The Bedel Security Blog

Top 5 Ways Cybercriminals are Exploiting COVID-19

Written by Stephanie Goetz | Apr 10, 2020

We knew this was coming; in my inbox today landed the threat intelligence we have been expecting, which is the most common ways cybercriminals are using fear and uncertainly to hack people and businesses.  In summary, it’s the same old tricks, but with new bait.  As you can imagine, this is the major news focus for everyone currently so it’s only the beginning of this theme.  Empower and educate yourself, employees, family and friends with the breakdown below. 

Here they are based on CISA’s Alert (AA20-099A):

  1. Phishing- Examples of commonly used subject lines include:
  • 2020 Coronavirus Updates,
  • Coronavirus Updates,
  • 2019-nCov: new confirmed cases in your City, and
  • 2019-nCov: Coronavirus outbreak in your city (Emergency).

As all successful phishing emails do, there is a call to action- most commonly to visit a website poised to steal personal, credit card and usernames and passwords.

Recommended Actions:  Many security education platforms released COVID-19 phishing email templates a couple weeks back so if you haven’t already, seize the moment and send them out to remind your users to be skeptical of these emails.  It also wouldn’t hurt to make sure your email system filters are enabled, up to date and quarantining suspicious messages.

  1. SMS Phishing- While these are not as common as email phishing, SMS or text message phishing is also a current target. Historically, SMS phishing has some financial incentive for users to click a link, such as a payment, rebate or gift card.  This time cybercriminals are harnessing government payments in response to COVID-19 and typically send victims to a website to collect personal information and banking information.

Cyber criminals are also starting to pick up on other messaging services as well so keep your guard up on other platforms.

Recommended Actions: Spread the word that COVID-19 relief payments will not be solicited from common messaging services.  Reach out to reliable resources and news channels to understand relief payment terms. 

  1. Malware- Sometimes attached to those phishing emails are files or links with malware that do some of the information gathering without users known actions. A campaign from March 19, 2020 appears to be sent from a World Health Organization Director-General, Dr. Penelope Marchetti.  The email offers thermometers and face masks and contained in the attachment with photos of the products are a keylogger malware, Agent Tesla.  Other malware variants, such as GraceWire and TrickBot are used in email attachments. Of course, ransomware has also been used as often deployed in stressful times to increase the likelihood of payment.

Recommended Actions:  In addition to actions in the phishing section above, ensure your antivirus is enabled and up to date, your systems are backed up in a separate location or network from your production network and your email is configured to identify and quarantine malicious attachments.

  1. Malicious sites- Be aware that attackers are currently registering new domain names containing wording related to coronavirus or COVID-19. The alert did not contain many details, but it is likely that they would be used to capture financial information and credentials.

Recommended Actions:  Check the site address for misspellings or other strange structure or red flags.  Go to the site directly, not through a shared link.  Using webfiltering capabilities for known malicious sites may also help but may not be a perfect solution as these take time to discover and report malicious sites. 

  1. Attacks against newly deployed teleworking infrastructure- Rapidly deployed networks, VPNs, and other ways to accommodate shelter in place orders offer many opportunities for cybercriminals. They are targeting known vulnerabilities, notably Citrix CVE-2019-19781.  Other known vulnerabilities mentioned as favorite targets are VPN products from Pulse Secure, Fortinet and Palo Alto. 

Other targets are conference meeting platforms, including Zoom and Microsoft Teams either by phishing emails with file names including the platform and numbers in executable files in addition to hijacking meetings without passwords or unpatched software versions. 

Recommended Actions: Keep infrastructure and software patched and patch solutions prior to deployment.  Secure conference meetings with passwords and use online waiting rooms to admit participants or other security controls where available in your platform of choice.

If you need help to keep your security program in step with the new COVID-19 threat landscape, we would love to help.  Contact us at  support@bedelsecurity.com or 833-297-7681.

Also, be on the lookout in the next week for a new free resource we're developing to help institutions with some of the new risks they're taking on during this time!

 

Resources:

Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment 

It's a Bad Time for a Cyber Breach
https://www.bedelsecurity.com/blog/its-a-bad-time-for-a-cyber-breach

Remote Work Security
https://www.bedelsecurity.com/blog/remote-work-security

Update: What We're Seeing From the COVID-19 Pandemic Planning Front
https://www.bedelsecurity.com/blog/update-what-were-seeing-from-the-covid-19-pandemic-planning-front

 
View full post