Are You Aware of the Security Guidance on COVID-19 Cyberattacks?

Hackers... hackers everywhere! In the middle of the coronavirus pandemic we read about them daily, yet we rarely know their next move. From healthcare to education, attackers are gaining a foothold in every sector.

Attackers on a roll

The goals of cybercriminals and threat groups have not changed: long-standing priorities such as cyberespionage, financial fraud, and "hack-and-leak" operations remain. What has changed is the lure. Posing as trusted entities, APT groups and cybercriminals are capitalizing on the COVID-19 pandemic to deliver ransomware and other malware through coronavirus-themed phishing emails, SMS messages, and malicious applications.

The annals of the COVID-19 cyberattacks

In the last few weeks, the number of coronavirus-themed attacks has skyrocketed. For example, a series of SMS messages was found to use a UK government-themed lure to collect names, email addresses, postal addresses, and banking details. Claiming to be from "UKGOV", these messages carried a direct link to the phishing site.

In addition, the National Cyber Security Centre (NCSC) observed several email campaigns delivering the "Agent Tesla" keylogger. One campaign, which began around mid-March, purported to come from Dr. Tedros Adhanom Ghebreyesus, Director-General of the WHO. A similar campaign offered thermometers and face masks for dealing with the COVID-19 outbreak; the email appears to attach images of these medical products but instead carries a loader for Agent Tesla.

In other campaigns, emails either enclosed a Microsoft Excel attachment (e.g., "8651 8-14-18.xls") or linked to a page with a button that, if clicked, redirects to the download of an Excel spreadsheet such as "EMR Letter.xls". In both cases the Excel file contained macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the "Get2" loader, which has been observed loading the "GraceWire" Trojan.

The "TrickBot" banking Trojan has also been used in several COVID-19-related campaigns. For example, emails targeting Italian users carried a document posing as coronavirus information. The document contained a malicious macro that downloads a batch (BAT) file and launches JavaScript, which in turn pulls down the TrickBot binary and executes it on the system.

Many organizations have rushed out new network and IT infrastructure, including VPNs, to move their entire workforce to remote work. Attackers are taking advantage of this and of the increased use of communications platforms such as Microsoft Teams and Zoom by sending phishing emails with malicious attachments named to look like client installers, such as "zoom-us-zoom_##########[.]exe" and "microsoft-teams_V#mu#D_##########[.]exe" (where each "#" stands for a digit).
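The attachment names above are detection material, not just anecdotes. As an added example (not code from the advisory or from the original article), the Python below converts the advisory's masked names, where "#" stands for exactly one digit and "[.]" is a defanged dot, into anchored regular expressions, and runs them together with a simpler triage rule for the macro-capable Excel attachments described earlier over a few constructed mail-gateway log lines. The key=value log format, the sample lines, and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Masked attachment names quoted in the CISA/NCSC advisory. In the advisory's
# notation '#' stands for exactly one digit and "[.]" is a defanged dot.
ADVISORY_MASKS = [
    "zoom-us-zoom_##########[.]exe",
    "microsoft-teams_V#mu#D_##########[.]exe",
]

# Macro-capable Office extensions. A hit here is a triage signal only: the file
# must still be detonated in a sandbox or checked for VBA (e.g. with olevba).
MACRO_CAPABLE = {".xls", ".xlsm", ".xlam", ".doc", ".docm", ".dot", ".dotm"}


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Convert an advisory-style masked filename into an anchored regex.

    "[.]" is refanged to ".", each '#' becomes one digit, and every other
    character is escaped so it matches literally. Matching is case-insensitive
    because Windows file names are.
    """
    refanged = mask.replace("[.]", ".")
    body = "".join(r"\d" if ch == "#" else re.escape(ch) for ch in refanged)
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)


ADVISORY_RULES = [(mask, mask_to_regex(mask)) for mask in ADVISORY_MASKS]

# Constructed sample log (assumption: a key=value gateway format with a quoted
# attachment name; real products differ). Line 5 carries only five digits and
# must not match the ten-digit advisory mask.
SAMPLE_LOG = """\
2020-04-08T09:12:44Z from=hr@example.com to=alice@example.com attachment="zoom-us-zoom_1234567890.exe" verdict=delivered
2020-04-08T09:13:02Z from=it-support@example.net to=bob@example.com attachment="microsoft-teams_V3mu7D_0987654321.exe" verdict=delivered
2020-04-08T09:15:10Z from=finance@example.com to=carol@example.com attachment="EMR Letter.xls" verdict=delivered
2020-04-08T09:16:30Z from=team@example.com to=dave@example.com attachment="agenda.pdf" verdict=delivered
2020-04-08T09:17:01Z from=spoof@example.org to=erin@example.com attachment="zoom-us-zoom_12345.exe" verdict=delivered
"""

_ATTACHMENT = re.compile(r'attachment="([^"]*)"')
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one gateway line into fields; the quoted attachment may contain spaces."""
    fields = dict(_FIELD.findall(line))
    match = _ATTACHMENT.search(line)
    fields["attachment"] = match.group(1) if match else ""
    return fields


def classify(attachment: str) -> Optional[Tuple[str, str]]:
    """Return (rule, severity) for an attachment name, or None if nothing fires."""
    for mask, pattern in ADVISORY_RULES:
        if pattern.match(attachment):
            return ("advisory-ioc:" + mask, "high")
    dot = attachment.rfind(".")
    extension = attachment[dot:].lower() if dot != -1 else ""
    if extension in MACRO_CAPABLE:
        return ("macro-capable-office-attachment", "review")
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run every rule over each non-empty log line and collect the hits."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = parse_line(line)
        verdict = classify(fields["attachment"])
        if verdict is None:
            continue
        rule, severity = verdict
        hits.append({
            "line": lineno,
            "to": fields.get("to", "?"),
            "attachment": fields["attachment"],
            "rule": rule,
            "severity": severity,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: [{hit['severity']}] {hit['rule']} -> "
              f"{hit['attachment']} (to {hit['to']})")
```

Anchoring the regex matters: the fifth sample line, with only five digits, does not match, which is what you want when the advisory's mask is precise; loosen the mask deliberately if you want to catch variants. The Office-extension rule only queues attachments for macro inspection; a filename cannot tell you whether the file actually carries VBA.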

The rise in teleworking has also increased the use of Microsoft's Remote Desktop Protocol (RDP). Attacks on unsecured RDP endpoints have been widely reported, and according to a recent analysis the number of Internet-exposed RDP endpoints has grown by 127%. Without the right controls, such as network-level authentication, strong credentials, and access only through a VPN rather than direct exposure, this growth makes IT systems more vulnerable to brute-force and credential-based attacks.

But how can we keep up with these attacks? Let’s find out!

The launch of security guidance

To keep attackers at bay, government security agencies including the FBI, DHS, CISA, and the NCSC have stepped in and issued guidance to improve the security posture of individuals and organizations. Let's look at the different guidelines these bodies have set out.

A joint alert from DHS CISA and the NCSC

This joint advisory from DHS CISA and the NCSC describes how cybercriminals and APT groups are exploiting the COVID-19 global pandemic. It includes a list of indicators of compromise (IOCs) for detection, together with mitigation advice. The NCSC and CISA are working with law enforcement and industry partners to disrupt or prevent these malicious COVID-19-themed campaigns.

Phishing guidance for individuals 

The NCSC's suspicious email guidance explains whom to contact if your account or device has been compromised and the mitigation steps you can take, such as changing your passwords. It also gives tips for recognizing a phishing email.

Phishing guidance for organizations and cybersecurity professionals 

Organizations that broaden their defenses beyond user awareness to include technical measures improve their resilience against phishing. The NCSC's guidance divides these mitigations into four layers: making it difficult for attackers to reach users, helping users identify and report suspected phishing emails, protecting the organization from the effects of undetected phishing emails, and responding quickly to incidents. CISA's guidance likewise stresses helping users identify and report suspected phishing emails.

Communications platforms guidance for individuals and organizations

With attackers hijacking online meetings, the FBI has issued tips for defending against meeting hijacking, for example keeping meetings private with a password or waiting room, not sharing meeting links on public social media, and restricting screen sharing to the host.

The bottom line - Abide by these rulebooks

Organizations need to scan and monitor their networks thoroughly for any sign of compromise, starting with the IOCs published in the joint advisory. Adhering to the guidance issued by CISA, the NCSC, and the FBI will help both individuals and organizations mitigate the risk of malicious cyber activity related to COVID-19.