Friday 20th March 2020

BLOG – Beyond phishing – Coronavirus’ wider impact on the threat landscape

Over the past week, you may have seen multiple articles warning of cybercriminals opportunistically exploiting the coronavirus pandemic through spam emails claiming to have information on the virus or important hygiene measures. While this is true, it is only part of a wider picture.

Phishing and malware campaigns using the virus as a lure were the first examples of malicious cyber activity in response to the crisis. Yet, as we assessed in a previous blog post in relation to the Black Friday sales, cybercriminals are often quick to exploit interest in seasonal events, trending news stories and current affairs. Coronavirus, however, is unprecedented in its sheer scale and economic impact. We accordingly anticipate it will have a more long-term impact on the threat landscape, which we assess below. At the end, we provide recommendations for mitigating this evolving threat.

Shifts in sector targeting

One of the longer-term shifts is likely to be to the most targeted industries. Focus is likely to shift to sectors that are under greater pressure than before or which the public, confined to their homes, are more reliant on. Such targeting has already begun, with reports of a DDoS attack against a food delivery company in Germany. Meanwhile, we anticipate that the Magecart technique, which entails injecting malicious code into e-commerce websites to steal customer payment card data, will become increasingly common as more people rely on online deliveries. Conversely, use of point-of-sale (POS) malware is likely to decline as fewer people shop in person.

Increasing pressure on the healthcare sector may make it a particularly alluring target, more so than it already is. Overworked staff are more likely to open a malicious attachment or click on a link before carefully considering the email’s origins, which is likely why there has been an uptick in phishing attempts against the sector. Ransomware operators, who already show a marked interest in the healthcare sector, might also seek to take advantage of the situation as victim would be under greater pressure than ever before to restore their systems’ availability, even if this meant paying the ransom.

Some ransomware operators, such as those behind the Maze variant, have claimed they will avoid targeting healthcare services for the duration of the pandemic. This ostensible display of ethics extends to cybercriminals more generally, as the discussion from a deep web forum shown below illustrates.

A cybercriminal forum user expresses distaste at others exploiting the situation

Despite this avowed ethical stance, operators are more likely to avoid targeting certain sectors out of pragmatism. For example, while a struggling, understaffed organisation might seem like an ideal target, there is little point demanding a ransom from it if it faces the prospect of bankruptcy and has no way of paying, which will be increasingly common over the course of the pandemic.

Working From Home

In addition to shifts in the importance of various sectors, targeting might also be informed by the fact that many employees are now working from home. This includes members of Orpheus, which is partly what prompted us to write up this blog, reflecting on our own experiences and how our efforts to ensure secure working practices from home are just as relevant to other organisations. 

Employees working from home provides ample opportunity for threat actors precisely because security standards here are likely to be lower. For example, home wi-fi networks are more likely to use weak or default credentials. Instead of official channels, an employee may opt to send potentially sensitive documents via less secure means. They also may use or download applications which would not be approved in the corporate network and may carry malware with them, such as torrented software.

Discussions on deep web forums regarding wi-fi vulnerabilities are already common and are likely to become more so as working from home becomes the norm for many

All of this presents opportunities for threat actors, who will likely seek to exploit their targets’ temporarily weaker security posture. We also anticipate there will be an uptick in attempts to identify and exploit vulnerabilities in VPN and other remote working tools. The past year has seen the discovery of numerous VPN vulnerabilities, including CVE-2019-11510 in Pulse Connect Secure VPN. Iranian state actors have already proven themselves responsive to these vulnerabilities and we assess this responsiveness will extend to cybercriminals as VPN software becomes increasingly popular.

Physical Security & Staffing

As a result of employees working from home or being off work due to sickness, coronavirus also means that many businesses will be understaffed. Threat actors can take advantage of this disruption, as patching cycles for software vulnerabilities will be likely be slower and more haphazard. Organisations’ SOCs may also not be fully operational, limiting their ability to respond to incidents.

Security teams are not the only parts of businesses facing disruption though, as so will accounts departments, with BEC (Business Email Compromise) scammers taking advantage of disruptions to standard operating procedures, enabling them to more easily authorise fake payments than they would otherwise.

In certain sectors, organisations will not just be understaffed but entirely non-operational, as the pandemic effectively makes it impossible to run business as usual. Such is true for bars, clubs, cinemas and other places of mass gatherings. In these situations, ransomware operators, especially those like the Maze group who are keen to present themselves as ethical, may establish a foothold on victims’ networks and wait until business resumes to execute their payload.  Again, however, we anticipate that ransomware groups are less likely to target businesses that are potentially facing bankruptcy due to their inability to pay ransoms.

Alternatively, if a cybercriminal’s aim is information theft, now would be a perfect opportunity to do so with relatively few impediments to their movements due to shortages or a lack of staff.


As this shows, coronavirus’ impact on the threat landscape is much broader than just topical phishing attempts. In the longer term, the impact will be felt in terms of which sectors are targeted, the increased targeting of home networks and the effects of understaffing or businesses temporarily closing altogether. In light of this, we would like to offer four security recommendations which can help mitigate these evolving threats:

1. Ensure that staff working remotely are aware of the importance of good cyber hygiene, including protecting home wi-fi networks. Provide advice and guidance on this where required.

2. Fraud attempts are likely to escalate in this period due to disruptions to standard operating procedures in financial departments, so make sure that robust policies for payment initiation / processing are in place, and that they are being followed. Encourage staff to take practical steps to verify the identity of individuals where this is in doubt.

3. As much as it is possible, ensure that patching is done promptly and regularly, especially in relation to potential vulnerabilities in VPN and other remote working software.

4. While the aim of this blog piece was to highlight longer-term implications that other articles may not have considered, it is still important to be vigilant with regards to spam posing as coronavirus advice.

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.