
Coronavirus threats ramp up as more hospitals come under attack

The Covid-19 Cyber Threat Coalition finds the majority of security pros have been targeted by cyber criminals exploiting the coronavirus pandemic, and adds to warnings of increased activity targeting the health sector

An 85% majority of cyber security professionals have been on the receiving end of some kind of phishing email or scam relating to the Covid-19 coronavirus, but not many seem to be landing, with 80% saying they have not seen any organisational downtime as a result.

This is according to a preview of figures to be published later this week by the Covid-19 Cyber Threat Coalition, a group of like-minded security specialists who have banded together to put a stop to cyber criminals exploiting the pandemic.

The newly established movement, which was set up as a Slack channel by Sophos’s Joshua Saxe in late March, has seen its membership balloon to more than 3,000 in barely a fortnight. Its members said they are united in their feeling that “extraordinary times call for bridging traditional boundaries to operate with unity and purpose”.

More statistics from the informal study will be revealed later in the week, but in the first of what is planned to be a series of weekly threat advisories, the group said that the most common coronavirus threats were credential phishing (33%), scams (30%) and malicious documents (18%).

The group said these results suggested that cyber criminals are taking advantage of standard patterns of attack and have simply rebranded them to take advantage of the crisis. This has been borne out by many reports from various suppliers and industry bodies in recent weeks.

The Covid-19 Cyber Threat Coalition is being supported by a number of organisations, including Cloudflare, GitHub, Nvidia, Slack and Sophos, and is still seeking contributors to join its Slack channel and help push threat intelligence data through an Open Threat Exchange group.

It has already published and is now updating a blocklist of compiled and vetted data on indicators that it believes criminal groups are using to go after their targets.

In its first weekly examination of the coronavirus security landscape, the coalition looked at threats coalescing around video conferencing and collaboration platform Zoom, the prevalence of phishing schemes profiting from the increased climate of fear and uncertainty, and the risk of ransomware attacks against hospitals and other healthcare organisations at the frontline of the fight to stop coronavirus.

Writing in this weekly update, threat intelligence researcher Allan Liska of Recorded Future said he had seen attacks on healthcare bodies by the groups behind the Ryuk and Netwalker ransomware strains in the US and Spain respectively.

Liska noted that a number of ransomware groups, including those behind both Ryuk and Sodinokibi – also known as REvil – are hunting for exposed Remote Desktop Protocol, Citrix and Pulse Secure VPN servers, which are relied on by hospitals to support remote working admin staff.

“To protect your organisation, prioritise patching of these systems, warn employees against password reuse against these publicly accessible systems and, wherever possible, enable two-factor authentication,” he wrote.

Others seem to be relying more heavily on coronavirus phishing lures, so healthcare staff should be wary of any unsolicited email that makes reference to the disease, even if it seems to have come from a reputable organisation, such as the World Health Organisation (WHO).

Liska added that many such phishing emails try to convince their targets to open a Microsoft document with a malicious macro embedded, so it is important for security teams to ensure that macros are disabled.

On 6 April, Interpol said it was dealing with an unprecedented rise in ransomware attacks against the healthcare sector and warned of more to come.

The organisation’s secretary-general Jürgen Stock branded cyber criminals taking advantage of the pandemic in this way “ruthless”.

“Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths,” he said.

Joseph Carson, chief security scientist at Thycotic, said: “Scams such as urgent access requests, promises of medical equipment or latest news and treatments of Covid-19 increase the risk that medical staff are sometimes simply one click away from giving a cyber criminal access to critical systems or installing ransomware that will lock up systems until a financial payment is made, and in today’s current situation that means lives would be lost. In the cyber criminal’s mind time is money, but for medical staff time means saving lives.”

“Cyber security professionals have joined together to help hospitals with volunteer cyber defenders to help make them more resilient to such cyber attacks, and security professional peers such as Daniel Card and Lisa Forte are leading the defence for the UK NHS,” he added.

“Everything we do to keep critical systems running saves lives, and security professionals working in the background to ensure those critical systems are running at 100% are the unsung heroes right now working behind the scenes under extreme pressure and stress.”
