COVID-19 Intelligence Briefing: Adversary Attack Patterns & Knock-On Effects

TruSTAR recently held an intelligence briefing with leaders from IBM X-Force IRIS, BAE Systems, and Intel471 to discuss the threatscape surrounding the COVID-19 pandemic. This briefing is part of a larger COVID-19 OSINT Project to track and share vetted observables related to COVID-19 phishing and malware exploits. You can request access to this OSINT Community here.

Below, we have edited and condensed parts of the panel Q&A. To view the full webinar and hear more about the latest intelligence surrounding COVID-19, click here.

COVID-19 Attack Patterns

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

IBM X-Force IRIS has been tracking COVID-19 exploits for almost two months and you've been on the front lines of watching these threats evolve. How have they evolved, what's changed, and where did it start? What are some of the knock-on effects you’re seeing?

Nick Rossman, Research & Operations Lead, IBM X-Force IRIS Intelligence:

From working with the broader team at IBM and our telemetry, we’re seeing change in the phishing wars and the vectors attackers are using. Bad actors typically try to use holidays or other big events that might spur something on, which only focuses on a small portion of the internet. However, with a global pandemic like this, everyone is attuned to it. Every individual consumer and business is sending out information about COVID-19 and how to be prepared.

Bad actors are flooding inboxes with spear phishing about COVID-19, because it increases the likelihood that things will get clicked. We've seen a steady rise in the amount of spam that has gone out, but also now, the follow-on malware attached to it. On the targeted industry front, it's really been a spray and pray method, but now they can spray and pray to a lot more people who are interested in information about COVID-19.

As we start to look outward to other knock-on effects, large industries have been targeted in the past that are being immediately hit by economic factors. Hospitality, transportation, healthcare, etc. So I think we're going to start to see the widening of the aperture to some of these other company types that, frankly, might not have the same security investment they did, literally, three months ago, because their operating model has changed. To me, that is a concern as I start to look forward on what adversaries are going to do next.

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

Maurits, how are you viewing this? Is this really just a messaging spin, or are we seeing evolutions in technology and tooling from the bad guys?

Maurits Lucas, Director of Intelligence, Intel471:

A lot of the actors are engaged in trying to get people to click or enter sensitive information. It's to be expected that they're going to latch onto COVID-19 since the public is thirsty for any information about what's happening with it.

We’re also seeing COVID-19-themed phishing kits, so instead of having to build your own, now here's someone who says, "Why don't you use this? We've got it all set up for you. Just press play."

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

Is it really only about the total addressable market? Because this truly is a global pandemic, is that what separates this from the typical IRS tax-themed phishing scams that we would be seeing, certainly in the U.S. around this time of year?

Maurits Lucas, Director of Intelligence, Intel471:

No, it's the entire scale and size of the thing. It's all over the world, it's a pandemic, and it seems to have also managed to bring the entire economy to a halt. Record numbers of people are suddenly applying for social security and other government programs. Normally any one of these things would be enough for a hacker to use, but this is many different facets, drawing from the pandemic, self-isolation, where do I find the next packet of toilet paper, to registering for social services, trying to work from home, etc.

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

Adrian, BAE works across the government and private sectors, globally. How have COVID-19 exploits evolved as you all and your team have been watching this in the last few weeks?

Adrian Nish, Threat Intelligence Lead, BAE Systems:

As Maurits mentioned, a lot of attackers are jumping on the bandwagon of using COVID-19 as part of phishing campaigns across the spectrum. That's everything from nation state groups who are tracking through to common criminals who have fairly low skills but know there's an opportunity here.

Our customers in government are most concerned with threats to critical infrastructure, particularly healthcare. A lot of the questions we're getting from government customers are, how do we improve cyber resilience so that there are no further knock-on effects against those organizations.

For more information, be on the lookout for our follow-up blog which tackles the knock-on effects that the pandemic is having in relation to threat intel.

To watch the webinar in its entirety, click here. For more information on joining the COVID-19 OSINT Community, click here.
