CyberWire Daily - How low can they go? A spike in Coronavirus phishing. [Research Saturday]

Episode Date: April 18, 2020

As much of the world grapples with the new coronavirus, COVID-19, and how to handle it, attackers are taking advantage of the widespread discussion of COVID-19 in emails and across the web. Joining us today is Fleming Shi, CTO of Barracuda, discussing their report on these types of attacks, which are up 667 percent since the end of February. The research can be found here: Threat Spotlight: Coronavirus-Related Phishing.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:01:57 Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:02:33 Learn more at zscaler.com slash security. When we picked up on the coronavirus-related attacks, we just saw a spike, which got us to a point where we wanted to make sure people are aware because the spike is pretty severe. That's Fleming Shi. He's chief technology officer at Barracuda Networks. The research we're discussing today is titled Threat Spotlight, Coronavirus-Related Phishing. Some of the attacks seem to be focused on logistics. As you know, moving medical equipment, healthcare equipment is very important during this time. So we wanted to make sure, make some noise about it, make sure people are paying attention. Well, let's go through what you published here together. As you mentioned, you've got quite a spike here.
Starting point is 00:03:34 Take us through some of the numbers. What are you tracking? Absolutely. So this report is covering the data that we have seen from March 1st to the 23rd. And we saw, you know, obviously hundreds of thousands of spear phishing email attacks, but we also saw about 9,000 of those are actually related to COVID-19. And compared to numbers that we have seen in the past, it's over a 600% increase, right? So, and if you look at this in the report, we also talk about sort of type of attacks or intents, right? So there's scamming, brand impersonation, and blackmailing even, and obviously some business, you know, email compromise as well. So some of these numbers
Starting point is 00:04:21 here that we have seen, we're still monitoring. So in the future, hopefully we can provide an update on this. But generally, we saw a very large increase. And you can see more than half is actually scams that's out there. And, you know, even on the recent days after the report, we've seen other type of scams related to vaccines and fake treatments and things like that. So I just wanted to cover those numbers. I believe those are very important. And also just think through the type of attacks that's involved here. You know, they vary, right? So, but those are the numbers. Well, let's go through and dig in. What are some of the attacks that you're seeing?
Starting point is 00:05:04 Can you share some of the specifics with us? Sure, absolutely. So there's an impersonation of World Health community organizations, right? So you can see they're pretending to be, you know, the World Health Organization, which means people are going to pay some attention to it, especially during this kind of crisis. There are a lot of fear-driven type of attacks like that. And the other type that I feel is really kind of low, how low can they go on the bad guy's side? They're using like almost blackmailing, you know, saying, hey, if you don't pay ransom, we're going to infect your relatives and your loved ones or your friends. To me, that's really kind of touching the subject in a very aggressive way. Because, you know, Maslow's hierarchy of needs,
Starting point is 00:05:59 first layer is really physiology. People are, you know, obviously scared of the virus and don't want to get sick. And if you're throwing out these kind of attacks, which target your family and friends, that is the next level of evil, right? So I think that's really important. Yeah, I mean, it really is remarkable how they can take advantage of everyone's fear and anxiety. And in many ways, that short circuits our thinking process. It keeps us from sometimes rationally thinking about the information they're sending us or the actions they're asking us to take. Yeah. And what is really crazy as well is, well, I think somewhat predictable.
Starting point is 00:06:45 But what they have done is in the email, some of these blackmails or scams don't even have any links or attachments to infect your computer or systems or your network. But it's really about scaring you to do something. They will present the Bitcoin information and then you go wire or you get your Bitcoin as a ransom payment, right? So to many ways, it's really kind of, I would say, much harder to detect because it requires a sentiment type of detection capabilities and understanding intent of the email, less about
Starting point is 00:07:20 what link it leads to or attachments that could hurt your system with. So it's harder to defend, but I obviously want to point that out. But we obviously catch them, but our system catches them. But generally, I believe people need to pay attention to that. The other type of attack that was really, like I mentioned earlier, is pretty serious. It's really targeted. And maybe it's ransomware that goes into your system. One example we highlighted, it was related to a shipment. It's related to something related to logistics, right? So imagine you have to
Starting point is 00:08:01 procure a large amount of medical equipment, you'll be tracking certain things. This type of attack will be effective against folks who are really trying to move goods, medical goods. In this situation, it was actually a Pony stealer that sits behind a document or attachment, an email attachment. And obviously that's also very easy to fall for if you're in the midst of moving a lot of equipment to help people, right? So people are getting anxious. Yeah, one of the ones you track here, you have an example of someone using a premise of an invoice and it reads, it says, good day with the current impact of COVID-19,
Starting point is 00:08:47 the coronavirus impact, we would like to know the production delivery status of our orders with you. Kindly fill the details in the attached template for each of the given orders, which is pending to ship and send to us by tomorrow, awaiting your priority cooperation. This looks fairly run of the mill,
Starting point is 00:09:04 but by, I suppose, tossing in that COVID-19 element, it sort of grounds it in reality. That's right. And really, it's designed to get people to open that file and try to fill out a form or something related to that. And if you think about this, you know, they might be targeting the supplier. They might be targeting the folks who are actually handling the transfer of the goods, right? So all these things are designed to cause havoc in a situation where it will slow down the response and slow down the caretaking of victims. Yeah.
Starting point is 00:09:46 Another thing you're tracking here is credential theft. Can you share some of the details of that with us? Absolutely. So credential theft is not new, but it will start to see a spike as well. What's really happening is they're impersonating your Office 365 or your login for your SaaS apps, login infrastructure where, when you are clicking on a link to get into the app, it will actually hijack that by mimicking your login screen for your application from there. Obviously, this is hosted on the attacker side. It's not something that's truly Office 365.
Starting point is 00:10:27 They just made a copy of it, screen scrape, and making it look as real as possible. From there, they will harvest your username and your credentials because you will be typing username and password if you're not careful. So in this situation, actually, the best defense is MFA. So if you always turn on your multi-factor for all the SaaS applications, regardless if you lose your password, there's a second factor to actually authenticate the user to get into the app. This is really important. So a lot of times we have seen attacks utilizing legitimate infrastructure like Google API, for example. It's infrastructure being weaponized multiple times. People actually host an Office 365 login app in there and they're harvesting. So obviously, we always report to folks at Google, but it's important to pay
Starting point is 00:11:23 attention because these things do come up quite rapidly. They bring it down once they finish their campaign. So it's important to pay attention to where you're logging into. In this case, you can see the URL doesn't look normal. Now, on the detection side of the equation here with the types of tools that you and other providers are making available, are these attacks, are these attempts just variations on established themes? Are they still getting flagged as some of the tried and true things that you all are used to detecting or are they new from the outset? The ones that's really fresh or basically more effective are the ones that is using intent or fear-driven type of attacks, right? There's no links, there's no attachments, scanners that sandboxes the email or the parts of the email
Starting point is 00:12:20 is not going to be able to detect there's a malicious payload, for example. Right. It's really about the intent that's involved in the conversation. And some of these conversations are really, especially during the COVID-19 situation, it's fear driven. So the people are going to naturally take action a little bit more aggressively. And based on that, it requires a type of, overused term, AI-driven capabilities to actually identify whether this communication is normal or not. And this goes around whether the user has seen this email or the type of conversation that's happening, is that normal? And this is really done by providing a really strong social graph type of capability to understand your user community, who they communicate with, how do they communicate, and
Starting point is 00:13:13 when do they communicate and what type of topics. And from there we were able to sift through, you know, normal emails as well as attacks and identify the ones that's really malicious. So I think the key here is to have a solution that's additive to normal advanced threat protection type of, uh, solution you have or tool you have, right? Doesn't matter, you know, it doesn't have to be Barracuda. You could have Microsoft, you know, has Defender, they have different type of ATP as well and other vendors, but you need something on top of that to really detect the intent and really the reason why this email came about and what is being talked about. So that's really the tough part. And I suppose also there's an element of this that's communication with your employees to just have awareness that these sorts of things are on the rise and they need to be extra vigilant.
Starting point is 00:14:16 You're absolutely right. And so one piece of advice that's being given is that we're practicing social distance between human beings, right? We should also practice social distance between your devices. The reason for that is that you may be using your personal email or personal application that's not related to work, and you need to keep that segmented or separated from your professional tools because not every personal email has the capability that basically allows you to stop this type of threat. So that type of attack could infect your tools for your work. Our thanks to Fleming Shi from Barracuda Networks for joining us.
Starting point is 00:15:05 The research is titled Threat Spotlight, Coronavirus-Related Phishing. We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:15:43 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.
