COVID-19 Cyber Threats: Hackers Target DNS Routers, Remote Work

March 27, 2020 - Europol released a report showing how hackers are profiting off of the COVID-19 pandemic, warning hackers are shifting attacks to remote workers and the healthcare sector. Meanwhile, researchers have discovered a rapid increase in registered phishing websites and DNS hijacking attacks.

According to the Europol report, cybercriminals are adapting their attack methods and engaging in new activities in response to the high demand for certain medical supplies related to the pandemic, the decreased mobility of individuals, the increase in telework, and the anxiety and fear that could increase the risk of exploitation to individuals.

Specifically, cybercriminals are using the Coronavirus to launch social engineering attacks, while targeting the increase in remote work. The threat surface has increased as a greater number of employees and vendors are remotely accessing enterprise networks.

For example, “the Czech Republic reported a cyberattack on Brno University Hospital which forced the hospital to shut down its entire IT network, postpone urgent surgical interventions and re-route new acute patients to a nearby hospital.”

There has also been an increase in fraud attempts as hackers target fears and anxieties stemming from the pandemic. The data mirrors recent warnings from the FBI, the Department of Justice, and the Department of Health and Human Services Office of the Inspector General.

READ MORE: Microsoft Warns Hackers Targeting Unpatched RCE Windows Flaws

“While many people are committed to fighting this crisis and helping victims, there are also criminals  who have been quick to seize the opportunities to exploit the crisis,” Europol’s Executive Director Catherine De Bolle, said in a statement.

“This is unacceptable: such criminal activities during a public health crisis are particularly threatening and can carry real risks to human lives,” she added. “That is why it is relevant more than ever to reinforce the fight against crime.”

Bitdefender recently published its own research around DNS hijacking attacks targeting home routers. Hackers are scanning the internet for vulnerable routers. The new attack methods started on March 18th, with a peak in activity on March 23rd.

The primary target is Linksys routers through brute-force attacks with remote management credentials and then changing their DNS IP settings.

“DNS settings are very important, as they work like a phone book. Whenever users type in the name of a website, DNS services can send them to the corresponding IP address that serves that particular domain name,” researchers wrote.

READ MORE: Can Multi-Factor Authentication Help Healthcare’s Security Posture?

“In a nutshell, DNS works pretty much like your smartphones agenda: whenever you want to call someone you just look up their name instead of having to memorize their phone number,” they added. “Once attackers change the DNS IP addresses, they can resolve any request and redirect users to webpages that attackers control, without anyone being the wiser.”

The report also showed cybercriminals are posing as the World Health Organization COVID-19 app to install the Oski infostealer final payload. The cyberattack stores malicious payloads through BitBucket, a popular web-based repository hosting service and leverage TinyURL, a URL-shortening web service, to hide the link to the Bitbucket payload: a measure designed to hide the attack from the victim.

Successful exploits hijack routers and alters their DNS IP addresses, redirecting users to a specific list of webpages and domains to a malicious Coronavirus-themed webpage. Some redirected, targeted domains include: aws.amazon.com; goo.gl; bit.ly; washington.edu; imageshack.us; ufl.edu; and disney.com, among others.

“COVID-19 is a recurring theme that cybercriminals have been abusing to trap victims,” researchers wrote. “Malicious reports involving coronavirus-themed malware have increased five-fold in March from February, with attackers using phishing scams that exploit Coronavirus misinformation and fear regarding medical supply shortage.”

“By changing the DNS settings on the router, users would actually believe they’ve landed on a legitimate webpage, except that it’s served from a different IP address,” they added.

READ MORE: Hackers Target WHO, COVID-19 Research Firm with Cyberattacks

So far, the attack has claimed about 1,193 victims. Bitdefender researchers have found four Bitbucket repositories, which means the number of victims could be a lot higher, “as Bitbucket has already taken down the other two repositories, preventing us from having a complete picture of the number of victims.”

The number of victims is expected to increase in coming weeks, as the Coronavirus remains a popular topic.

Lastly, new research from Atlas VPN showed Google saw a 350 percent increase in phishing websites amid the Coronavirus pandemic for the last three months. In January, there were a total of 149,195 active phishing sites, which jumped 50 percent to 293,235 phishing sites in February.

By March, the number has reached a total of 522,495 registered phishing sites. And researchers found there are more than 300,000 suspicious coronavirus-themed websites.

To reduce the risk posed by these new efforts, the Office for Civil Rights recently shared COVID-19 cyber scam advice shared by the Department of Homeland Security.