Globally, the COVID-19 pandemic has caused widespread business disruption, and the shift to remote working to maintain business continuity has made organisations more vulnerable to a rising number of cyberattacks. Using data collected from logs and various other sensors across a wide cross-section of Indian organisations, PwC’s Cyber Security team analysed the pattern of cyberattacks on Indian entities in the last few weeks.
Commenting on the rise in cyberattacks following the spread of COVID-19, Siddharth Vishwanath, Leader – Cyber Security, PwC India said, “With significant shifts to work from home or off-location operations, organisations are more focused on continuity of day-to-day operations than on plugging the gaps in the remote infrastructure. Hackers, who realise this, do not want to leave any stone unturned to harness the moment. PwC’s threat analysis validates this as the cyberattacks in the backdrop of COVID-19 have seen a sudden spike. Organisations are required to work on fixing the gaps in their remote infrastructure and provide secure remote access to employees and other stakeholders.”
The analysis shows a significant rise in cyber incidents as hackers exploit the COVID-19 crisis. The PwC report summarises the timeline and the varied threat scenarios being used to exploit the vulnerabilities of organisations.
Timeline of cyberattacks exploiting the COVID-19 crisis
In January, coronavirus-themed malspam emails distributed malware and Trojans, especially the Emotet banking Trojan. In February, phishing emails masquerading as communiqués from the Centers for Disease Control and Prevention stole email credentials, while COVID-19-themed phishing emails targeted the manufacturing, finance, transportation, pharmaceutical and cosmetic industries. North Korea’s BabyShark malware spread via a document disguised as South Korea’s response to COVID-19. Also, spam emails purportedly from the Centre for Public Health of the Ministry of Health, Ukraine, delivered a lure document that appeared to contain the latest COVID-19 news but in reality dropped a C# backdoor.
In March, spam emails camouflaged as coronavirus precautions targeted Italian email addresses, delivering a weaponised Word document embedded with a VBA script that dropped a new TrickBot variant. Meanwhile, cybercriminals exploited users’ need for COVID-19 data via an online application cloaked as an interactive map showing the global spread of the coronavirus. A new ransomware strain (dubbed CovidLock) was disguised as a coronavirus tracking app and distributed under that cover.
As the COVID-19 outbreak reached India, cyberattacks on Indian companies doubled between January and March 2020. February saw a sudden spike, with most attacks focused on exploiting vulnerable services and obtaining easy access to remote desktops. There were untargeted phishing campaigns too, in which attackers impersonated personnel from various agencies battling COVID-19. After two primary sustained waves in February, attack volumes fell back to a median level.
Volume of attacks experienced
After 15 March, when India witnessed rising COVID-19 cases, a massive wave of attacks targeted many Indian companies. Many organisations witnessed a 100% increase in attacks between 17 and 20 February.
Remote work infrastructure is being heavily targeted, alongside identity theft and malicious payload delivery. As organisations rush to establish VPNs (virtual private networks) so that their employees can work remotely, cyber crooks are exploiting weak authentication mechanisms through widespread phishing campaigns.
There has been a global spike in phishing emails since February, exploiting anxiety related to COVID-19. Most attacks were untargeted, intended to ensnare as many users as possible in the shortest possible time. Incidents detected by endpoint detection and response (EDR) systems across many organisations rose steadily.
Safeguarding continuity of business operations
Given the current threat landscape, companies utilising remote working policies need to deploy robust preventive and detective technical measures. PwC recommends the following measures:
Protection
- Utilise only secure access mechanisms for remote access – SSL VPN, secure remote desktop protocol (RDP) gateway, thin client access, etc.
- Implement strong password policies and two-factor authentication for all remote access, including for administrative purposes.
- Evaluate any exceptions to password policies, policy bypass and non-standard access.
- Review bring your own device (BYOD) policies and enforce compliance around patches, malware signatures and BYOD gadgets.
- Use geo-restrictions and login velocity restrictions, if possible.
- Prevent multiple sessions and reuse of tokens wherever possible.
- Enforce privilege identity management solutions for remote administrative access.
Detection and response
- Implement specific monitoring rules to detect attacks on remote access infrastructure.
- Utilise specific threat intelligence to detect cyber crooks targeting COVID-19 and related themes.
- Use EDR solutions, antivirus or authentication policies to isolate infected or compromised endpoints.
- Enable response teams to securely access compromised devices for analysis and eradication.
- Identify mechanisms to re-flash operating systems where eradication is not possible.
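As an added illustration, not taken from the PwC report, of the login velocity and geo-restriction controls listed under Protection and the remote-access monitoring rules listed under Detection and response, the following Python sketch flags source IPs that spray failed logins at a VPN or RDP gateway and accounts that log in from two countries within a short window. The log format, the sample lines, the thresholds and the function names are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines in a hypothetical gateway format:
# "<ISO timestamp> <user> <source-ip> <country> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2020-03-18T09:00:01 alice 198.51.100.7 IN FAIL
2020-03-18T09:00:03 alice 198.51.100.7 IN FAIL
2020-03-18T09:00:04 bob 198.51.100.7 IN FAIL
2020-03-18T09:00:06 carol 198.51.100.7 IN FAIL
2020-03-18T09:00:07 dave 198.51.100.7 IN FAIL
2020-03-18T09:00:09 erin 198.51.100.7 IN FAIL
2020-03-18T09:05:00 alice 203.0.113.10 IN SUCCESS
2020-03-18T09:20:00 alice 192.0.2.44 RU SUCCESS
"""
def parse(log_text):
    """Parse the constructed format into time-sorted (ts, user, ip, cc, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, country, result))
    return sorted(events)

def velocity_alerts(events, max_failures=5, window=timedelta(minutes=1)):
    """Source IPs with more than max_failures FAILs inside a sliding window (spraying)."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    for ts, _user, ip, _country, result in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return sorted(flagged)

def geo_alerts(events, window=timedelta(hours=1)):
    """Accounts with successful logins from two different countries within window."""
    last_success = {}  # user -> (timestamp, country) of the previous success
    flagged = set()
    for ts, user, _ip, country, result in events:
        if result != "SUCCESS":
            continue
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            flagged.add(user)
        last_success[user] = (ts, country)
    return sorted(flagged)
```

In a real deployment the thresholds would be tuned to the gateway's normal traffic, and the flagged sources and accounts would feed the session-termination and endpoint-isolation steps above rather than only being reported.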
In the long term, organisations should focus on:
- Developing a robust business continuity plan (BCP).
- Creating strategies and the required infrastructure for implementing secure remote access.
- Training technology staff and crisis management teams to enable smooth functioning of the BCP.
- Conducting table-top drills and testing of crisis management plans.
- Communicating with various business teams and enabling them to continue their functions securely.