The pandemic has changed business and workplace dynamics, and bad actors are using these changes to pursue new avenues of attack.

Key Points:

  • Cybergangs are playing off of the anxiety and confusion surrounding COVID-19 to launch more insidious threats.
  • Attack surfaces are expanding as businesses accelerate the move to the cloud during the pandemic.
  • To better inoculate themselves against these attacks, companies need a response plan, software protections and ongoing cybersecurity awareness training.

Cybercriminals are an opportunistic bunch. They’re constantly looking for new and more nefarious ways to exploit weaknesses in enterprise security. As COVID-19 wends on, spawning new waves of anxiety and confusion in its wake, bad actors are fishing in these troubled waters.

During the past few months, instances of ransomware, payment fraud, corporate espionage, intellectual property theft and disinformation campaigns have all been surging.[1] These assaults are coming on two fronts: cybergangs are sending out highly targeted emails that take advantage of pandemic-related confusion, as they simultaneously exploit new infrastructure vulnerabilities due to the recent rush to remote work.[2]

COVID, Remote Work and Cloud Adoption Have Increased Vulnerabilities

“While email and clouds are the lifeblood of the remote worker, they also extend the notion of organizational risk,” observes Thom Bailey, head of global product marketing for Mimecast. Increased cloud adoption due to the pandemic, he notes, has given cybercriminals a larger attack surface. Compounding this, the sudden influx of infrastructure changes has intensified the pressure on corporate IT, increasing the risk of network misconfigurations.

The fallout has been significant. During the third quarter of 2020, Mimecast found that the use of malicious URLs is up by nearly 60%; instances of malware have spiked by 36%; impersonation attacks have risen by 30% and spam has increased by 26%, with the vast majority of these attacks occurring via email.[3]

Although remote work and the shift to the cloud aren’t anything new, during its October 2020 Global Cyber Threat Intelligence Quarterly Briefing, Mimecast reported that 40% of organizations throughout North America and EMEA have accelerated their cloud migration initiatives in response to the pandemic. Moreover, 84% of businesses plan to maintain their COVID-related work from home initiatives even after the pandemic ends.

Aware of this, bad actors have concentrated on exploiting companies’ telework infrastructure, including known vulnerabilities in VPNs and in Microsoft’s Remote Desktop Protocol (RDP).[4] They’re also targeting the weakest link in this chain: the users.

“People working from home can be distracted,” says Bailey, “and they sometimes cut corners when it comes to cybersecurity.” It may be easier for them to check their work-related emails from the kitchen, using their personal iPad, for example, rather than going upstairs to their home office so they can read them on their company-issued laptop.

Taking advantage of this, malefactors are making greater use of blended threats. While email is typically the starting point for these attacks, they use familiar resources such as LinkedIn, Dropbox, Word and Google Docs to disseminate hidden snippets of malicious code.

Bad Actors Thriving on Fear, Uncertainty and Chaos

Bad actors rely on techniques that catch the eye of their intended targets and prey upon their anxieties about COVID and related political events.

For cybercriminals, “The current geopolitical landscape has delivered a rich array of opportunities,” explains Philip Hay, Head of TI Analysis at Mimecast. “These include COVID, the U.S. presidential election, Brexit, economic issues, government policy changes and more. These create uncertainty that the threat actor is looking to exploit.”

For instance, a recent malicious email purported to offer valuable insider information about President Trump’s condition after he was infected by the coronavirus. A link led to a Google Docs page, which included a second link to download a Java file. An Emotet Trojan was embedded within the file, and once downloaded it began searching for passwords stored in the target’s web browser. It also downloaded another piece of malware that searches out banking credentials.

Impersonation and COVID-related Phishing Attacks

Other COVID-related phishing attacks rely on impersonation. They try to make it appear as if the email originated with a Microsoft team member, a healthcare authority or even the CEO of the intended victim’s company.[5] They might also use subject lines that play on the recipient’s curiosity. Here are some recent examples:

  • Message from the Centers for Disease Control and Prevention
  • Coronavirus (2019 nCoV) Safety Measures from the World Health Organization
  • Important Changes to Corporate Policy in Regard to COVID-19
  • Click here for Coronavirus-related information
  • COVID 19 Preparation Guidance
  • Covid-19 in your area? Please confirm your information
  • COVID-19 Virus Tracker

“Since these messages appear to be from someone the target knows or another trusted source, it increases the odds that the attack will work,” notes Kiri Addison, Head of Data Science at Mimecast. To pressure the victim into responding quickly, she adds, some emails will include an urgent work-related request and arrive late on Friday, just before the start of the weekend.
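The three signals described above (a trusted name in the From line, a pandemic-themed subject, an urgent request arriving late on Friday) can be combined into a simple triage score. This is an added example, not Mimecast's detection logic; the allow-list, weights, 15:00 cutoff and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed allow-list: claimed identity -> domains allowed to use that name.
TRUSTED = {
    "centers for disease control": {"cdc.gov"},
    "world health organization": {"who.int"},
    "microsoft": {"microsoft.com"},
}
LURE = re.compile(r"covid|coronavirus|ncov", re.I)
URGENT = re.compile(r"\b(urgent|immediately|asap|confirm your)\b", re.I)

def score_message(raw):
    """Score one raw RFC 5322 message; returns (score, reasons)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    score, reasons = 0, []
    for claim, allowed in TRUSTED.items():
        ok = any(domain == d or domain.endswith("." + d) for d in allowed)
        if claim in name.lower() and not ok:
            score += 2  # display-name impersonation: strongest signal here
            reasons.append(f"name claims '{claim}', domain is '{domain}'")
    if LURE.search(subject):
        score += 1
        reasons.append("pandemic-themed subject")
    try:
        # Date is sender-controlled; production code would use receipt time.
        sent = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        sent = None
    if sent and sent.weekday() == 4 and sent.hour >= 15 \
            and URGENT.search(subject + "\n" + body):
        score += 1
        reasons.append("urgent request sent late on a Friday")
    return score, reasons

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Centers for Disease Control and Prevention" '
           '<alerts@cdc-notice.example>\n'
           'Subject: Covid-19 in your area? Please confirm your information\n'
           'Date: Fri, 06 Nov 2020 17:42:00 -0500\n\n'
           'Urgent: confirm your information before the weekend.\n')
LEGIT = ('From: "Centers for Disease Control and Prevention" <news@cdc.gov>\n'
         'Subject: COVID 19 Preparation Guidance\n'
         'Date: Tue, 03 Nov 2020 10:00:00 -0500\n\nWeekly summary.\n')
```

A pandemic-themed subject alone scores low, as the second sample shows; it is the mismatch between the claimed sender and the sending domain that pushes a message toward review.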

To better shield against these attacks, Addison suggests that companies begin by surveying the cybersecurity tools, policies and protections they currently have in place and conducting a detailed gap analysis. Other safeguards include the use of multi-layered security software, updating systems routinely with the latest security patches, mandating the company-wide use of multi-factor authentication, performing regular backups, putting a clear-cut and definitive response plan in place, and conducting ongoing employee education and training. This last step may be the most important, she says, “because once employees become savvy about phishing emails, they don’t click on them.”

The Bottom Line

Cybercriminals are taking advantage of COVID-19, the sudden surge in work from home and current political events to lure their targets into clicking on email links that download Emotet and other malware. This calls for greater preparedness on the part of companies, including response plans, software protections and cybersecurity awareness training.

[1] “COVID-19 Exploited by Malicious Cyber Actors,” Cybersecurity and Infrastructure Security Agency, UK.

[2] “Threat Intelligence Briefing: Pandemic Fallout Strains Cybersecurity and Resilience,” Mimecast.

[3] “Global Cyber Threat Intelligence Quarterly Briefing - October 27, 2020,” Mimecast.

[4] “COVID-19 Exploited by Malicious Cyber Actors,” Cybersecurity and Infrastructure Security Agency, UK.

[5] “Phishing Campaigns Mimic Microsoft Teams, HHS COVID-19 Vaccine Tracker,” Health IT Security.
