COVID-19, Telecommuting and Threat Intelligence

How threat actors are abusing the global pandemic

In response to the COVID-19 pandemic, organisations around the world decided to adopt telecommuting. With communication increasing because of work-from-home policies, threat actors are taking advantage and are even using the novel coronavirus as a lure to mount attacks. There is increasing evidence that cybercriminals are using concerns over the virus to prey on individuals, and that working outside the secure office environment opens the door to more cyber vulnerabilities.
In this blog post, we discuss some of the vulnerabilities exploited as a result of telecommuting and how threat intelligence can help mitigate the risks.

In cybersecurity, the ability to predict future attacks even before they reach targeted networks can help organisations prioritise their responses, speeding up the decision-making process as well as response time, providing better security altogether.

The concept of intelligence is nothing new. It has been used throughout history and in many different industries: we see it in OSINT, espionage and even market research, among others.
Threat intelligence is the collection and analysis of information about indicators of past, current, and future cyber threats, which enables organisations to take action to protect their assets, their networks, and the organisation as a whole.

What is OSINT?
OSINT stands for Open Source Intelligence: information collected from publicly available sources. The Internet is the most common such source, but the term is not limited to it and covers all publicly available sources. The "Open Source" in OSINT means any publicly available source from which a user can obtain information for their intelligence collection. It is not related to the well-known Open Source movement, which would more accurately have been named "Open Source Code", since there the term means software or products released with permission to use their source code, design documents, or content.

At the Secure 5G4IoT Lab (a collaboration between Oslo Metropolitan University (OsloMet), Telenor, and Wolffia), we are developing unique technology to collect and analyse large amounts of data in order to deliver relevant cyber threat insights in real time. We aggregate this intelligence with other threat data feeds, internal or external, to build a proactive defence against emerging threats.

While it is possible for employees to log in to the various intranets and email systems from their homes, doing so creates significant additional risks that their communications can be intercepted. The key here is that telecommuting provides threat actors new access points to communications. It is far easier to observe, intercept, or otherwise engage with protected communications when one party involved is away from the workplace and must use the Internet to access the intranet from her or his home. So even when the endpoint of the intranet is secured from intrusion and constantly monitored by security teams, the data stream being transmitted across the home Internet access is vulnerable.

Threat actors are using concerns about the COVID-19 virus to push out spam, and they are rapidly evolving how they use the coronavirus theme in their attacks. In many cases, malicious emails target those working remotely with the intention of stealing passwords or other critical information, and the email lures change too quickly for email filters to keep up. As a result, many reach user inboxes.

Since January 2020, more than 5,000 coronavirus-themed web domains have popped up, an estimated 5 percent of which are suspicious and 3 percent malicious. These websites are likely to be used as part of email campaigns that lure victims into clicking dangerous links. Another big vulnerability is threat actors accessing sensitive data through home Wi-Fi networks.

What is MalSpam?
Malware Spam or MalSpam is the term used to designate malware that is delivered via malicious email messages. While regular spam is simply any unsolicited email, malspam contains infected attachments, phishing messages, or malicious URLs. It can also deliver a myriad of malware types, including ransomware, Trojans, bots, info-stealers, crypto-miners, spyware, and keyloggers. Although the first instance of a piece of malware being delivered by spam is unknown, the 1999 Melissa mass-mailing virus is recognised to be the first malware widely distributed by email.

A malspam campaign against an organisation can distribute a multi-stage infection to several target users’ endpoints. The infection chain in the attack is highly modular and the final payload can consist of a variety of remote access trojans (RATs) such as Agent Tesla, njRAT or Nanocore RAT. The attackers utilise publicly available infrastructure like Bitly, Blogspot, Pastebin, etc. (spreading over a number of accounts) to direct and host their attack components.

What is Threat Detection?
Threat Detection is the practice of analysing the whole security ecosystem of an organisation to identify any suspicious activity that could compromise the organisation’s network. If a threat is detected, then mitigation efforts must be enacted to neutralise it before it can exploit any present vulnerabilities.

This is just one example of the kind of attack that can be mounted against organisations, with or without the COVID-19 theme. It is why most security teams are actively looking for both known and unknown threats in their organisation's environment.

Leveraging threat intelligence, security teams can automate the update process of the Security Information and Event Management (SIEM) system, antivirus, Intrusion Detection System (IDS), email filtering mechanisms, web proxies, etc. Threat intelligence can improve detection and response, helping security teams make better decisions faster to cope with a rapidly shifting threat landscape.
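As an added example (not code from the original post or from the Secure 5G4IoT Lab), the following Python sketch shows the kind of automation the paragraph describes: a constructed indicator feed and the coronavirus-lure heuristic discussed earlier in the post are applied to constructed proxy log lines, and confirmed-malicious hosts are turned into a blocklist that an email filter or web proxy could consume. All domain names, log lines and feed verdicts are constructed placeholders.

```python
import re

# Constructed threat-intel feed (placeholder domains, not real indicators):
# domain -> verdict, as a SIEM/proxy update job would pull from a feed.
INTEL_FEED = {
    "covid19-relief-update.example": "malicious",
    "corona-map-live.example": "suspicious",
}

# Keywords for the coronavirus-themed lure domains the post describes.
LURE_KEYWORDS = ("covid", "corona", "pandemic")

# Constructed proxy log format: "<timestamp> <user> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) https?://(?P<host>[^/\s:]+)\S*")


def classify_domain(domain):
    """Return (verdict, reason). Feed matches (exact or parent domain) take
    precedence over the keyword heuristic, which only flags hosts for review."""
    parts = domain.lower().strip(".").split(".")
    for i in range(len(parts) - 1):          # walk up: www.a.b -> a.b
        candidate = ".".join(parts[i:])
        if candidate in INTEL_FEED:
            return INTEL_FEED[candidate], "feed:" + candidate
    if any(key in domain.lower() for key in LURE_KEYWORDS):
        return "review", "lure-keyword"
    return "clean", ""


def scan_proxy_log(lines):
    """Return (user, host, verdict, reason) for every non-clean request;
    malformed lines are skipped rather than crashing the job."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        verdict, reason = classify_domain(match["host"])
        if verdict != "clean":
            alerts.append((match["user"], match["host"], verdict, reason))
    return alerts


def blocklist_from(alerts):
    """Hosts with a confirmed-malicious verdict, ready to push to a filter."""
    return {host for _, host, verdict, _ in alerts if verdict == "malicious"}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-03-20T09:12:01Z alice http://intranet.example/login",
    "2020-03-20T09:15:44Z bob http://www.covid19-relief-update.example/form",
    "2020-03-20T09:17:03Z carol https://corona-virus-tracker.example/map",
    "2020-03-20T09:20:10Z dave https://corona-map-live.example/",
    "garbled line with no url",
]
```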

CONCLUSION

It is important for an organisation to have a solid technology infrastructure in place to support a high level and high volume of connectivity, so that employees can work from their homes while maintaining established record-keeping and security requirements. There are ways to guard against the risks, but unfortunately only imperfectly. All technical systems, no matter how robust, must always be complemented by educational efforts and awareness training for users.

We are a dedicated consortium of more than 50 partners whose purpose is to lead the boosting of Europe's cybersecurity future. If you are interested in cybersecurity, make sure that you follow us on our communication channels, because we will lead its future.

(By OsloMet)