On Friday, April 10, 2020, the Department of Homeland Security, the Cybersecurity and Infrastructure Agency and the United Kingdom’s National Cyber Security Centre (NCSC) (jointly, the Agencies) issued a joint statement regarding the growing prevalence of COVID-19-related cyberattacks. The alert focuses on advanced persistent threat (APT) groups and other cybercriminals that are targeting organizations with COVID-19-themed attacks, taking advantage of the surge in teleworking, which has increased the use of potentially vulnerable systems, including virtual private networks (VPNs).

The cybercriminals are leveraging the current pandemic to prey on the curiosity and concern surrounding COVID-19. They are using a variety of techniques, all of which lure individuals into clicking on a link or an attachment that promises important information regarding the current pandemic, be it about financial relief or a potential health threat the individual may have been exposed to. Below is a summary of some of the ways these cybercriminals reach out to individuals, as well as steps individuals and companies can take to help protect themselves from falling victim to these attacks.


The Agencies have observed a large number of phishing campaigns that prey on people’s fears about and interest in COVID-19. Specifically, the Agencies report seeing phishing emails with the following subject lines:

  • 2020 Coronavirus Update.
  • Coronavirus Updates.
  • 2019-nCov: New confirmed cases in your city.
  • 2019-nCov: Coronavirus outbreak in your city (Emergency).

Other phishing emails spoof trustworthy sources such as the World Health Organization (WHO) or the user’s human resources department. These emails contain instructions for the reader to act, often by encouraging the reader to visit a website set up by the cybercriminals to steal data, including usernames, passwords, credit card information and other personal information. In addition to spoofing a trusted source, the cybercriminal may also compromise the source and use the source’s legitimate email to communicate with other individuals and entities to further the scam.

What You Can Do

The final line of defense against these attacks is for companies and their workforce to stay alert for suspicious emails, including unsolicited emails that appear to come from a trusted source. When in doubt, recipients of emails that seem off or were not expected should ask the sender – via another form of communication, such as telephone or text message – whether the email is legitimate. NCSC offers these tips for spotting a phishing email:

Authority – Is the sender claiming to be someone official, such as a doctor or a lawyer, imploring you to take a particular action or read a particular attachment?

Urgency – Phishing emails often threaten repercussions for not responding within a certain time period.

Emotion – Phishing emails often employ threatening language, make false claims, or use other language that plays on a person’s fear, hope or curiosity.

Scarcity – Be wary of unsolicited emails offering something in short supply, such as personal protective equipment (PPE) or other medical equipment.

If the email is from a trusted source but was not expected, pick up the phone and call the person before clicking on any links or attachments. Asking for confirmation by email is not always the best way to confirm legitimacy, since the attacker may have compromised the sender’s email account, may still be in that account, and may reply that the email is legitimate and safe.
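The checks above can also be applied mechanically as a first-pass mail triage. The following Python sketch is an added example, not code from the Agencies' alert: it flags a message whose subject matches one of the reported subject lines, that trips any of the four NCSC cues, or whose display name claims a trusted sender while the address does not. The keyword lists, the sample message and the mapping of the WHO display name to the `who.int` domain are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lines the Agencies report seeing (from the list above), lowercased.
REPORTED_SUBJECTS = {
    "2020 coronavirus update",
    "coronavirus updates",
    "2019-ncov: new confirmed cases in your city",
    "2019-ncov: coronavirus outbreak in your city (emergency)",
}
# Constructed keyword lists for the four NCSC cues; tune them for your own mail.
CUES = {
    "authority": r"\b(world health organization|director general|human resources|doctor|lawyer)\b",
    "urgency": r"\b(immediately|urgent|emergency|within \d+ (hours|days)|deadline)\b",
    "emotion": r"\b(infected|exposed|confirmed cases|outbreak|relief)\b",
    "scarcity": r"\b(face masks?|thermometers?|ppe|short supply|limited stock)\b",
}
# Assumption: display names mapped to the domain the real sender mails from.
TRUSTED = {"world health organization": "who.int"}

# Constructed sample message (not a real capture).
SAMPLE = (
    "From: World Health Organization <alerts@who-updates.example>\n"
    "Reply-To: desk@mailbox.example\n"
    "Subject: 2019-nCov: Coronavirus outbreak in your city (Emergency).\n"
    "\n"
    "Read the attached safety measures immediately.\n"
)

def triage(raw):
    """Return the list of warning flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip().rstrip(".").lower()
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{name} {subject} {body}".lower()
    flags = ["reported-subject"] if subject in REPORTED_SUBJECTS else []
    flags += [cue for cue, pattern in CUES.items() if re.search(pattern, text)]
    expected = TRUSTED.get(name.lower())
    if expected and domain != expected and not domain.endswith("." + expected):
        flags.append("display-name-spoof")  # claims a trusted name, wrong domain
    reply = parseaddr(msg["Reply-To"] or "")[1].rpartition("@")[2].lower()
    if reply and reply != domain:
        flags.append("reply-to-mismatch")   # replies are routed somewhere else
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A clean result does not clear a message: mail sent from a compromised but legitimate account passes the sender checks, which is why the phone call described above remains necessary.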

SMS Phishing

In addition to traditional email phishing, the Agencies have observed an increase in phishing through text messages. These phishing messages are often financial in theme, highlighting the economic impact of the pandemic and the government’s financial support packages. They often contain links to websites that harvest sensitive personal information, such as usernames and passwords as well as financial information. While the Agencies have primarily seen text messaging and email as the prominent means of phishing, the Agencies remind people to remain vigilant to other messaging services, such as WhatsApp, and any messages with financial themes that appear to be related to COVID-19.

What You Can Do

As with email phishing, consider whether the message conveys urgency, whether it comes from an authority figure imploring action, and whether it promises items that are in short supply. Additionally, pay close attention to the sender of the text message; if it is unsolicited or from an unknown organization or person, it is best not to click on a link or provide further information.


The Agencies report seeing a number of COVID-19 lures that persuade someone to open an attachment to an email or download a malicious file from a linked website, which then executes malware compromising the device. One such tactic leverages “Agent Tesla” keylogger malware in an email that appears to come from the director general of WHO. Another example cited in the statement points to a campaign that offers thermometers and face masks, exploiting the shortage of PPE, which actually downloads “Agent Tesla” onto the system when the user views images of the offered PPE. Other emails contain attachments or links that load “GraceWire” or “TrickBot,” which often download further malicious files, such as remote access trojans, desktop sharing clients and ransomware.

What You Can Do to Protect Yourself and Your Organization

As with phishing emails, users must remain vigilant as to the sender of the message, whether it is something they expected to receive, and whether there are any anomalies in the message, such as misspellings or a different sender name. Users should be wary of opening emails from organizations offering information related to COVID-19, such as the WHO or a state health department, especially if the user does not typically receive correspondence from that organization.

Exploitation of Teleworking Infrastructure

Many organizations worked quickly to set up teleworking networks to allow their workforce to continue working remotely. For many companies, it was a huge undertaking to move so many people to remote work capabilities on an expedited timeline. Cybercriminals are taking advantage of this as well as publicly known vulnerabilities in VPNs and other remote working tools and software, including Citrix, Pulse Secure, Fortinet, Microsoft Remote Desktop Protocol and Palo Alto.

What You Can Do

The guidance includes links to various agencies’ reports on the vulnerabilities within these systems being exploited, along with mitigation recommendations. Importantly, all the mitigation recommendations focus on applying the patches pushed out by the vendor and performing all network updates. For organizations that quickly took action to stand up the remote workplace, it is important that those organizations review all security controls, available patches and updates, and endpoint protection to ensure they are up to date and as secure as possible to prevent exploitation of any vulnerabilities.

Meeting Hijacking

Additionally, the Agencies report on the exploitation of popular communications platforms, such as Zoom, which has been covered extensively in the news recently. In addition to the “hijacking” of teleconferences and online classrooms that do not take advantage of offered security controls such as passwords or that are using outdated versions of the software, cybercriminals are sending phishing emails pretending to be invitations to Zoom or Microsoft Teams meetings, which contain malicious code or files.

What You Can Do

Meeting hijacking is something that is becoming more prevalent in the COVID-19 era. There are some ways that individuals can help prevent their meetings from being taken over by cybercriminals, including:

  • Not making meetings public and requiring a meeting password or using a waiting room to control the guests in the meeting.
  • Not providing links to the meeting on unrestricted, unprotected sites, such as social media.
  • Ensuring screen share options are for the host only.
  • Ensuring users are using the most up-to-date versions of remote access and meeting applications.
  • Ensuring telework policies address requirements for physical and information security.

The unfortunate reality is that cybercriminals are taking advantage of the pandemic and leveraging the fear and changing reality we are all facing to further their agendas at the expense of an already weary population. As we continue to adapt to this new normal, we must remain vigilant to evolving cybersecurity threats. Through vigilance, we can all help ensure minimal disruption to teleworking.