News for the cybersecurity community during the COVID-19 emergency: Thursday, April 16th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Scams, remote work, and COVID-19 disinformation.
Law enforcement increases its warnings as COVID-19-themed cybercrime continues to spike.
CPO Magazine notes that the US Federal Bureau of Investigation (FBI) has "stepped up its efforts to notify the public" of criminal attempts to take advantage of the coronavirus emergency. The Bureau has increased the frequency of its alerts. It only issued nine during all of last year; it's already issued four during March and April. Not all of these deal directly with COVID-19 (one in March, for example, was a warning about human trafficking) but it does seem that the tempo of cybercrime engendered by the pandemic has moved the FBI in the direction of more frequent public engagement than had been the norm.
Business email compromise (BEC) attempts now regularly seek to exploit the confusion and improvisation that surround many organizations' response to the pandemic. Trustwave's Spider Labs has an interesting rundown of how some of these scams are shaping up during the state of emergency. As remote work has become common, emailed instructions are also likely to become common, and so are more likely to be acted on. The current BEC trend is to use a spoofed email address to do such things as ask for gift cards that will enable the apparent sender to buy masks or other protective equipment locally, arrange a wire transfer to settle invoices, change direct deposit information (the employee after all can't get into the office to do it in person), and so on. Organizations would do well to look to ways in which the policies and procedures that protect them against BEC can be adapted to the circumstances of remote work.
Trends in COVID-19-themed cybercrime.
We've seen that criminals have stepped up attacks (ransomware attacks in particular) against the healthcare sector. They've also increased their attempts against financial services. Both sectors share a common feature: their data are particularly valuable. VMware Carbon Black has seen ransomware spike 148% during the pandemic, and ransomware is now routinely accompanied by data theft. Financial services have been heavily affected: by March the sector was targeted in 58% of all attacks.
Zoom's current travails.
More large companies have banned the use of Zoom. TechRadar reports that Siemens has joined Standard Chartered Bank in telling its employees to avoid using the teleconferencing service.
Zoom hasn't been idle. In its latest move to shore up security the company has brought in Luta Security to run a revamped bug bounty program. ZDNet observes that Luta's Katie Moussouris has tweeted a greeting to others she indicates are joining Zoom's advisory team. In addition to Alex Stamos, whose appointment has been known for several days, she indicated in a tweet that she'd be joined by, as ZDNet lists them, "privacy expert Lea Kissner (former Global Lead of Privacy Technology at Google), cryptographer and Johns Hopkins professor Matthew Green, and three well-known security auditing firms—BishopFox, the NCC Group, and Trail of Bits."
So should organizations use Zoom or not? Forbes offers sensible advice: If data privacy and security are paramount, then no. If, however, affordability and ease-of-use are more important than locking down your data, then Zoom isn't a bad choice. So if your office is holding a virtual happy hour, go ahead and Zoom happily. If you need to discuss PII, trade secrets, or (heaven forfend) classified information, then seek elsewhither.
Security, post-pandemic.
One of the things organizations are learning is what sort of work can be done remotely. It's likely that some of the habits being built up now will persist beyond the current emergency. FCW, for one, thinks that a great deal of the surge in telework the US Department of Defense is seeing may well turn into a permanent way of doing business.
Disinformation and the pandemic: an Iranian contribution.
Chinese operators have been the most active purveyors of disinformation during the COVID-19 emergency, but other actors haven't been idle either. Graphika reports that an Iranian threat group, the International Union of Virtual Media (IUVM, a front operation), has been active in pushing the line that the coronavirus had its origins in a US biowar program. "The IUVM operation is significant and manned by a well-resourced and persistent actor, but its effectiveness should not be overstated," Graphika cautions. Their reach has been limited, attracting only around 3000 followers, the Verge notes.
But persistent they have been. The group's accounts have been the repeated target of takedowns by Facebook, Google and Twitter, but they continue to reappear. Their line is generally pro-Iranian and pro-Palestinian; anti-US, anti-Israel, anti-Turkey, and anti-Saudi. Like much Chinese disinformation (and unlike much Russian disinformation), the Iranian efforts aim at persuading an audience to specific set of views, and not merely at disruption. On the principle of the enemy of my enemy is my friend, the IUVM has been heavily engaged in repeating stories that tend to Beijing's advantage. They generally praise China's response to the epidemic, dismiss criticism of Beijing as "psychological warfare," commend China's contributions to international emergency relief, and even praise China's business acumen in using the crisis as an opportunity to buy low and sell high.
State surveillance and COVID-19 phishbait.
Researchers at Lookout have seen a change in approach on the part of a group that appears to be operated by the Syrian government's domestic security apparatus. It's been active since 2018 at least, and recently it's begun prospecting Syrians with COVID-19 phishbait to induce them to install SpyNote, SandroRat, AndoServer, or SLRat surveillance tools. Some of the bait takes the form of bogus apps. One is a bogus digital thermometer, because what better to have on a worried person's phone than a thermometer that can warn them of the onset of a fever?
MFA and VPN usage is up.
Ping Identity sees an increase in the use of multi-factor authentication. "Obviously," they said in an email, "this has been caused by the remote workforce in the wake of the pandemic."
- "In Europe, MFA daily user count increased by 71% and daily authentication count increased by 76% from mid-February to the first week of April."
- "In North America, MFA daily user count increased by 47% and daily authentication count increased by 33% from mid-February to the first week of April."
- "Over 15,000 new PingID (MFA) users since WFH was instituted (10% increase)."
- "Over 280,000 additional MFA step-ups per week due to VPN usage (31% increase)."
There's a similar story to be told about virtual private networks (VPN). Open VPN has encountered what it called, on the CyberWire Daily Podcast, a "tsunami" of demand for its services since the pandemic emergency began.