2020 Midyear Threat Review: COVID-19’s Impact on Cybersecurity

The year 2020 was off to a great start filled with lots of hope and new opportunities. However, with the spread of the COVID-19 pandemic, things didn’t go as exactly as planned for most people. Instead of going on trips and spending more time with loved ones, we had to stay home and even work from home. Social distancing and wearing masks has become the new norm. Likewise, businesses had to change their way of work, which brought along various security challenges.


Let’s take a close look into the top five cybersecurity threats that occurred during the first half of 2020 as a result of the COVID-19 pandemic.


1. Cyber-Attacks Exploiting COVID-19 Pandemic

When the World Health Organization (WHO) officially announced COVID-19 as a pandemic, there was an exponential increase in the number of cyber-attacks exploiting the chaos. While many organizations and businesses were busy trying to ensure business continuity, threat groups were also busy trying to benefit from the situation. One of the most reoccurring cyber-attacks was phishing emails impersonating well-known organizations, such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).


Phishing emails impersonating real organizations or officials are difficult to recognize. This is because most people often do not know the exact email addresses of the actual organization. This makes it easy for threat groups to disguise as reputable organizations, as shown in Figure 1 and Figure 2. The actual email address of WHO is who.int, but Figure 1 shows the fake email address, who.org. Would you have spotted the difference?

Figure 1. Email and Website Disguised as WHO (World Health Organization)

Figure 2. Email Impersonating CDC (Centers for Disease Control and Prevention)


2. Smishing Attacks Exploiting the Mobile-centric Environment

Smishing, which is short for SMS phishing, and voice phishing attacks have also been widely exploited during the first half of the year 2020. Commonly, threat groups sent out phishing text messages disguised as friendly greetings during special occasions and holidays.


However, with the spread of COVID-19, phishings occured more frequently. As an increasing number of people spent their time online via smartphone, there was a significant increase in the number of online shopping transactions. To make us of this situation, threat groups started to send out text messages disguised as package delivery information or tracking URL. The text message would include a URL that would redirect the user to download an APK file, which is an Android smartphone application extension. Then the file will subsequently download the malicious app developed by the attacker.


The process begins by the attacker determining whether the URL had been accessed from the phone or PC. Once identified, the attacker continues to verify the phone number before downloading their app to confirm that the user is their intended target audience. Thus, even if the URL is exposed to a malware analyst or a security vendor, the URL of the original delivery company will open, and the APK file will be prevented from downloading. This allows the attackers to proceed with the attack on other targets without being interrupted.


As we transition into a mobile-centric world, it is critical to be aware of the recent smishing attack methods to prevent being fooled.


3. Cyber-Attacks Targeting Critical Infrastructure and Organizations

Cyber-attacks against critical infrastructures and organizations continued throughout the first two quarters of 2020. One example being targeted spear-phishing attacks toward the staff of specific critical infrastructure. The attacker tricked users into downloading and executing macro-enabled word documents to steal sensitive information from the user’s PC and perform additional attacks.


There were also cases when the attacker used phishing emails disguised as safety masks or COVID-19 status-related reports to targeted various organizations by using a Zip file. When the user decompresses the file, NanCore RAT will be downloaded to collect and send important, sensitive data to the attacker by using features, such as the keylogger. The malware is also capable of shutting down the PC remotely, recording the keyboard entry values, recording a video via the webcam, and locking the PC to prevent all use. State-sponsored hackers mostly led these types of attacks, and they were commonly targeted critical infrastructures, such as the defense industry.


What these threat groups are going after is breaking down the security system to compromise the system and overtake the infrastructure to collect and steal confidential information. Their ultimate plan is to obtain information on key technologies within the critical infrastructure to come up with a plan B, in case all things fail. A lot of these attacks are reusing the same word processor file. Thereby it is important to be always cautious of suspicious email attachments and maintain up-to-date security patches.


4. Ransomware Spreading to OT Environment

One of the most significant threats existing to this day in the IT environment is ransomware. With the advent of Operational Technology (OT) in various fields, such as Smart City and Smart Factory, ransomware started to penetrate the OT environment. Among various types of ransomware, ransomware attacks targeted towards Industrial Control Systems (ICS) was most critical. One example being the LockerGoga ransomware that attacked Europe-based manufacturing companies in 2019 by encrypting their files to stop their production line.


Five significant characteristics of LockerGoga are ▲Encrypts 30 extensions only ▲Uses secure email ▲Uses valid digital signature ▲Adjusts payment amount through negotiation ▲Collects and leaks organization’s confidential information.



Figure 3. Snake Ransomware Targeting ICS


Although the concept of ransomware has been with us for quite some time, new types of ransomware are continually emerging. Snake ransomware is one example that started receiving attention from early 2020 for targeting Industrial Control Systems (ICS). Snake ransomware is known for attacking Windows-based HMI (Human-Machine Interface) machines and data storage servers to delete Windows backup file, prevent system restoration, encrypt files, and get privilege escalation. In doing so, Snake ransomware steals the Active Directory (AD) to perform malicious actions and distribute the malware.


Ransomware has expanded its target into various fields. Thus, it is vital to construct and fortify the security for fixed-function systems, such as ICS, to prevent any operational or business discontinuity.


5. Sextortion Scams

Several sextortion scams received the attention from media in early 2020. Sextortion, also known as bodycam phishing, is a form of blackmail in which criminals use fake identities to trick people into performing sexual acts online and then threaten to release the video or photo unless the victim(s) pay. In certain parts of the world, legislations were passed to prevent certain sextortion incidents from repeating itself.


As the use of online video conferencing tools increase, so does the risk of becoming a victim of sextortion. If you do become a victim of a sextortion scam, here is what you need to keep in mind. First, keep calm and delete the email regardless of its content. Even so, if there is a lingering concern regarding the video conferencing tool or webcam, consider changing the password to your account, deleting the account, or terminating the membership. Also, be sure to immediately change the password for your other social media platforms to prevent any additional attacks.



AhnLab has discussed the top 5 cybersecurity issues that occurred in 2020 ▲Exponential increase in cybersecurity threats exploiting the COVID-19 pandemic ▲Increase in smishing attacks in mobile-centric environment ▲Malware targeting critical infrastructures ▲Ransomware spreading into the OT environment ▲Sextortion scams.


Since security threats exploit various trends and social issues, users must pay close attention to all security advisories and threat intelligence provided by the government and leading security vendors.


Source: Ahnlab

This post is available in: enEnglish