During the third week of March, when COVID-19 was first forcing states to issue stay-at-home orders, reporter Lawrence Abrams from Bleeping Computer reached out to several ransomware groups and asked whether they would refrain from attacking healthcare systems during the pandemic. The fear was that these groups, which extort money from companies by infiltrating and encrypting their computer systems, effectively locking people out, would take advantage of the situation to levy cyber threats and attacks against hospitals and medical research facilities just when they were most overwhelmed — and therefore most likely to pay.
A few of the organizations responded. The group behind Maze ransomware said that it would “stop all activity versus all kinds of medical organizations until the stabilization of the situation,” while another assured Abrams that “we are not enemies of humanity … our goal is money, not harm.”
Despite promises from a few ransomware organizations, Interpol’s cybercrime team reported “a significant increase” in attacks targeting “key organizations and infrastructure” fighting the pandemic.
Unfortunately, there are plenty of cybercriminal organizations willing to take their place. Despite promises from a few ransomware organizations, Interpol’s cybercrime team reported “a significant increase” in attacks targeting “key organizations and infrastructure” fighting the pandemic, including COVID-19 phishing emails.
One case Interpol intercepted in April involved an order for 10 million face masks that health authorities in Germany paid for that never materialized, which the perpetrators pulled off using compromised emails and a fake website for a medical supply company.
Taking advantage of current events is standard cybercriminal operating procedure. Many cyberattacks require some type of action from the victim — such as clicking on a link in a phishing email or on a malicious website. Like marketers, cybercriminals scale up engagement by associating an attack with something a lot of people will be interested in, increasing the number of people who will ultimately click on it.
A global pandemic presents the perfect opportunity, because people are anxious for information about what is going on and how they should be preparing. At the same time, well-meaning individuals and organizations have spun up new websites to map the spread of COVID-19, to chart changing statistics about testing and death rates, to consolidate information about helpful resources, and to direct customer traffic toward struggling restaurants and businesses.
These sites were shared widely by news organizations and over social media. Because most of these websites were brand new, it was easy for attackers to spin up similar, malicious ones and direct traffic there instead.
Those in the cybersecurity community could see the threat coming, and some started to form volunteer groups to try and prevent the attacks. One group that formed, the COVID-19 Cyber Threat Coalition (CTC), consists of a global team of volunteers, many with experience in the cybersecurity industry.
A global pandemic presents the perfect opportunity, because people are anxious for information about what is going on and how they should be preparing.
Over the course of March, the coalition saw a large number of domain registrations related to COVID-19. This in itself is not necessarily a bad thing, since well-intentioned groups were also launching new sites, but the CTC determined that, out of these thousands of new domains, the majority were malicious sites.
As the pandemic stretched on, both the public’s attention and the hackers’ methods shifted. Instead of general news about the pandemic or health tips from the World Health Organization, online searches relating to COVID-19 now are more likely to be about where to buy personal protective equipment, when businesses are opening up and where to find news about stimulus packages. Over the past few months, domain registrations relating to COVID-19 have fallen, and volunteers within the CTC have been speculating on what kinds of attacks could be next.
“One of the most important things to know about phishing at any time — inside or outside the COVID-19 situation — [is that] they are going to capitalize on our fear,” said Nick Espinosa, who works in cybersecurity and heads public relations for the CTC. “As the media shifts the attention, as the next thing that is going to anger or frustrate or panic a population, that is what they’re going to capitalize on.”
One of the main ways the CTC has been trying to help is by publishing its blocklist — a list of URLs that the coalition has determined belong to malicious actors. The coalition receives 100 million indicators of compromise every day from different security feeds, which it consolidates and filters for COVID-19-related indicators. The COVID-19-related indicators that are malicious get added to the list, which is free for other organizations to make use of.
“A lot of companies will have some kind of threat detection system, whether it’s a firewall, antivirus, or a web filter,” Espinosa said. “You can program your firewall, for example, to say, ‘I’ve got a filter of known bad websites.’ Now they can also go and grab our list as well.”
More on CybersecurityInside the World of Bug Bounty Hunters
So far the coalition has been seeing a good amount of web traffic to the block list, indicating that other organizations are seeing the list and referencing it. Both the Cleveland Clinic and Denver Health are making use of it.
The blocklist is also being ingested by the Cyber Threat Alliance (CTA), an organization made up of prominent companies in cybersecurity, such as McAfee, Rapid7 and Cisco. Because the CTA is using the blocklist, all customers of companies within the CTA are also getting the benefit.
“The major threat detection systems out there now get our intelligence in real time,” Espinosa said. “So if you’re running that Palo Alto Networks firewall, for example — as they’re updating their URL filtering, our list is being adopted into that.”
“You can program your firewall, for example, to say, ‘I’ve got a filter of known bad websites.’ Now they can also go and grab our list as well.”
Another focus for the CTC is knowledge sharing and educating the public. The coalition keeps a blog where it publishes detailed weekly threat advisories with COVID-19-related cybersecurity statistics. In addition, the coalition puts out cybersecurity best practice tips that everyone is encouraged to use, “so that anybody from grandma in Idaho to a corporation has a list of cybersecurity tips and tactics to make themselves more secure, such as getting a better virus scanner, enabling two-factor authentication, basic things like that,” Espinosa said.
The CTC also has a YouTube channel where it posts recordings of CTC town halls and interviews with organizations that share their expertise and discuss how COVID-19 cybersecurity concerns have affected their normal operations. Their guests include security experts such as the CTA, but also people working on the front lines of the pandemic, such as the director of cybersecurity at the Cleveland Clinic.
The CTC collaborates over Slack and currently consists of 4,000 volunteers from different countries. Of those on Slack, a few hundred have been vetted to work on various teams in the coalition, such as the security advisory team or the media team.
“What makes us unique is that we have cybersecurity professionals, but they’re not just from cybersecurity companies,” Espinosa said. “One of the individuals running our indicators-of-compromise team is from a massive apparel company. They’re always under attack — you’d never think about a shoe and clothing outfit being under attack, but they have their own cyber team.”
The coalition has found that, when it comes to companies not traditionally associated with cybersecurity, “they’ve got a lot to contribute as well — probably in a different way than a firewall maker would,” Espinosa said. “That is going to be a real lesson for my industry going forward.”
“There are organizations out there, at least in cybersecurity, that have historically created their own ecosystems,” Espinosa said. “If we’ve got different pockets of cybersecurity all detecting something and not sharing it with the others, that’s a huge miss.”
The coalition is entirely volunteer run, and has to deal with some of the same issues as any organization that operates across a variety of countries and time zones. Coordinating meetings can be a challenge, and sometimes the team has to scramble to find members who can fill a specific need, such as finding a French-speaking team member who is comfortable conducting interviews with French media. But for those involved, it’s a labor of love.
“If we’ve got different pockets of cybersecurity all detecting something and not sharing it with the others, that’s a huge miss.”
“There’s a group of us on the steering committee that basically have dedicated ourselves to making this our second full-time jobs,” Espinosa said. “I’ve been in cybersecurity since 1998, and this is probably one of the coolest and most gratifying things I’ve ever done in my career. Everybody here is passionate about this, they are taking time from their regular lives to focus on this issue and actually execute on it. We’re actually getting these indicators of compromise, we’re actually putting out fires, we’re actually doing interviews — I’m going to look back when I retire at some point, and this is going to be one of the highlights of my career.”
For now, the coalition is looking for more volunteers.
“The most desperate need that we have is for graphic designers,” Espinosa said. “Typically when we are attracting people they’re usually of the cybersecurity ilk. But we need everybody, even if they don’t have a cybersecurity background. If they code, we need people like that — our website needs people to maintain it. Same with graphic designers. If anybody is willing to volunteer, even if it’s just to spread the word, we need everybody to help get out the word or help maintain the engine that we’ve built.”
More on SecurityWhat You Need to Know About Differential Privacy