When the threat landscape changed due to COVID-19 and pandemic-themed security threats surged, thousands of volunteers from around the world banded together to help address them.
The COVID-19 Cyber Threat Coalition, which today has around 4,000 volunteers, was started by Joshua Saxe, chief scientist at Sophos, back in March as a way for cybersecurity professionals to pitch in during the crisis. Though anyone can sign up for their Slack channel, active volunteers must go through a vetting process and there are varying levels of activity.
Through the help of those volunteers, the coalition publishes data sets with indicators they believe to be used by cybercriminals to prey on consumers, nonprofit organizations, enterprises and governments by using the COVID-19 pandemic as a lure. The group's network blocklist, which contains more than 26,000 malicious URLs, domains and hostnames, is available on the coalition's website. In addition to regularly updating the blocklist, the coalition also publishes weekly threat advisories that discuss various topics such as ransomware mitigation strategies and the latest Zoom security updates.
They also have a relationship with the Cyber Threat Alliance, an industry consortium that has multiple threat detection vendors, including Sophos and Palo Alto Networks. The blocklist is automatically shared through any member of the Cyber Threat Alliance as well.
"My thinking was that given our specialization, the best way we could help would not be directly, but rather by reducing the likelihood that individuals and organizations would suffer network breaches in addition to the medical and economic effects of the crisis," Saxe said. "Initializing the organization was easy. I started a Slack workspace and put a call out on Twitter for folks to join. Getting a real, functioning organization up and running, as thousands of volunteers joined the cause, was the greater challenge."
Nick Espinosa, founder of infosec consultancy Security Fanatics, saw the Slack post two days later and has been an active volunteer and spokesperson for the coalition ever since.
"What makes us unique is there's a lot of cybersecurity groups out there, but they are always a cybersecurity company. Whereas now we have every vertical: financial, healthcare, clothing lines -- their cybersecurity experts are joining us, so it's been an interesting perspective," Espinosa said.
The coalition created the blocklist with the goal of helping hospitals and other critical infrastructure defend against COVID-19 security threats, Espinosa said, though any organization can take advantage of the group's threat intelligence.
"Nobody wants to see a hospital go down and people's lives put at risk because they got ransomed," Espinosa said. "When the coronavirus hit, we were seeing an explosion in COVID-19 and coronavirus domains that are being spun up, which is what we are identifying as fast as we can and putting it out there."
At one point, the coalition saw over 5,000 domain names being registered a day. They also received roughly one hundred million indicators of compromise daily, Espinosa said.
"We are getting a fire hose of information and threat intelligence that we are sifting through to specifically identity coronavirus/COVID-19 threats," Espinosa said. "Interestingly enough, a lot of the tactics threat actors are using are basically the same. Same old tactics, same types of ransomware, all of that -- it's just that they painted the house a different color and that happens to be coronavirus."
Though the tactics remained the same, Espinosa did observe a shift in attack lures.
"Initially in the pandemic, you're seeing 'click for WHO guidelines or download this tracking app'. Now, it's shifted to 'buy masks from us.' It's a real problem because a lot of people don't realize. It's getting more and more sophisticated and we know there will be state-sponsored attackers as well that are going to be in here," Espinosa said.
The surge in phishing attacks using pandemic-related misinformation in the hopes of gaining access to credentials and other personal information or to deploy malware was observed by many security vendors, including Kaspersky Lab and CrowdStrike.
And according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, the total volume of phishing emails and other security threats relating to the COVID-19 coronavirus now represents the largest coalescing of cyberattack types around a single theme that has been seen in a long time, and possibly ever.
"Criminals have sent waves of emails that have ranged from a dozen to over 200,000 at a time, and the number of campaigns is trending upward. Initially, we were seeing about one campaign a day worldwide; we're now observing three to four a day. This increase underscores just how appealing global news can be for cybercriminals," DeGrippo told SearchSecurity.
To keep up with the insurgence of threats, the coalition relies not only on the thousands of volunteers to collect and analyze the data but also a variety of sponsors to help in gathering and getting information out as soon as possible. In addition, Espinosa said, the coalition received about $100,000 a month in free tools and platforms donated by various vendors.
"We rely heavily on donated software-as-a-service licenses. For example, we use donated tools from Atlassian, Microsoft, Slack, Cloudflare, Protonmail, ThreatConnect, OTX and other organizations to conduct our operations," Saxe said.
Saxe also said that the volunteers' employers have been gracious in terms of allowing their staff members to spend some work hours participating in the collation, which he said is to the "mutual benefit" of the coalition, the employers and the general public. The steering committee, which is made up of 25 volunteers, including Espinosa and Saxe, has discussed what will happen once the pandemic ends and its effect on the threat landscape fades away.
Espinosa said that while the coalition is "definitely a temporary organization," the group for now wants to deliver its threat intelligence with as many organizations as possible. "There's no reason for us to be around [after the pandemic]," he said, "but the intelligence that we do have, we want to share with the world."