As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
On May 4, a new report released by Palo Alto Networks underscored the seriousness of these threats. Palo Alto reviewers searched for domain names using the keywords “coronav, covid, ncov, pandemic, vaccine and virus,” and found approximately 1.2 million new domain names that have been registered in the past few months. On average, 1,761 new malicious or high-risk COVID-19-related domains were created daily, with the United States hosting the vast majority of them. According to the report, 86,607 of those domain names were deemed high-risk or malicious. Of those names, 2,829 were hosted in public cloud applications, which allows attackers to leverage cloud resources to avoid detection and amplify attacks. With the recent surge in reliance on cloud applications by businesses and individuals operating remotely, these threats leave end users and the applications themselves highly exposed to exploitation by malicious actors.
Similarly, on May 5, the United States Department of Homeland Security (“DHS”), the Cybersecurity and Infrastructure Security Agency (“CISA”), and the United Kingdom’s National Cyber Security Centre (“NCSC”) released an updated joint alert underscoring these risks. The announcement, AA20-126A: APT Groups Target Healthcare and Essential Services, builds on the first such joint warning by CISA and NCSC in early April, which sounded the alarm on opportunistic COVID-19 security threats. Tuesday’s announcement reiterated the danger of new domain names, phishing, malware distributions, and attacks on new, quickly deployed remote access infrastructure. Healthcare entities and organizations, pharmaceutical companies, medical research groups, governments, and academia remain at heightened risk because of their highly sought stores of personal information and sensitive coronavirus-related data, intellectual property, and state-interested intelligence information. According to the alert, malicious actors are increasingly exploiting complex global supply chains, where security weaknesses in one place can be an entry point to access more highly protected targets. They also use vast, brute-force “password spraying campaigns,” which, according to the FBI, give malicious actors access to entire IT systems and clouds with less risk of detection.
These tactics, like the pandemic itself, are rapidly evolving. Businesses, organizations, and individuals should continue to be vigilant and take preventative security measures wherever possible. We will continue to monitor coronavirus-related cybersecurity threats.