Threat Intelligence Briefing: Pandemic Fallout Strains Cybersecurity and Resilience

As the COVID-19 pandemic continues to rage, it is adding to and reshaping the cyber risks companies face, putting the very notion of cybersecurity and resilience under significant strain.

This was the stark assessment delivered during Mimecast’s Q3 2020 Threat Intelligence briefing for North America, the UK and EMEA. The cybersecurity experts presenting the Oct. 27 briefing singled out several key developments and their implications:

• In response to the coronavirus and the surge in remote computing that has come in its wake, four out of 10 businesses are accelerating their moves to the cloud.
• The work from home phenomenon spawned by COVID-19 will outlive the pandemic, with 84% of businesses indicating that they are likely to maintain work-from-home initiatives even after the health crisis subsides.
• Increased cloud adoption gives cybercriminals a larger attack surface — more ways to get in — as they seek to penetrate their targets’ networks.
• Human error, already the biggest contributor to cyber risk at most companies, has become an even bigger factor, as the sudden spike in remote work has increased the likelihood of a network misconfiguration and employees working from home are more prone to mistakes.

As the threat level rises, Mimecast experts emphasized that email remains the entry point for almost all blended attacks. “Email connects your employees to your business,” noted Thom Bailey, Sr. Director, Product/Strategy at Mimecast and one of the briefing presenters, “but it also connects them to organizational risk.”

Blended threats consist of multipronged attacks against networked computers. They use a mix of viruses, worms, trojans and other types of malicious code and are designed to propagate quickly. During the latter part of October, the Mimecast Threat Intelligence Center detected a large spike in these types of attacks of up to 10 million a day. This included:

• A 26.3% rise in spam emails and other opportunistic attacks
• A 35.6% increase in email-delivered malware
• A 55.8% leap in malicious URLs embedded in emails
• And a 30.3% jump in impersonation attempts via email

Cyberattackers Play Off the Confusion Caused by COVID-19

To disarm their intended victims, many of these attacks play off of the confusion caused by COVID-19. For example, the subject line of a recent impersonation email identified by the Threat Intelligence Center read “RE: COVID-19 Update.” The email was purportedly sent by the target company’s IT service desk, and the body of the message explained that the IT team had completed its scheduled post-COVID maintenance and that a number of applications, including a new staff directory and access to employee pay slips, were now available. Employees were then directed to click on a link to an SAP COVID-19 update page to complete their registrations.

The link opened an official-looking Outlook Web App registration page, which required users to enter their email address, username and password. This, of course, was the information that the attacker was after. A close inspection of the email would have revealed that the URL for the link was actually a bit.ly address that disguised the link’s true destination, but this was something that a harried employee, distracted by children, spouses or some other element in their home environment, could easily have overlooked.

To stampede their targets, many such emails attempt to impart a sense of urgency, explained Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast and another of the briefing presenters. Common ploys include messages that appear to come from the intended victim’s boss or CEO, and emails that arrive late on a Friday afternoon with a request to close out a particular project before quitting work for the weekend.

Attempting to take advantage of the current work landscape, ransomware attacks have also soared during the pandemic. In another type of blended threat, Addison explained that the ransomware code is often delivered using Emotet, a type of Trojan spread primarily via Word file attachments contained in phishing emails. Since July, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) reports that it has detected roughly 16,000 alerts related to Emotet activity.[i]

“Emotet is difficult to combat,” according to CISA, “because of its ‘worm-like’ features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.”

Defending Against Emotet

To deter Emotet and similar email-borne attacks, CISA recommends adhering to a series of best practices that include:

• Scanning for and removing suspicious email attachments, along with ensuring that any attachment is its "true file type" and that the file extension matches the file header.
• Blocking email attachments commonly associated with malware, such as .dll and .exe files.
• Blocking email attachments that try to circumvent malware detection, such as .zip files. Or confirming that your email security system can handle .zip files.
• Implementing an antivirus program and a formal patch management process.
• Using filters at the email gateway and blocking suspicious IP addresses or web domains.
• Implementing a Domain-Based Message Authentication, Reporting & Conformance (DMARC) enforcement.
• Disabling file and printer sharing services, or — if these services are required — using strong passwords or Active Directory authentication.
• Enforcing multifactor authentication.
• Monitoring users' web browsing habits and restricting access to suspicious or risky sites.
• Limiting employees’ access to information that isn’t expressly required to perform their duties.

During the threat briefing, the Mimecast experts urged security staff to reconsider their risk assessments and adopt practices similar to those recommended by CISA. In addition, Mimecast’s Bailey observed that security personnel will often concentrate their efforts on protecting members of the company’s executive staff, who typically have greater access to critical information. In reality, however, attackers frequently go after junior employees, who are less experienced and can be duped more easily into surrendering their network credentials. To offset this, Bailey suggested that companies provide all of their employees with regular cybersecurity awareness training as an additional best practice.

The Bottom Line

COVID-19 and the spread of work from home has led to greater reliance on email and the web — but this has also resulted in new waves of email-based cyberattacks. To counter these, companies need to reconsider their relatedsecurity measures and provide their entire employee population with cybersecurity awareness training on an

[i] “Alert (AA20-280A) Emotet Malware,” Cybersecurity & Infrastructure Security Agency