is somewhat unique in that it seeks to identify IT processes tied to enterprise management tools and large-scale industrial control systems (ICS), such as production and manufacturing networks.

While some ransomware groups targeting businesses have publicly pledged not to single out healthcare providers for the duration of the pandemic, attacks on medical care facilities have continued nonetheless. In late April, Parkview Medical Center in Pueblo, Colo. was hit in a ransomware attack that reportedly rendered inoperable the hospital’s system for storing patient information.

Fresenius declined to answer questions about specifics of the attack, saying it does not provide detailed information or comments on IT security matters. It remains unclear whether the company will pay a ransom demand to recover from the infection. But if it does so, it may not be the first time: According to my reader source, Fresenius paid $1.5 million to resolve a previous ransomware infection.

“This new attack is on a far greater scale, though,” the reader said.

Update, May 7, 11:44 a.m. ET: Lawrence Abrams over at Bleeping Computer says the attack on Fresenius appears to be part of a larger campaign by the Snake ransomware crooks that kicked into high gear over the past few days. The report notes that Snake also siphons unencrypted files before encrypting computers on a network, and that victims are given roughly 48 hours to pay up or see their internal files posted online for all to access.

Getting Zoom Security Right – 8 Tips for Family and Friends

If you’ve read a newspaper or watched the news in the past few weeks, you’ll notice one common topic that all the major news outlets are discussing… COVID-19. Right now, many companies are trying to provide employee guidance during this worldwide pandemic, as governments ask those who can to work from home in an effort […]… Read More

The post Getting Zoom Security Right – 8 Tips for Family and Friends appeared first on The State of Security.

Maze Ransomware Targets the Hospitals and Labs Fighting Coronavirus

“Never let a good crisis go to waste.” These wise words have been recently attributed to former Bill Clinton Chief of Staff Rahm Emanuel, though Freakonomics actually dates it back to 1976 and a completely different context. Regardless of who first uttered the phrase or some permutation of it, modern-day cybercriminals have taken the candid […]… Read More

The post Maze Ransomware Targets the Hospitals and Labs Fighting Coronavirus appeared first on The State of Security.

COVID-19 Scam Roundup – May 4, 2020

Malicious actors continue to abuse coronavirus 2019 (COVID-19) as a lure to profit off of innocent people. Indeed, Arkose Labs found that 26.5% of all transactions recorded in Q1 2020 were fraud and abuse attempts—a 20% increase over the previous quarter and the highest attack rate ever observed by the security firm’s researchers. It’s therefore […]… Read More

The post COVID-19 Scam Roundup – May 4, 2020 appeared first on The State of Security.

Cybercriminals Are Exploiting the Covid-19 Pandemic

Cybercriminals are actively targeting Covid-19 hotspots with malware and phishing campaigns, according to a new report from Bitdefender.

The report, “Coronavirus-themed Threat Reports Haven’t Flattened the Curve,” shows a direct correlation between confirmed Covid-19 cases and malware attacks exploiting the crisis.

These findings confirm a similar report that showed a 30000% increase in Covid-19-themed attacks from January to March.

“Countries that have reported the largest number of Coronavirus-themed [scams] seem to have also been those hit hardest by the pandemic,” the report stated, showing a concurrent increase in both confirmed cases and malware attacks in South Africa in April as an example.

Data from the Bitdefender report also indicated a connection between an increase in phishing campaigns in areas where testing for Covid-19 has become available.

“[W]e can safely infer that people who get tested are interested in learning more about potential treatments, medicine, medical best practices, and maybe even other patient’s experiences… those spending more time online looking for information about COVID-19 are more likely to fall prey to scams and malware related to Coronavirus,” the report stated. “Receiving an email claiming to have new and interesting information about the pandemic with more exclusive information embedded within the attachment is the perfect lure.”

Read the full report here.

The post Cybercriminals Are Exploiting the Covid-19 Pandemic appeared first on Adam Levin.

How Cybercriminals are Weathering COVID-19

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

FUELED BY MULES

One of the more common and perennial cybercriminal schemes is “reshipping fraud,” wherein crooks buy pricey consumer goods online using stolen credit card data and then enlist others to help them collect or resell the merchandise.

Most online retailers years ago stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. These restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe — derisively referred to as “reshipping mules” — to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

A screen shot from a user account at “Snowden,” a long-running reshipping mule service.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

“One Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes,” Intel 471 observed. “Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).”

Still, every dark cloud has a silver lining: Intel 471 noted many cybercriminals appear optimistic that the impending global economic recession (and resultant unemployment) “will make it easier to recruit low-level accomplices such as money mules.”

Alex Holden, founder and CTO of Hold Security, agreed. He said while the Coronavirus has forced reshipping operators to make painful shifts in several parts of their business, the overall market for available mules has never looked brighter.

“Reshipping is way up right now, but there are some complications,” he said.

For example, reshipping scams have over the years become easier for both reshipping mule operators and the mules themselves. Many reshipping mules are understandably concerned about receiving stolen goods at their home and risking a visit from the local police. But increasingly, mules have been instructed to retrieve carded items from third-party locations.

“The mules don’t have to receive stolen goods directly at home anymore,” Holden said. “They can pick them up at Walgreens, Hotel lobbies, etc. There are a ton of reshipment tricks out there.”

But many of those tricks got broken with the emergence of COVID-19 and social distancing norms. In response, more mule recruiters are asking their hires to do things like reselling goods shipped to their homes on platforms like eBay and Amazon.

“Reshipping definitely has become more complicated,” Holden said. “Not every mule will run 10 times a day to the post office, and some will let the goods sit by the mailbox for days. But on the whole, mules are more compliant these days.”

GIVE AND TAKE

KrebsOnSecurity recently came to a similar conclusion: Last month’s story, “Coronavirus Widens the Money Mule Pool,” looked at one money mule operation that had ensnared dozens of mules with phony job offers in a very short period of time. Incidentally, the fake charity behind that scheme — which promised to raise money for Coronavirus victims — has since closed up shop and apparently re-branded itself as the Tessaris Foundation.

Charitable cybercriminal endeavors were the subject of a report released this week by cyber intel firm Digital Shadows, which looked at various ways computer crooks are promoting themselves and their hacking services using COVID-19 themed discounts and giveaways.

Like many commercials on television these days, such offers obliquely or directly reference the economic hardships wrought by the virus outbreak as a way of connecting on an emotional level with potential customers.

“The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services,” the report notes. “These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.”

Brian’s Club — one of the underground’s largest bazaars for selling stolen credit card data and one that has misappropriated this author’s likeness and name in its advertising — recently began offering “pandemic support” in the form of discounts for its most loyal customers.

It stands to reason that the virus outbreak might depress cybercriminal demand for “dumps,” or stolen account data that can be used to create physical counterfeit credit cards. After all, dumps are mainly used to buy high-priced items from electronics stores and other outlets that may not even be open now thanks to the widespread closures from the pandemic.

If that were the case, we’d also expect to see dumps prices fall significantly across the cybercrime economy. But so far, those price changes simply haven’t materialized, says Gemini Advisory, a New York based company that monitors the sale of stolen credit card data across dozens of stores in the cybercrime underground.

Stas Alforov, Gemini’s director of research and development, said there’s been no notable dramatic changes in pricing for both dumps and card data stolen from online merchants (a.k.a. “CVVs”) — even though many cybercrime groups appear to be massively shifting their operations toward targeting online merchants and their customers.

“Usually, the huge spikes upward or downward during a short period is reflected by a large addition of cheap records that drive the median price change,” Alforov said, referring to the small and temporary price deviations depicted in the graph above.

Intel 471 said it came to a similar conclusion.

“You might have thought carding activity, to include support aspects such as checker services, would decrease due to both the global lockdown and threat actors being infected with COVID-19,” the company said. “We’ve even seen some actors suggest as much across some shops, but the reality is there have been no observations of major changes.”

CONSCIENCE VS. COMMERCE

Interestingly, the Coronavirus appears to have prompted discussion on a topic that seldom comes up in cybercrime communities — i.e., the moral and ethical ramifications of their work. Specifically, there seems to be much talk these days about the potential karmic consequences of cashing in on the misery wrought by a global pandemic.

For example, Digital Shadows said some have started to question the morality of targeting healthcare providers, or collecting funds in the name of Coronavirus causes and then pocketing the money.

“One post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation,” the company wrote. “A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was ‘cruel,’ they found themselves in an ‘extremely difficult financial situation.’ Responses to the proposal were mixed, with one forum user calling the plan ‘amoral,’ and another pointing out that cybercrime is inherently an immoral affair.”

Maintaining POS Device Security and Cleanliness


With the global spread of COVID-19, awareness about the potential risks associated with touching public-facing surfaces has intensified. Many merchants are working harder than ever to protect their customers by frequently cleaning common touch points in their stores. One of these common surfaces is the point-of-sale (POS) payment terminals where customers swipe or dip their payment card and potentially enter a PIN to confirm their purchase.

Unproven Coronavirus Therapy Proves Cash Cow for Shadow Pharmacies

Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help combat the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

A Google Trends graph depicting the incidence of Web searches for “chloroquine” over the past 90 days.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures — President Trump and Tesla CEO Elon Muskbegan suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine suddenly were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

Recent 30-day sales figures from the pharmacy affiliate program PharmCash.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

An ad promoting various unproven remedies for COVID-19, from the pharmacy affiliate program Rx-Partners.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program.

But the boost in sales from the global chloroquine frenzy would be short-lived. Demand for chloroquine phosphate became so acute worldwide that India — the world’s largest producer of hydroxychloroquine — announced it would ban exports of the drug. On Mar. 25, India also began shutting down its major international shipping ports, leaving the pharmacy affiliate programs scrambling to source their products from other countries.

A Mar. 31 message to affiliates working with the Union Pharm program, noting that supplies of Aralen had dried up due to the shipping closures in India.

India recently said it would resume exports of the drug, and judging from recent posts at the aforementioned affiliate site gofuckbiz[.]com, denizens of various pharmacy affiliate programs are anxiously awaiting news of exactly when shipments of chloroquine drugs will continue.

“As soon as India opens and starts mail, then we will start everything, so get ready,” wrote one of Rx-Partners’ senior recruiters. “I am sure that there will still be demand for pills.”

Global demand for these pills, combined with India’s recent ban on exports, have conspired to create shortages of the drug for patients who rely on it to treat chronic autoimmune diseases, including lupus and rheumatoid arthritis.

While hydroxychloroquine has long been considered a relatively safe drug, some people have been so anxious to secure their own stash of the drug that they’ve turned to unorthodox sources.

On March 19, Fox News ran a story about how demand for hydroxychloroquine had driven up prices on eBay for bottles of chloroquine phosphate designed for removing parasites from fish tanks. A week later, an Arizona man died and his wife was hospitalized after the couple ingested one such fish tank product in hopes of girding their immune systems against the Coronavirus.

Despite many claims that hydroxychloroquine can be effective at fighting COVID-19, there is little real data showing how it benefits patients stricken with the disease. The largest test of the drug’s efficacy against Coronavirus showed no benefit in a large analysis of its use in U.S. veterans hospitals. On the contrary, there were more deaths among those given hydroxychloroquine versus standard care, researchers reported.

In an advisory released today, the U.S. Food and Drug Administration (FDA) cautioned against use of hydroxychloroquine or chloroquine for COVID-19 outside of the hospital setting or a clinical trial due to risk of heart rhythm problems.

7 Common Questions about CPEs During COVID-19


Continuing professional education is an important component of PCI SSC Qualification. Staying up to date, even during the COVID-19 pandemic, with the latest knowledge, techniques, and insights helps support the Program Participant’s ability to effectively conduct the tasks and responsibilities associated with a PCI SSC Qualification.

How to Keep Your Video Conferencing Meetings Secure

Guest Post by By Tom Kellermann (Head Cybersecurity Strategist, VMware Carbon Black)

The sudden and dramatic shift to a mobile workforce has thrust video conferencing into the global spotlight and evolved video conferencing vendors from enterprise communication tools to critical infrastructure.

During any major (and rapid) technology adoption, cyberattackers habitually follow the masses in hopes of launching an attack that could lead to a pay day or give them a competitive advantage. This has not been lost on global organisations’ security and IT teams, who are quickly working to make sure their employees’ privacy and data remains secure.

Here are some high-level tips to help keep video conferencing secure.

Update the Application
Video conferencing providers are regularly deploying software updates to ensure that security holes are mitigated.  Take advantage of their diligence and update the app prior to using it every time.

Lock meetings down and set a strong password
Make sure that only invited attendees can join a meeting. Using full sentences with special characters included, rather than just words or numbers, can be helpful. Make sure you are not sharing the password widely, especially in public places and never on social media. Waiting room features are critical for privacy as the meeting host can serve as a final triage to make sure only invited participants are attending. Within the meeting, the host can restrict sharing privileges, leading to smoother meetings and ensuring that uninvited guests are not nefariously sharing materials. 

Discussing sensitive information
If sensitive material must be discussed, ensure that the meeting name does not suggest it is a top-secret meeting, which would make it a more attractive target for potential eavesdroppers.  Using code words to depict business topics is recommended during the cyber crime wave we are experiencing.

Restrict the sharing of sensitive files to approved file-share technologies, not as part of the meeting itself
Using an employee sharing site that only employees have access to (and has multi-factor authentication in place) is a great way to make sure sensitive files touch the right eyes only.  This should be mandated as this is a huge Achilles heel.

Use a VPN to protect network traffic while using the platform 
With so many employees working remotely, using a virtual private network (VPN) can help better secure internet connections and keep private information private via encryption. Public WiFi can be a gamble as it only takes one malicious actor to cause damage.  Do not use public WiFi, especially in airports or train stations.  Cyber criminals lurk in those locations.

If you can, utilise two networks on your home WiFi router, one for business and the other for personal use.
Make sure that your work computer is only connected to a unique network in your home. All other personal devices – including your family’s – should not be using the same network. The networks and routers in your home should be updated regularly and, again, should use a complex password. Additionally, you should be the only system administrator on your network and all devices that connect to it.

All of us have a role to play in mitigating the cyber crime wave.  Please remember these best practices the next time you connect. Stay safe online

Also related - How Safe are Video Messaging Apps such as Zoom?

How Safe are Video Messaging Apps such as Zoom?

I was privileged to be part of The Telegraph Coronavirus Podcast today, where I was asked about the security of video messaging apps.



'How safe are video messaging apps such as Zoom, and what should users bear in mind when using them?'

My reply...
Video messaging apps are an essential communication tool for at home and within businesses, especially during the COVID-19 lockdown period. They are generally safe to use but there are a few security risks which users should be aware of.

Our increased use of video messaging apps has not gone unnoticed by cybercriminals, who are seeking to exploit the increase of use by sending phishing emails, social media scam messages and even scam text messages, with fake invitations to video messaging app meetings.

Typically, these scam messages will entice you into either opening a malicious attachment or click a web link which directs to a malicious website. The ultimate aim of these cyberattacks is to deliver malicious software, such as ransomware which locks your PC and demands a ransom payment to unlock, scam a payment, or steal your personal information which can be resold to other cybercriminals on the dark web.

So, never open an attachment or click on any links within any unexpected or suspicious emails, social media messages and text messages.

The next piece of advice is to ensure your video messaging app is always kept up-to-date. Luckily most modern smartphones and computer operating systems will automatically update your apps, but it is always worth double-checking and not to suppress any app updates from occurring, as often the app updates are fixing security flaws.

And finally, on home computers and laptops, when not using video messaging apps, either cover your webcam with a piece of tape or face your webcam towards a wall or ceiling, just in case your computer is covertly compromised and a malicious actor gains access to your computer's webcam.


Additional
One tip I didn't have time to say on the podcast, is always ensure your video chats are set to private, using a strong password to prevent ZoomBombingRecent reportshave shown a series of “Zoombombing” incidents lately, where unwanted guests have joined in on open calls. 

Bharat Mistry, Principal Security Strategist at Trend Micro on Zoom advises “Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.

It’s all about taking advantage of unsecure settings in the app, (and possibly using brute-force tools to crack meeting IDs). With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.

Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.

Risk mitigation:
The good news is that there are several things you can do to mitigate the security risks associated with Zoom. The most basic are: 
  • Ensure Zoom is always on the latest software version
  • Build awareness of Zoom phishing scams into user training programmes. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
  • Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor
Organisational preparedness:
Next, it’s important to revisit those administrative settings in the app, to reduce the opportunities for hackers and Zoombombers. Fortunately, automatically generated passwords are now switched on by default, and the use of personal meeting IDs are switched off, meaning Zoom will create a random, one-off ID for each meeting. These setting should be kept as is. But organisations can do more, including:
  • Ensure you also generate a meeting ID automatically for recurring meetings
  • Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
  • Don’t share any meeting IDs online
  • Disable “file transfers” to mitigate risk of malware
  • Make sure that only authenticated users can join meetings
  • Lock the meeting once it’s started to prevent anyone new joining
  • Use waiting room feature, so the host can only allow attendees from a pre-assigned register
  • Play a sound when someone enters or leaves the room
  • Allow host to put attendees on hold, temporarily removing them from a meeting if necessary”

Decision Making Before and During Times of Crisis:  A Parallel Between Cybersecurity Incidents and the Current COVID-19 Pandemic

The coronavirus pandemic is not only the first time in history when a biological virus also affects the cybersecurity industry (through phishing attacks and COVID-19-themed malware) but the way the breakout has been handled so far also resembles how certain IT decision-makers may react when it comes to dealing with security issues.

So far, the crisis has been approached from different angles by governments around the world. The pandemic is now causing major disruptions in the way we live and work, and perhaps, irreversibly. It is an unprecedented health and economic disaster, which puts our collective ability to respond to the test.

How prepared are governments? How about us as citizens? Why don’t we all focus on prevention rather than on dealing with the consequences?

A comparison between decision making in Cybersecurity and the COVID-19 pandemic

If you think about it, in many cases, cyber-attacks and malware behave and spread in ways similar to a pandemic. Some digital threats are even called “viruses”, after all.

But how do cybersecurity leaders generally make decisions compared with how currently government officials are dealing with the COVID-19 pandemic?

Without the intention of trying to oversimplify the complexity and severity of the COVID-19 pandemic, I’ve discovered some similarities that I would like to point out.

#1. Inaction fueled by optimism bias

Even though we like to think of ourselves as rational creatures, it’s in human nature to disregard risk associated with – well, anything…

Why? The optimism bias phenomenon is to be blamed. In short, it refers to the belief that we have lower chances of being affected by negative events than other people and that we are more likely to experience positive events than our peers.

The term was coined by Neil D. Weinstein in 1980, who through his experiment discovered that most college students thought their chances of developing a drinking problem or getting divorced were lower than that of their colleagues. Simultaneously, the majority of these students also believed that the odds of positive things happening to them (such as owning a house and growing old) were much higher.

In a recent article, Marie Helweg-Larsen, Professor of Psychology, argues that certain people are refusing to change their behavior during the current coronavirus pandemic due to optimism bias. For instance, if you don’t believe chances are you may be infected, you might think that interacting with your grandmother won’t be harmful. This way, due to the infection’s uncertainty, you tend to minimize risk.

The perception around risk can be difficult to change. But since social distancing and staying at home are now typically considered the moral thing to do, people may be more likely to change their attitude when thinking about keeping others safe (and not themselves, in particular). So, no longer focusing on your own personal risk may fuel a more protective behavior.

Obviously, not only regular citizens found themselves under the optimism bias since the COVID-19 pandemic has emerged. In the same manner, leaders around the world have been crippled by inertia and tended to underestimate the critical impact the novel coronavirus would have on their countries, healthcare systems, and the economy.

How common is optimism bias in cybersecurity?

Of course, optimism bias can also be observed in the cybersecurity field. In short, this phenomenon prevents some security leaders from taking preventative measures and therefore hinders companies from achieving a good security posture.

The results of a study revealed that security executives are indeed affected by the optimistic bias. The report concludes they thought their risk to be substantially lower than that of the companies they were compared with. Furthermore, they seemed to be aware of the existing risks, yet still can not completely grasp the magnitude of a potential accident.

The same study has shown that subjects, at the very least, acknowledged their interconnectedness with their business partners. Even though they considered themselves to be less prone to risk than other companies, they seemed to perfectly understand that they could themselves become victims due to the third-parties they partnered up with. These dangers are nowadays commonly referred to as Supply Chain Attacks or Vendor Email Compromise (VEC) threats.

How to avoid bias when building your cybersecurity strategy

Biases impact decision-making processes and obviously, the cybersecurity industry is no exception to the rule.

So, how can you, as an IT decision-maker, avoid being under the influence of cognitive biases?

Here are a few points to consider:

  • Becoming aware of optimism bias and accepting that the phenomenon is an inherent part of us as humans. This is the first step toward taking impartial, unbiased decisions.
  • Looking at real-life examples. Understanding how organizations that match your own profile were impacted by cyberattacks and analyzing how your company would react when faced with a similar scenario. Would it be prepared to deal with an attack or miserably fail? How cyber resilient is your organization?
  • Thinking about the overall positive impact of a strong cybersecurity strategy on your business. Now, organizations should not simply begin applying scare tactics upon themselves and should start realizing how threat prevention and mitigation will keep their company up and running.

#2. Testing and micro-segmentation

So far, countries that have proved to be the most successful in managing COVID-19 infections behaved the same way cyber resilient organizations do. And the ones that failed to keep the epidemic under control did not have all the prevention and mitigation measures in place.

For instance, as the epidemic was (not so) slowly increasing, Britons were encouraged to “keep calm and carry on” and let the herd immunity strategy, which was heavily criticized in the end, do the trick. Prime Minister Boris Johnson later admitted that Britain was going through the “greatest public health crisis for a generation” and started implementing some forms of social distancing measures.

After the first American case was announced in late January, when asked if he believed this would turn into a pandemic, President’s Donald Trump response was “No. Not at all. And we have it totally under control. It’s one person coming in from China, and we have it under control. It’s going to be just fine.”

In early March, Trump was still suggesting that the virus was “less serious than the flu” and reassuring people that “It will go away. Just stay calm. It will go away.” Meanwhile, the U.S. was falling behind on testing and some Trump administration officials were responding with untruths, suggesting that anyone who wanted could get tested when in reality, the shortage of testing kits was being revealed. As of March 30, 2020, the U.S. has the most confirmed COVID-19 cases in the world, surpassing China, Italy, and Spain.

In the meantime, South Korea, Singapore, and Taiwan have managed to contain the outbreak due to diligent testing and social distancing measures.

Below you can see the number of Tests conducted vs. Total confirmed cases in different countries around the world:

Along the same lines, the same testing (or monitoring) practices should be followed in cybersecurity.

Should threats remain hidden inside your organization, there will be room for lateral movement and future exploitation. However, the spread of malware infections can be stopped if you put a segmented architecture based on Zero Trust in place. This model originates from the belief that one should never trust anything inside an organization by default and should always verify everything in the first place. Zero trust networks are based upon micro-segmentation, which divides perimeters into small areas so that certain parts of your network remain isolated and have separate access. In case a data breach occurs, micro-segmentation limits further exploitation of your network.

What’s more, simply because people aren’t displaying any visible symptoms of COVID-19, that doesn’t necessarily mean they are not infected and therefore shouldn’t get tested. There have been cases of coronavirus false-negatives so far, which leaves experts worried about this type of inaccuracy amidst the outbreak.

However, even though universal testing may sound utopic due to logistical constraints and shortage of testing kits, the same should not apply when it comes to your organization’s security.

Most nations that have had a hard time enforcing social isolation rules have witnessed COVID-19 infections growing quicker. Italy, for instance, around a week ago, when around 41,000 people were infected and the outbreak was already out of control, was charging 50,000 individuals for breaking isolation laws. Fast forward another week later, the cases in Italy had almost doubled.

On the other hand, after imposing draconian lockdown measures and despite being the outbreak’s original source, China managed to flatten the coronavirus curve. They tried to proactively find infections rather than just passively wait for symptoms to develop. As you may already know, this approach is also considered a best practice in cybersecurity.

What’s more, a study has shown that as human mobility decreased in China after social distancing measures were put in place, so did new infections.

Image source: “The effect of human mobility and control measures on the COVID-19 epidemic in China”, available here

As you can see in Graph a, human mobility dropped after January 23, 2020, and was considerably lower than compared to January 2019, when cordon sanitaire (the health measures aimed at controlling the spread of the disease) was put in place for Wuhan. And after this date, the number of coronavirus cases and infection rate also started decreasing, as you can notice in the charts below:

Image source: “The effect of human mobility and control measures on the COVID-19 epidemic in China”, available here

#3. Improving your defenses and mitigating risk

During this critical period, hospitals and governments had to beef up their defenses against COVID-19. Basically, now more medical supplies than ever, such as gloves, gowns, or ventilators, have to be purchased. Needless to say, having the right number of protective equipment is vital. However, unfortunately, many countries are unprepared, even though they should have been able to see a crisis like this one coming.

“When we have done exercises in the past for pandemic preparedness, supply chain issues were a well-documented challenge”, commented Saskia Popescu, an epidemiologist focused on hospital preparedness, for Vox.com. “This is something we’ve known about — maybe not to this extent, but this isn’t a shocker. It’s more surprising that we let it get this bad.”

Knowing that disaster could strike anytime is not to be neglected.

In a similar fashion, the same reasoning can be applied to an organization’s cybersecurity. Since being aware that cyber-attacks and data breaches can linger around the corner, would you not wish to protect your digital assets in the best possible way?

Only through proactive security measures, such as staying on top of your patching or scanning your organization’s incoming and outgoing traffic through DNS filtering coupled with reactive defenses, like using a next-gen Antivirus and then extending your defenses to email security and privileged access rights management, your organization can achieve true cyber resilience.

What organizations can learn from a cybersecurity standpoint

First of all, security leaders should accept that any organization is exposed to cyber threats. After all, it’s a matter of when (not if).

Secondly, another vital step refers to testing (or in other words, gaining visibility inside your organization). This is how you can understand exactly if or which parts of your business are being affected and in case of an existing infection, be able to address it correctly. As I’ve mentioned before, micro-segmentation is recommended. Dividing your network into different security segments with fine-grained security controls will help you isolate areas and limit the spread of a potential infection.

Last, but not least, organizations should operate with a prevention-first mindset and combine proactive and reactive protection measures. Prevention is still the best cure, after all.

Heimdal Official Logo

Simple Antivirus protection is no longer enough.

Thor Premium Enterprise

is the multi-layered Endpoint Detection and Response (EDR) approach
to organizational defense.
  • Next-gen Antivirus which stops known threats;
  • DNS traffic filter which stops unknown threats;
  • Automatic patches for your software and apps with no interruptions;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today Offer valid only for companies.

Bottom Line

In today’s unprecedented context, how long the COVID-19 pandemic will last is still uncertain. However, what is clear is that it has raised highly complex issues and revealed serious flaws in crisis management in many countries around the world. The outbreak only shows that we are completely unprepared to deal with it. However, it’s (probably) not too late to act now, remain optimistic, and learn how to prevent future outbreaks.

The post Decision Making Before and During Times of Crisis:  A Parallel Between Cybersecurity Incidents and the Current COVID-19 Pandemic appeared first on Heimdal Security Blog.

Working from Home Cybersecurity Guidance


Working from home comes with a range of security risks, but employees need to be educated too – human behaviour is invariably the weakest link in a company’s cybersecurity posture. In the current environment, with many more employees working at home, cybercriminals are actively looking for opportunities to launch phishing attacks and compromise the IT infrastructure of businesses, large and small. 

Guidance on Working from Home All companies should start by reviewing the home working guidance available at the UK Government’s National Cyber Security Centre (NCSC). This resource helps companies prepare their employees and think about the best way to protect their systems. Crossword has been advising a number of its FTSE clients in a range of sectors, and below is a summary of the guidance given, in addition to that from the NCSC.

Run Audio and Video calls Securely

What is visible in the background of your screen during video calls and is someone monitoring who is on the call? The same is true for audio only calls. A team member should be responsible for ensuring only invited guests are present, and calls should be locked once started, so other participants cannot join.

Educate Employees on Phishing attacks
The NCSC mentions COVID-19 related Phishing attacks which use the current crisis to trick employees into clicking on fake links, downloading malware, and revealing passwords – so educate them. These could be fake HR notifications or corporate communications; fake tax credits; fake emails from mortgage providers; free meals and mechanisms for registering for them. The list is endless and cyber criminals are very news savvy and quick to adapt. Employees are likely to be more vulnerable to phishing attacks due to people rushing, fear, panic, and urgency; all the behavioural traits that result in successful phishing attacks.

Automate Virtual Personal Network configurations (VPNs) 
IT and Security teams may have a backlog of users to set up on VPNs, to provide secure connections to corporate networks. Do not allow employees to send data insecurely, use automation to make accelerated deployments and guarantee correct configuration. Even IT staff are fallible, and the combination of pressure of work volume and working fast, may leave a gaping hole in your infrastructure.

Control the use of Personal Devices for Corporate Work
Due to the rapid increase in home workers, many employees may be using their own devices to access emails and data, which may not be covered by Bring Your Own Device (BYOD) policies. What this means in practicality, is that employee’s personal devices may not be securely configured, nor managed properly and be more vulnerable. IT and Security teams again, may need to retrospectively ensure that employees are complying with BYOD policies, have appropriate endpoint security software installed etc.

Stop Personal Email and Unauthorised Cloud Storage Use
When companies are experiencing IT difficulties in setting up employees working from home, people may be tempted to use personal emails or their personal cloud to send and store data, as a work around. These are a risk and can be easy for cyber criminals to target to gain company information or distribute malware, as they are not protected by the corporate security infrastructure.

Keep Collaboration Tools Up-to-date
Tools such as Microsoft Teams, Zoom and Google Hangouts are great, but it is important to ensure all call participants are using the latest versions of the software, and that includes partners and customers that may be on calls. Employees should also only use the corporate approved tools and versions as they will have been tested by security teams for vulnerabilities, that could be exploited by cybercriminals. 

Stuart Jubb, Consulting Director at Crossword commented: “Throughout the UK, companies are doing everything they can to ensure business continues as normally as possible as the COVID-19 situation develops. The guidance we are issuing today is a summary of the key points we have been discussing with our clients across a wide range of vertical markets. Good IT security measures are arguably more important than ever as companies become a largely distributed workforce, almost overnight. As ever though, it is not just about the technology, but good behaviour and education amongst employees as cybercriminals work to exploit any vulnerability they can find, whether that be a person, mis-configured tech, or unpatched software.”

Coronavirus Cybersecurity: Scams To Watch Out For

The Coronavirus pandemic has shocked the world in recent months, with many countries being forced to go into lockdown or encourage its nationals to self-isolate as much as possible. Many are trying to work out how to juggle working from home, caring for their children, managing their finances and looking after their health! But sadly, there’s one more thing you need to add to that list - staying safe online and watching out for scammers. 

That’s because cybercriminals have decided to take advantage of the global fear, confusion and uncertainty around the world. Plus, vast numbers of people are now working from home and this usually means they are doing so with less cybersecurity measures in place than they would have in their office. 

Malicious messages examples seen
  • email and social media messages impersonating medical expert bodies including the NHS, World Health Organization (WHO), and Centre for Disease and Control (CDC), requesting a donation to research a vaccine.
  • GOV.UK themed text messages titled 'You are eligible to get a tax refund (rebate) of 128.34 GBP
  • messages advertising protective masks and hand sanitisers from bogus websites
So, despite this being a time when we all need to pull together and help one another out, there are still scammers out there looking to cause trouble. To help keep you safe online, Evalian has compiled a list of four of the most common Coronavirus scams happening right now, so you know what to look out for. 

1. Phishing Scams 
This is perhaps the biggest scam out there right now because phishing emails can come in many different forms. Most commonly, hackers are pretending to be health officials or national authorities offering advice about staying safe during the Corona outbreak. The reality is that they are trying to trick unsuspecting individuals into downloading harmful malware or providing sensitive, personal information. 

Some of these phishing emails look really sophisticated, with one in particular being a fake email sent from the World Health Organisation (WHO), offering tips on how to avoid falling ill with the virus. Once the email user clicks on the link provided, they are redirected to a site that steals their personal information. The problem is, with so many people being genuinely worried about their health and hoping to stop the spread, many don’t suspect that these types of emails could be a scam. 

The best way to avoid falling victim to these types of phishing emails is to look for suspicious email addresses or lots of spelling mistakes. And even if the email looks pretty legitimate, it might still be worth going direct to the sender’s website instead. For example, going direct to the World Health Organisation website for advice means you can avoid clicking any links from the email. That way you can find the information you need and reduce the risk of falling victim to a cybercrime. 

Secondly, if an email asks for money or bitcoin donations to help tackle Coronavirus, don’t make any transfers. Again, if you wish to help by donating money or services, go directly to the websites of charities or health organisations to see how you can help.

It’s also worth noting, that these phishing scams can also be received as a text message or phone call. If you receive strange texts or voicemails asking for donations, giving offers on vaccines or warning you about cases in your local area, approach with caution and certainly don’t give away any of your personal details. 

2. Fake Websites
Another common scam designed to play on fear and uncertainty is the setting up of fake websites. Cybercriminals are creating Coronavirus-related websites which claim to offer pharmaceuticals or remedies for the virus such as testing kits, vaccines, and other fake health solutions. The idea is to get anxious victims to part with their bank details or to hack their computer and install malware on their systems. 

In these situations, there are some things you can do. Firstly, check if the website has a secure connection. You’ll know whether it does or doesn't by the padlock in the search bar. If there is a padlock in the search bar this means the site is secure, if there isn't, then it’s a good idea to avoid this site. Not only this but if the website is poorly designed and the text has a lot of spelling and grammatical errors, this could also be a big red flag. 

Finally, it’s also important to be aware that not many sites are genuinely going to be offering these health solutions and if they appear to be selling in-demand products at an extremely low price, then it’s most likely a scam. Remember, if it seems to good to be true then it probably is. 

3. App Scams 
Cybercriminals are also targeting smartphones and mobile devices with dedicated Coronavirus apps. These apps claim to track the spread of the virus in your local area and with many people concerned about the proximity of the virus to their home, it’s not surprising that people are willing to download such an app. 

The reality, however, is that the app then installs malware into your device and not only comprises your tech, but also all the personal information stored within it. In some cases, the app can lock victims out of their phone or tablet demanding a ransom to get back in, threatening to delete all the information, contact details and photos stored inside.

4. Fake Coronavirus Maps
Last but not least, the fake Coronavirus map scam. Similar to that of the tracking app, cybercriminals have begun circulating graphics of fake maps on which they claim to highlight where all the Coronavirus cases are in your country. These are usually sent round on social media and through email. 

Of course, these images are not meant to educate or help you in any way. In fact, the scammers include malware in the links so that once you’ve clicked to open the image this immediately infects your device. In most cases, this has been reported to be the kind of bug that can steal data such as bank details, passwords, login information and other sensitive data stored on your device. 

Look for the Red Flags 
  • Never open attachments or click on links within suspicious or unexpected emails, text and social media messages
  • Look for the suspicious signs; does the message convey a sense of urgency to perform an action?
  • Always remember legitimate organisations never ask for passwords, payment card details and sensitive data to be sent by email
In these troubling and uncertain times, you’d be forgiven for falling for a scam if you thought for one second it could help to keep you and your family safe from this virus. But sadly, there are criminals out there taking advantage of people’s anxiety. So just be aware that these scams are happening and look out for the red flags we’ve mentioned above to help you stay safe online. 

UK Payment Card Contactless Limit Increased from £30 to £45 prevent Coronavirus Spread

The contactless payment card limit for in-store card transactions in the UK will be increased from £30 to £45 from 1st April. A good move for preventing COVID-19 spread at supermarkets and petrol stations via card payment pinpads, which are impossible to keep sanitised.

Better still, everyone right now can benefit from secure MFA contactless payments with higher limits by setting up Apple Pay, Google Pay or, Samsung Pay on your smartphone.

BRC Head of Payments Policy, Andrew Cregan, said: “The last contactless limit increase to £30 took two years to implement but, given the extraordinary circumstances we face today, this new £45 limit will be rolled-out from next week. Some shops will take longer to make the necessary changes, given the strain they’re under. In the meantime, most customers can continue to make contactless payments for higher amounts using their smart phone.”