COVID-19 Cyber Threat Indicators
COVID-19 has produced a worldwide physical virus scare that has everyone on edge. Unfortunately, Hackers have not wasted any time in capitalizing on taking advantage of those suffering from the deadly effects of COVID-19. To prevent further compromise, you must take precautions within your corporate networks to implement safeguards against the following described threat vectors that have been observed in the wild. These malicious outsiders are preying on the vulnerable that are desperately seeking help or guidance.
Phishing behavior indicators
When the COVID crisis first launched, there were an observed 5000 unique domains created within the first 96 hours of the initial onslaught. These domains utilized key buzzwords related to what the media used to describe the COVID-19 crisis.
Popular words observed:
- Stimulus checks
The average business can expect to receive around 300-400 external emails per day concerning the COVID crisis. Impersonation attempts have been discovered involving hackers weaponizing malicious weblinks to redirect users to fake sites. Some of these impersonations include the CDC (Centers for disease control and prevention) and internal company Human resources departments communicating phony information related to safety measures, work from home policies, and accounts payable.
In the past several months, the number of campaigns observed has quadrupled. These campaigns were seen in the following three waves:
Wave 1: Coronavirus scare includes symptoms and how to self-diagnose.
Wave 2: Focused on delivering hopes for a cure/vaccine by using disease progress statistics, but also observed several scare tactics around how to care for children at home and the impending market crash.
Wave 3: Mostly tailored to stimulus relief checks and subjects on workforce reduction around the country and stay at home reopening.
An example of a popular phishing theme that was sent around was from the CDC, which prompted users for their OneDrive credentials to view a sensitive document sent over OneDrive. Once credentials are entered, users immediately saw an uptick of emails being forwarded to an unknown Gmail account. Another trending email was in the form of embedded one drive or google drive links that redirected users to a malicious site that injects a payload. These links were disgusted as a “download PDF” link advertised around a local business “COVID-19 relief plan”. The overall objective of using the drive links is that it bypasses healthy email security controls.
Several other examples have been observed, but ultimately over the past 30 days, we have seen the following domains leading the charge in terms of phishing campaigns.
A couple of recommendations that have helped users protect against COVID phishing campaigns are as follows:
- Pay close attention to email senders addresses for spellings and errors, especially from executives that usually wouldn’t email everyone.
- Have a reporting procedure in place so employees can send suspicious emails to the security team for review.
- Ensure the security team can integrate email gateways, endpoint protection, and DNS data sources into threat chains that span across the entire attack kill-chain lifecycle (recon, delivery, exploit, execute, and exfiltration).
Malware detection indicators
An active unnamed malware campaign has been discovered that poses as a coronavirus activity map (that provides legit data), but in the background of the user machine will attempt to gather credentials. Activity to look for includes the unauthorized access to local SAM files, followed by a spike in outbound traffic to a botnet channel hidden behind a CloudFront hop point.
There is also a rise in employee workstation compromises with the increase in the number of employees working remotely during this time. It is strongly advised to ensure all anti-virus software is installed and updated. The use of password protection software (MFA) to provide credibility and the use of a VPN connection when connecting to work-related resources.
Insider threat behavior indicators and VPN monitoring
With the increased remote workforce, security teams must focus on monitoring efforts around the following activity to ensure all business is valid.
- Phishing emails received followed by malicious DNS traffic (threat feed should be ingested into SIEM to streamline this process)
- Continuous unapproved MFA requests within a given time
- Credentialed logins to multiple sources within a given timeframe
- Any local changes to critical files on workstations
- Count of VPN users compared to total active users (Enforce VPN)
The most critical activity to monitoring is your bytes in and bytes out from your user/server devices. Specifically, being able to calculate any new connections made within the past 24 hours to 7 days will help give you a baseline of what is normal. If not created already, a network-level Firewall blocklist should be created, and IPs added that are continually showing up as new communication that exceeds your bytes in/out threshold.
Protecting your company assets and employees is the number one goal. COVID-19 has taken a toll on everyone’s physical and emotional state. Ensure you have the controls mentioned above, and in place, monitoring is the only way to detect and mitigate COVID based attacks effectively.