Attackers shift their focus to where coronavirus infections are rising and use tactics that make their efforts hard to block.

Attackers continue to exploit people’s fears about the COVID-19 pandemic to increase the success rate of their malicious campaigns, including in the enterprise space. New research from security companies shows that cybercriminals are focusing their attacks on countries and regions that were hit hardest by the coronavirus and on industry verticals that are under major economic pressure.

With many employees now working from home, often from personal devices, the risk of malware infections and credential compromises is significantly higher. Companies should take steps to ensure that remote access to their corporate applications and data is carefully monitored, follows least privilege principles and is done from secure devices using multi-factor authentication (MFA).

A surge in COVID-19-related domains

According to a new report from Palo Alto Networks, over 1.2 million domain names containing keywords related to the COVID-19 pandemic were registered between March 9 and April 26. Of those, more than 86,600 were classified as risky or malicious, with high concentrations hosted in the United States (29,007), Italy (2,877), Germany (2,564) and Russia (2,456). On average, 1,767 new malicious COVID-19-themed domains are being created every day.

“During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains,” the Palo Alto researchers said. “This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective.”

CDNs reduce latency and improve website performance by directing website visitors to their nearest regional edge server. Those edge servers deliver cached versions of the sites, which takes the load off their origin servers.
Attackers can take advantage of this performance-enhancing behavior for cover, hiding their malicious websites among legitimate ones and making it harder for defenders to block them. That’s because blacklisting the IP address of a CDN edge server in a firewall will also block non-malicious domain names that point to the same server.

Another consequence of using CDNs and cloud-based hosting services is that domain names are configured with multiple DNS A records that point to several IP addresses. This is done for redundancy but also to direct computers to the nearest server when they perform DNS lookups. This, too, makes it hard to block malicious websites by IP address, since they can resolve to different addresses depending on the client’s geolocation.

“A blacklisted IP in a layer 3 firewall may fail to block the traffic to/from a malicious domain while unintentionally making many other benign domains unreachable,” the Palo Alto researchers said. “A more intelligent layer 7 firewall is necessary to inspect the domain names in the application layer and selectively pass or block sessions.”

The company’s data shows that 2,829 malicious COVID-19 domains were hosted in public clouds, or around 5% of the total. This number is relatively low, which could be because cloud providers have more rigorous screening, but it does show that some attackers are willing to take that risk for a better chance of not being blocked by corporate firewalls.

Cyberattacks follow the coronavirus infection trend

Security firm Bitdefender analyzed the evolution of coronavirus-themed threats throughout March and April and, based on its telemetry, found that attackers tend to focus their campaigns on countries and regions that were hit hardest by the virus.

“Countries that have the largest number of coronavirus-themed reports seem to have also been those hit hardest by the pandemic,” the company said in its report.
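To make the layer 3 versus layer 7 point concrete, here is an added example (not from the article or from Palo Alto Networks) that models the many-to-many domain-to-IP mapping with constructed, placeholder data. It shows which benign domains an IP blocklist would take down as collateral damage, which malicious domains would still slip through via an A record the blocklist never saw, and how a name-based (layer 7) decision on the SNI or Host header avoids both problems.

```python
"""Added example: collateral damage and evasion of IP-based blocking on shared CDN IPs.

All domains and addresses below are constructed placeholders (RFC 5737 ranges),
not real indicators from the article.
"""

# Constructed DNS resolutions: domain -> the full set of A records it can return.
RESOLUTIONS = {
    "covid19-relief-update.example": {"203.0.113.10", "203.0.113.11"},
    "corona-tracker-login.example": {"203.0.113.11", "198.51.100.7"},
    "city-library.example": {"203.0.113.10"},                  # benign, shares an edge IP
    "local-bakery.example": {"203.0.113.11", "203.0.113.12"},  # benign, shares an edge IP
    "standalone-shop.example": {"192.0.2.44"},                 # benign, dedicated IP
}
MALICIOUS = {"covid19-relief-update.example", "corona-tracker-login.example"}

# What an analyst actually observed: one geo-dependent answer per malicious domain.
OBSERVED = {
    "covid19-relief-update.example": "203.0.113.10",
    "corona-tracker-login.example": "198.51.100.7",
}


def observed_ip_blocklist(observed):
    """Layer 3 approach: block the IPs the malicious domains were seen resolving to."""
    return set(observed.values())


def collateral_damage(resolutions, malicious, blocked):
    """Benign domains that become unreachable because they share a blocked IP."""
    return sorted(d for d, ips in resolutions.items()
                  if d not in malicious and ips & blocked)


def evades_ip_block(resolutions, malicious, blocked):
    """Malicious domains that keep an A record the blocklist never saw
    (a client steered to that record by the CDN is not blocked)."""
    return sorted(d for d in malicious if resolutions[d] - blocked)


def layer7_decision(server_name, malicious):
    """Layer 7 approach: decide on the domain name carried in TLS SNI or the
    HTTP Host header, independent of which shared IP the session uses."""
    return "block" if server_name.lower().rstrip(".") in malicious else "allow"


if __name__ == "__main__":
    blocked = observed_ip_blocklist(OBSERVED)
    print("IP blocklist:", sorted(blocked))
    print("benign domains broken:", collateral_damage(RESOLUTIONS, MALICIOUS, blocked))
    print("malicious domains still reachable:", evades_ip_block(RESOLUTIONS, MALICIOUS, blocked))
    for name in ("city-library.example", "corona-tracker-login.example"):
        print(name, "->", layer7_decision(name, MALICIOUS))
```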
“For example, the top countries that reported the largest number of themed-malware reports include the United States, Italy and the United Kingdom.”

When it comes to the most targeted industry verticals, attackers appear to focus on sectors that were heavily impacted by the pandemic or are trying to cope with a higher demand and a shortage of workers. During April, the most targeted verticals were retail, transportation, manufacturing, education and research, government, financial services, engineering, technology, chemicals, and food and beverages. The reason healthcare is not in the top 10 could be that the healthcare industry does not have as many players, and therefore targets, as the other sectors.

“Since this telemetry is strictly based on coronavirus-themed reports, it doesn’t exclude the possibility that healthcare and other verticals may have seen an increase in other types of malware, such as ransomware,” Bitdefender said.

The company’s telemetry shows that cybercriminals followed the coronavirus infection trends by focusing on Europe for much of March and then turning their attention to the US in April as the number of new cases exploded there, which made it more likely for people to click on links and open attachments that offered more information about the pandemic. The phishing emails observed by Bitdefender often impersonated global organizations such as WHO, NATO and UNICEF.

“The SARS-CoV-2 (COVID-19) global pandemic is not going away any time soon and it’s likely that cybercriminals will continue exploiting and leveraging the crisis to their own advantage,” the company said.
“Coronavirus-themed threats will likely continue under the form of spear phishing emails, fraudulent URLs and even malicious applications, all exploiting fear and misinformation in order to trick victims into unwillingly giving away personal, sensitive or financial information.”