Advisory Overview
Hacking groups are still exploiting the COVID-19 pandemic as an opportunity to perform cyber-attacks. The United States’ CISA and the United Kingdom’s NCSC teamed up to issue a joint alert to the top threats. Recommendations are focused on user training and good cyber hygiene. A comprehensive list of recommendations can be found on the CISA website.
Technical detail and additional information
What is the threat?
Many advanced persistent threat (APT) groups are leveraging the COVID-19 outbreak to perform malicious cyber-attacks and aid their operations. These groups will disguise themselves as trusted entities to disseminate Coronavirus-related phishing attempts or malicious applications. These campaigns are consistent with previously observed priorities for these APT groups, mainly espionage and “hack-and-leak” operations. In addition, cybercriminals are continuing to use similar COVID-19 themes to distribute malware, send phishing messages with Coronavirus-related lures, register new domains related to COVID-19, and continuously probe for vulnerabilities in the many work from home applications that are now ubiquitous.
Why is this noteworthy?
A global pandemic in which the overwhelming majority of the work force has been confined to their homes, for remote work or otherwise, is a prime period for cybercriminal and APT activity. An unprecedented number of people are now working remotely and using the internet. While the subject matter that is disguising these attacks has changed, the technical aspects of them stay the same. Malicious actors are still using many social engineering techniques but are now preying upon a desire to stay informed and protect against the outbreak to further their attacks. Numerous vectors of attack have been observed; from phishing emails or SMS posing as free “relief funds” to combat unemployment, applications mapping “outbreaks in your area”, malicious domains with typosquatted names and many more.
What is the exposure or risk?
The risk of falling victim to one of these various attack vectors is standard, with the notable matters for this vulnerability being related to the attack vectors and not the post-compromise damage. The exception to this is of course vulnerabilities in teleworking applications. If you were to be successfully phished your personal or work-related credentials could be compromised and used to launch further attacks or be sold off. If you were to install a malicious application or open a malicious attachment, it could lead to any number of different compromises including but not limited to ransomware (such as the infamous TrickBot), remote access trojans (RATs), keyloggers, and more. In addition to these typical attack vectors, many previously undiscovered vulnerabilities in popular teleworking applications are being discovered. These applications can be insecurely configured to allow unauthorized access, or have one of their vulnerabilities leveraged, or even have lookalike malware distributed as one of these legitimate applications with similarly malicious results.
What are the recommendations?
To combat these threats, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) have released a joint alert to raise awareness and provide mitigation tactics for individual users and organizations alike. The link to these remediations and mitigation tactics can be found below:
References:
For more in-depth information about the recommendations, please visit the following link:
- https://www.us-cert.gov/ncas/alerts/aa20-099a
If you have any questions, please contact our Security Operations Center.
