As the COVID-19 pandemic escalates globally, businesses are facing another kind of outbreak – a rise in COVID-19-related cyber security attacks. In the past week, there have been multiple reports of hospitals, governments and businesses falling victim to cyber security attacks, often in the form of malicious pandemic-themed emails. These attacks, combined with the added pressures of workforces navigating this new era of working from home, increase the risk that businesses might fall prey to malicious activity and damage.
In this article we outline the attack vectors used by hackers to gain unauthorised access and offer best practice guidance to protect against these new threats.
Phishing and malware attacks
Globally, there has been a significant increase in COVID-19-related business email compromise (BEC), credential phishing, malware, and spam email campaigns as hackers leverage vulnerabilities created by the pandemic, particularly as businesses and government organisations switch to working remotely.
In Australia, the most popular attacks have involved credential phishing via emails and text messages which:
- imitate a government or health authority such as WHO, including by using government insignia and trade marks;
- offer advice and information on COVID-19 testing or other measures being taken in response to the outbreak; and
- contain a link or attached document embedded with malware.
Reported credential phishing titles include “INSIGHTS ON CORONAVIRUS”, “Latest corona-virus updates” and “UNICEF COVID-19 TIPS APP”.
Hackers have also been targeting organisations by sending out ‘companywide’ emails which purport to confirm that certain staff members have developed COVID-19. When the recipient clicks on the link or opens the attachment, they may be asked to enter credentials, which the attacker then uses to gain access to a computer or network (to distribute more malicious software, or to steal personal information), or malware may be installed on the user’s system. Such malware may take remote control of the computer or harvest personal information such as banking details from the device.
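The three lure traits listed above (an imitated authority, a pandemic-themed subject, and a link or attachment) can be checked mechanically at a mail gateway. The following Python sketch is an added example, not part of the original article; the authority-to-domain map, the verdict labels and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: authorities named in the article mapped to their real sending domains.
AUTHORITY_DOMAINS = {"who": "who.int", "world health organization": "who.int",
                     "unicef": "unicef.org"}
THEME = re.compile(r"covid|corona[\s-]?virus", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
VERDICTS = {3: "quarantine", 2: "review"}  # hypothetical labels; lower scores are delivered

# Constructed sample messages (not real mail).
SAMPLE_LURE = (
    'From: "World Health Organization" <updates@who-advice.example>\n'
    "Subject: Latest corona-virus updates\n"
    "Content-Type: text/plain\n\n"
    "Read the new guidance: http://who-advice.example/login\n"
)
SAMPLE_BENIGN = (
    "From: WHO Media <media@who.int>\n"
    "Subject: COVID-19 situation report\n"
    "Content-Type: text/plain\n\n"
    "The weekly report is on the intranet.\n"
)


def triage(raw: str) -> dict:
    """Score one RFC 5322 message against the three lure traits."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Trait 1: the display name claims an authority, but the sender is not on its domain.
    claimed = [d for name, d in AUTHORITY_DOMAINS.items()
               if re.search(rf"\b{re.escape(name)}\b", display, re.I)]
    impersonation = any(not (domain == d or domain.endswith("." + d)) for d in claimed)
    # Trait 2: pandemic theme in the subject line.
    themed = bool(THEME.search(str(msg.get("Subject", ""))))
    # Trait 3: a link in the body or any attached file.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    payload = bool(URL.search(text)) or any(True for _ in msg.iter_attachments())
    score = impersonation + themed + payload
    return {"impersonation": impersonation, "themed": themed, "payload": payload,
            "score": score, "verdict": VERDICTS.get(score, "deliver")}


if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage(sample))
```

A display-name check like this complements, rather than replaces, SPF, DKIM and DMARC enforcement, which validate the sending domain itself.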
Ransomware and DDoS attacks
The pandemic has seen an increase in targeted ransomware attacks on hospitals, health service providers, manufacturers and pharmaceutical companies.
Whilst there have been no reported attacks on healthcare providers in Australia, there have been attacks in the US and Europe which have caused difficulties in treating and distributing information about COVID-19 to patients.
On 10 March 2020, the Public Health Department of Illinois suffered a NetWalker ransomware attack which encrypted the organisation’s network and demanded payment for its release. It is not clear whether sensitive patient data was accessed in the attack.
The intention behind these targeted attacks is not just financial – hackers may unleash attacks to disrupt the provision of essential services and cause chaos within critical infrastructure. In a hospital, this can naturally have a devastating effect at any time, not just during a pandemic. After suffering a suspected ransomware attack, Brno University Hospital in the Czech Republic (one of the largest COVID-19 testing facilities in the country) was forced to suspend surgeries and relocate patients to other hospitals. According to reports from the hospital director, the hospital has not been able to completely restore its systems and is unable to store and share data electronically. The source of the attack remains unclear.
In addition, the United States Department of Health and Human Services was reported to have suffered a DDoS (Distributed Denial of Service) attack on 15 March 2020. The DDoS attack was reported to have originated from a foreign actor and, although it did not force the Department’s website offline, it did slow its operation.
As employees have switched to working remotely, there has been an increase in attacks attempting to leverage vulnerabilities in Adobe software and in SMBv3 (version 3 of Microsoft’s Server Message Block protocol), as well as fake Android applications available to download that claim to offer information on COVID-19. These applications may allow hackers to encrypt devices and hold them to ransom, or to gather personal information about the user which can be used for malicious purposes.
Cyber hygiene tips
Whilst the cyber health of an organisation may not be the main focus during these difficult economic conditions, businesses should perform a cyber audit to ensure the following steps are implemented:
- consider whether employee access to files and networks can be limited and implement restrictions;
- instruct employees to use secured home Wi-Fi (not public Wi-Fi), approved secured network storage and cloud services, company devices and company email accounts (not personal email accounts, particularly when handling personal information);
- implement VPN and multi-factor authentication for remote access systems and resources, including cloud services;
- ensure all devices, networks, firewalls and software have the necessary updates and security patches, and that all employees have patched their devices;
- require regular password changes; and
- continue cyber security training, particularly staff education regarding COVID-19 email and text attacks.
It is important that all cyber incident response plans are reviewed to ensure they reflect remote working. For example, contact details of key personnel who have responsibilities in the event of a cyber-attack may need to be updated to reflect remote working arrangements. Key personnel should also ensure they have a hard copy of the incident response plan at their home in the event of an attack.
Authors: Natalie Zwar and Rebecca Dunn