Joint alert issued on exploitation of COVID-19 by malicious cyber actors
A joint alert was issued yesterday from the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre regarding exploitation of the novel coronavirus by malicious cyber actors.
Since the onset of the COVID-19 pandemic, there has been a surge in cyberattacks against individuals and organizations of all sizes. This is further complicated by the surge in telecommuting, which increases the threat to such individuals and organizations. The alert describes confirmed exploitation by cybercriminals and advanced persistent threat groups of the ongoing COVID-19 pandemic. It also includes a non-exhaustive list of indicators of compromise for detection and guidance regarding mitigating threats.
Overview of Recent Attacks
APT groups and threat actors often mask their identity to appear as trusted entities. Most recently, such groups are using COVID-19-themed phishing messages or malicious applications to commit espionage and “hack-and-leak” operations. According to the joint alert, the threats observed include:
- Phishing, using the subject of coronavirus or COVID-19 as a lure.
- Malware distribution, using coronavirus- or COVID-19-themed lures.
- Registration of new domain names containing wording related to coronavirus or COVID-19.
- Attacks against newly deployed remote access and telecommuting infrastructure.
Threat actors carry out these attacks by preying on the recipient’s curiosity and concern around the COVID-19 pandemic in order to entice them to click on a link or download an application that may lead to a phishing website or the downloading of malware, including ransomware, or to open a malicious file. Threat actors often use financial themes to carry out their attack and it is anticipated that they will use the new COVID-19 government aid packages as phishing campaign themes.
The goal of a phishing attack is often to steal user credentials. When the recipient clicks on a link, he or she is directed to a spoofed login page in an attempt to get the recipient to hand over their username and password. The spoofed pages may relate to a variety of online services, including bank accounts, e-mail provided by Google or Microsoft, or services accessed. During the COVID-19 period, CISA and NCSC have noted that the websites will often contain COVID-19-related information within the URL, such as “corona-virus-business-update,” “covid19-advisory,” or “cov19esupport”.
To give the appearance of credibility, threat actors often spoof e-mail sender information to make it appear to come from a trustworthy source in order to get the recipient to click on a link. The examples used in the joint alert were e-mails that appeared to come from the World Health Organization, an individual with “Dr.” in his or her title, or from an organization’s human resources department with an instruction to the employee to open an attachment. According to the alert, file attachments from threat actors are often named with COVID-19-themes, such as “President discusses budget savings due to coronavirus with Cabinet.rtf” and contain malware payloads.
Examples of phishing e-mail subject lines identified in the alert include:
- 2020 Coronavirus Updates.
- Coronavirus Updates.
- 2019-nCov: New confirmed cases in your City.
- 2019-nCov: Coronavirus outbreak in your city (Emergency)
Although most phishing attacks are launched via e-mail, the NCSC has observed a significant uptick in text message, or SMS, phishing attacks in relation to COVID-19. “Historically, SMS phishing has often used financial incentives—including government payments and rebates (such as a tax rebate)—as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments’ employment and financial support packages.” In addition to SMS, messaging applications such as WhatsApp are on the rise.
Exploitation of new telecommuting infrastructure
In response to shelter-in-place orders, many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to enable their workforce to work remotely from home. Threat actors are taking advantage of this massive transition by exploiting VPNs and other remote working tools. “CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix, Pulse Secure, Fortinet, and Palo Alto.
Threat actors are also exploiting the increased use of popular group communication platforms, such as Zoom or Microsoft Teams. There are two common forms of these types of attacks. In the first, a phishing e-mail is sent to entice recipients to click on a malicious files “with names such as “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” (# representing various digits that have been reported online). The second form involves threat actors actually hijacking teleconferences and online classrooms that have been set up without proper security controls or with unpatched versions of the teleconference software.
Finally, there has been a noted surge in the use of Microsoft’s Remote Desktop Protocol. Threat actors are gaining access through unsecured RDP endpoints. According to the alert, recent analysis has identified a 127% increase in exposed RDP endpoints, which could make IT systems more vulnerable to attacks.
Mitigation and Guidance
The NCSC has prepared suspicious e-mail guidance for individuals that explains what to do if you have clicked on a potentially malicious e-mail, attachment, or link. It also offers tips on how to identify a phishing e-mail:
- Authority – Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)?
- Urgency – Are you told you have a limited time to respond (e.g., in 24 hours or immediately)?
- Emotion – Does the message make you panic, fearful, hopeful, or curious?
- Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)?
There is also guidance for organizations and cybersecurity professionals. The NCSC recommends educating users on how to defend and prevent an attack and offers, mitigation advice.
Finally, the joint alert provides tips from the FBI for defending against online meeting hijacking:
- Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screensharing options. Change screensharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications.
- Ensure telework policies address requirements for physical and information security.
To read the joint alert, please click here.
Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to prevent unauthorized access, keeping in mind the emphasis in the joint alert that “this is a fast-moving situation.” In the event of a security incident, it is important to promptly investigate and respond to the incident. Depending on the information accessed, there may be reporting obligations to individuals who are the subject of any information accessed by threat actors, to individuals or entities with a contractual relationship with the individual or organization whose information was accessed, or to state or federal agencies. Legal counsel and third-party cybersecurity forensics firms should be consulted as needed.
If you have any questions, please reach out to one of the lawyers below: