The latest COVID-19 variant has led to a 521% increase in phishing attacks using the virus as a lure to trick users into clicking, according to Barracuda Networks.

Cyber-criminals often use newsworthy events in their social engineering attacks, and COVID-19 provided a bumper opportunity when it emerged in 2020.

The security vendor observed a 667% month-on-month surge in COVID-19 phishing emails from February to March that year. It recorded another significant increase when new vaccines were released at the start of 2021.

Now public concern over the highly transmissible Omicron variant is catching the eye of phishers.

Among the tactics used to trick users into clicking on malicious links and/or entering personal details are offers of counterfeit or unauthorized COVID-19 tests and protective equipment such as masks or gloves.

Some impersonate testing labs and providers, or even employees sharing their results, said Barracuda.

In other phishing emails, the user may receive a fake notification for an unpaid order of tests and is urged to provide their PayPal details to complete delivery of the kit, the vendor claimed.

Barracuda Networks CTO, Fleming Shi, said the answer lies in improving employee phishing awareness training and plugging in advanced email security.

“Capitalizing on the chaos of the pandemic is not a new trend in the world of cybercrime. Yet with constantly evolving tactics, and new trends to latch on to, it’s easy to see why scammers are not giving up on this trick,” he added.

“Just like the threat of COVID-19, pandemic-themed scams are not going to disappear overnight, but fortunately, there are a number of tactics that businesses and consumers can employ to ensure they remain protected.”

In related news, a Comparitech study this week claimed that unscrupulous healthcare workers are enabling a massive black market in COVID-19 digital vaccination certificates and passes.

The researchers found dark web adverts looking for any such workers who empathize with the anti-vaxxers buying these passes.

“When someone buys a fraudulent certificate, they must first sign up for their country’s respective COVID vaccination database. They send their name, PIN number and other necessary info to the vendor,” Comparitech explained.

“A doctor or other healthcare worker marks that person’s record with confirmed vaccination. The buyer’s QR code then becomes valid. It takes just a few hours for the process to complete once a purchase is made.”

Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks.

The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today.

However, the malware soon spread globally, causing potentially billions of dollars of damage.

Many companies, including Merck and confectionary giant Mondelez, found their insurer refusing to pay because of an exclusion in their policy for “acts of war.”

However, a New Jersey superior court judge has now ruled that the language therein implies armed conflict rather than the cyber kind.

Although Merck was claiming under an “all-risk” property insurance policy, both these and more specific cyber policies often contain such exclusions.

However, the ruling may not be beneficial to other policyholders in the long run, as insurers are in general becoming much more prescriptive about coverage for cyber-incidents.

Lloyds of London last November released a new set of clauses that broadened act of war exclusions to “cyber-operations between states which are not excluded by the definition of war, cyber-war or cyber-operations which have a major detrimental impact on a state.”

Peter Groucutt, co-founder of Databarracks, said the new clauses would favor insurers going forward.

“Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber-warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or ‘takes an unreasonable length of time to.’ That seems to be a dangerous case of checking one’s own homework,” he argued.

“There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with ‘those acting on its behalf’ working as a catch-all for these kinds of relationships.”

Ultimately the “parameters for payout” are narrowing, shifting more emphasis onto organizations to improve baseline protections, Groucutt concluded.

United States President Joe Biden has signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks.

The requirements for federal civilian networks were laid out in Biden’s Executive Order 14028 (EO 14028) issued May 12 2021. The new memo, signed Wednesday, specifies how the provisions of EO 14028 apply to national security systems. 

The NSM establishes timelines and guidance for how cybersecurity requirements, including multi-factor authentication, encryption, cloud technologies and endpoint detection services, will be implemented.

It also requires agencies to identify their national security systems and report cyber incidents that occur on them to the National Security Agency (NSA). 

Commenting on this particular requirement of the NSM, Mark Manglicmot, vice president of security services at Arctic Wolf, said: “To defend something, you need to have an asset inventory to know what your most critical systems and data are. This directive mandates this best practice.”  

The NSM further authorizes the NSA to create Binding Operational Directives that require agencies to take specific actions against known or suspected cyber-threats and vulnerabilities. In addition, it requires the NSA and the Department of Homeland Security to share BODs and “learn from each other to determine if any of the requirements from one agency’s directive should be adopted by the other.” 

Under the new memo, agencies are required to secure tools known as cross-domain solutions that transfer data between classified and unclassified systems. 

In a statement released Wednesday, the White House said: Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems.”

James McQuiggan, security awareness advocate at KnowBe4, noted that the memo omitted any requirements around cybersecurity education or creating a security culture among users. 

He said: “When users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyber-attack.”

Managed infrastructure solutions company, 11:11 Systems, has acquired Texas-based cloud services provider, iland. 

The completion of the acquisition was announced on Thursday. The terms of the deal were not disclosed. 

Headquartered in Houston with regional offices in London and Sydney, iland delivers cloud services including Disaster-Recovery-as-a-Service (DRaaS), Infrastructure-as-a-Service (IaaS) and Backup-as-a-Service (BaaS) from its cloud regions throughout North America, Europe, Australia and Asia.

11:11 Systems said it intends to leverage iland’s award-winning Secure Cloud Console, which natively combines deep layered security, predictive analytics and compliance to deliver visibility and easy management for iland’s cloud services.

The deal follows 11:11 Systems’ recent acquisition of Green Cloud Defense, a channel-only, cloud Infrastructure-as-a-Service (IaaS) provider. 

“By adding iland’s steady 25% YOY momentum to 11:11 Systems’ expanding national network of MSPs, VARs and IT consultants, a hyper-growth pathway has been created,” said 11:11 Systems in a statement.

Brett Diamond, CEO of 11:11 Systems, said his company’s recent acquisitions were motivated by making cybersecurity more straightforward for its customers. 

“CIOs and IT leaders are being pushed to address increasing numbers of security threats, application vulnerabilities and network weaknesses that can leave organizations exposed to data breaches; at the same time, they are tasked with laying the right foundation within their infrastructure to embrace hybrid cloud, navigate sophisticated application requirements, artificial intelligence and more while data and devices continue to multiply exponentially,” said Diamond.

He added: “11:11 Systems is focused on significantly simplifying our customers’ approach to cloud, security and connectivity to drive greater security, innovation, and responsiveness and adding iland and Green Cloud as core ingredient platforms substantively advances this mission.”

For iland, the deal brings an opportunity for expansion and innovation, according to the company’s CTO, Justin Giardina. 

“Joining 11:11 Systems, which now includes Green Cloud, will open up the doors of innovation even wider with new opportunities to expand services across the iland platform, which will further enhance our customers’ ability to manage and monitor their hybrid environments,” said Giardina.

Cybersecurity researchers at Kaspersky have discovered a third known case of a firmware bootkit in the wild.

The kit, which made its first appearance in the wild in the spring of 2021, has been named MoonBounce. Researchers are confident that the campaign is the work of well-known Chinese-speaking advanced persistent threat (APT) actor APT41.

MoonBounce demonstrates a more complicated attack flow and greater technical sophistication than previously discovered bootkits LoJax and MosaicRegressor.

The malicious implant was found hiding inside the CORE_DXE component of the Unified Extensible Firmware Interface (UEFI) firmware. UEFI firmware is critical because its code is responsible for booting up a device and passing control to the software that loads the operating system (OS). 

Once MoonBounce’s components have made their way into the operating system, they reach out to a command & control server to retrieve further malicious payloads, which Kaspersky researchers could not retrieve.

The code to boot the device is stored in a non-volatile component external to the hard drive called the Serial Peripheral Interface (SPI) flash. 

Researchers said that Bootkits of this kind are extremely hard to detect because the code they target is located outside of the device’s hard drive in an area that most security solutions do not scan as standard. 

Firmware bootkits are also difficult to delete. They can’t be removed simply by reformatting a hard drive or reinstalling an OS because the code is launched before the operating system.

“The infection chain itself does not leave any traces on the hard drive, since its components operate in memory only, thus facilitating a fileless attack with a small footprint,” noted researchers. 

While investigating MoonBounce, researchers appeared to detect a link between the bootkit and Microcin malware used by the SixLittleMonkeys threat actor.

“While we can’t definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” said Denis Legezo, senior security researcher with GReAT (Kaspersky’s Global Research and Analysis Team).