Cyberattack plans on the dark web

By now, the security issues associated with working remotely have become a lot clearer than at the start of the many lockdowns across the world to counter the coronavirus pandemic.

Passwords to Zoom video calls are changed regularly for users who are aware of the dangers of uninvited guests turning up to their daily corporate meetings or classroom lessons. Facing pressure from users who range from students to government officials, the video call company Zoom Video Communications has also beefed up security to counter some of these issues.

Yet, the threat is far from being diminished. For an idea of what may be coming into the picture in the weeks and months ahead, one place to look for clues is the dark web.

From hoaxes to ransomware and from phishing e-mails to fake mobile apps, hackers are targeting the millions of people now working from home and connecting digitally with colleagues over the Net. The dark web offers a glimpse of this criminal activity, with malware toolkits readily available for any criminal to use in ransomware campaigns or simply to spread fake information. Also available are thousands of stolen Zoom passwords.

In the digital underground, there has been a clear increase in chatter concerning the vulnerabilities and exploits that hackers can use to take control of videoconferencing and other collaboration tools. The reason is simple – more people are using them, with as much as a third of the world’s population stuck at home to reduce the spread of the coronavirus.

In a recent investigation into the deep and dark web forums, IntSights came across a cybercriminal who shared several databases containing thousands of Zoom credentials. Besides personal ones, the accounts also belonged to banks, consultancy companies, schools, hospitals and software vendors. Even meeting IDs, names and host keys could be found in some instances.

How did these hackers get access to such information? Again, the dark web forums provide some answers, as hackers and cybercriminals discuss possible strategies to penetrate cyber defenses.

One way is to turn to credential stuffing. This strategy calls for testing usernames and passwords against a website or application to gain access to accounts. Of course, you first have to know if a certain account exists. To do this, hackers on the dark web have discussed creating a configuration file for a well-known open-source tool called OpenBullet. In the past, similar configuration files made to target Ring led to thousands of credentials being leaked online, potentially exposing many security cameras to cyber intruders.

To be sure, there are ways to mitigate the threat of credential stuffing, for example, by enabling two-factor authentication or cutting down the number of login attempts from a certain IP address. However, the threat to videoconferencing tools is just one of several security challenges facing anyone who is turning to digital tools to continue working during this difficult time.
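The two mitigations above, spotting a credential-stuffing run and capping login attempts per source IP, can both be checked against ordinary authentication logs. The script below is an added example, not code from the article or from IntSights: it assumes a constructed log line format (`<timestamp> ip=<addr> user=<name> result=OK|FAIL`), constructed sample addresses, and assumed thresholds (window length, attempt cap, distinct-user count, failure ratio), all of which would be tuned to a real service.

```python
"""Detect credential stuffing in login logs and apply a per-IP attempt cap.

Added example, not from the original article. The log format, IP addresses
and thresholds below are constructed/assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 UTC timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed thresholds (not from the article); tune per service.
WINDOW = timedelta(minutes=5)   # sliding window per source IP
MAX_ATTEMPTS_PER_IP = 10        # cap on login attempts per IP inside WINDOW
MIN_DISTINCT_USERS = 8          # many usernames from one IP is the stuffing signature
MIN_FAILURE_RATIO = 0.8         # stuffed credential lists are mostly wrong


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(lines):
    """Return {ip: summary} for source IPs whose activity looks like credential stuffing.

    Attempts are grouped by IP and a window of length WINDOW is slid over them.
    A window is suspicious when it contains at least MIN_DISTINCT_USERS distinct
    usernames and a failure ratio of at least MIN_FAILURE_RATIO; the largest
    suspicious window per IP is reported, with the usernames that accepted a login
    (the accounts a defender should reset first).
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_ip[parsed[1]].append(parsed)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {e[2] for e in window}
            ratio = sum(1 for e in window if not e[3]) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
                if ip not in flagged or len(window) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(window),
                        "distinct_users": len(users),
                        "failure_ratio": round(ratio, 2),
                        "compromised": sorted(e[2] for e in window if e[3]),
                    }
    return flagged


def over_attempt_limit(lines, ip, now_iso):
    """Per-IP rate limit: True when `ip` made more than MAX_ATTEMPTS_PER_IP
    attempts in the WINDOW ending at `now_iso` (same timestamp format as the log)."""
    now = datetime.strptime(now_iso, TS_FMT)
    count = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == ip and now - WINDOW <= parsed[0] <= now:
            count += 1
    return count > MAX_ATTEMPTS_PER_IP


# Constructed sample: one IP tries 12 different usernames in 12 seconds (one works),
# while a legitimate user at another IP mistypes a password twice and then logs in.
SAMPLE_LOG = [
    f"2020-04-20T10:00:{i:02d}Z ip=203.0.113.5 user=user{i:02d} result={'OK' if i == 7 else 'FAIL'}"
    for i in range(12)
] + [
    "2020-04-20T10:00:05Z ip=198.51.100.7 user=alice result=FAIL",
    "2020-04-20T10:00:09Z ip=198.51.100.7 user=alice result=FAIL",
    "2020-04-20T10:00:15Z ip=198.51.100.7 user=alice result=OK",
]

if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"suspected credential stuffing from {ip}: {summary}")
    print("cap exceeded for 203.0.113.5:",
          over_attempt_limit(SAMPLE_LOG, "203.0.113.5", "2020-04-20T10:00:30Z"))
```

The two checks are deliberately separate: the attempt cap is cheap enough to enforce inline at login time, while the distinct-user and failure-ratio signal is what distinguishes a stuffing run from one user who has forgotten a password, so it belongs in detection, feeding a reset of the accounts listed under `compromised`.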

Seizing on an unprecedented opportunity, cybercriminals have targeted the most popular platforms needed today, such as e-mail, messaging, virtual private networking (VPN) and home networks. While many rely on traditional toolkits, such as phishing e-mails, to reel in victims, the difference is that they can exploit the fear and uncertainty that millions face in a time of crisis.

From IntSights’ investigations, cybercriminals have turned to e-mails that impersonate official departments and prey on the need for information during a fast-changing situation. One claims to be from the Department of Homeland Security and redirects victims to a malware download address. A piece of malware then installs on the victim’s device to steal more information. Yet another piece of malware impersonates the widely shared Johns Hopkins coronavirus outbreak map, by pulling real-time data from the legitimate site. Called AZORult, this is sold by a Russian underground vendor and is a Java-based application that seeks to steal a victim’s credentials. The malware kit is sold on the dark web for about US$200 and comes with a map that is hosted at

Unfortunately, that is just the tip of the iceberg when it comes to cyber threats that have been developed to specifically target victims during this crisis. Frauds and hoaxes are abundant now on the deep and dark web markets. Some are touting rapid test kits to detect the coronavirus, including one shaped like a temperature reader.

Once again exploiting public fear, they are taking advantage of the lack of coronavirus testing in some places, especially in countries like the United States. In all likelihood, however, these “products” are in no way real, and buyers would be scammed out of their money. The fraudulent enterprises extend to fake mobile apps as well. Tapping into the public thirst for information, many fake mobile apps have sprung up in app stores that IntSights has tracked. These include one simply named CoronaVirus Live, for example. While some of these fake apps are benign, others are ransomware, trojans and spyware.

Though the main targets of hackers are easy-to-reach remote workers, some of them have aimed at the organizations most needed by the public now. In their crosshairs are the World Health Organization (WHO), hospitals and even companies developing vaccines. Indeed, the WHO has stated that it has faced more than twice as many cyberattacks since the pandemic began. One recent campaign is thought by researchers to have been mounted by an elite hacking group called DarkHotel. It registered a fake WHO e-mail website that went live on March 13th, after several failed attempts to steal employee credentials.

Many threats can be reduced by basic cyber hygiene, for example, by using the security tools provided and by not using corporate credentials for private purposes. However, more has to be done. With the heightened threat today, especially to remote workers, it is imperative that organizations update their risk assessments.

IntSights recommends the following steps:

  • Closely monitor collaboration and remote working tools
  • Strictly enforce the use of VPNs, encryption, and endpoint security
  • Enforce a strong password policy and 2FA
  • Educate end users on the new threat landscape