Hackers, APTs Exploiting COVID-19 with Phishing Attacks, Fraud Schemes

April 09, 2020 - Cybercriminals and advanced persistent threat (APT) groups are exploiting the Coronavirus pandemic with COVID-19-related scams and phishing attacks, according to a joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and UK National Cyber Security Centre (NCSC).

CISA and NCSC have both seen an increase in schemes related to the pandemic, while the increase in remote work and telehealth have expanded the attack surface and the risk to enterprises through vulnerable endpoints, such as Virtual Private Networks (VPNs).

Calling it a “fast-moving situation,” the cyber agencies provide both a summary of prominent attacks and mitigation techniques.

“APT groups are using the COVID-19 pandemic as part of their cyber operations. These cyber threat actors will often masquerade as trusted entities,” officials warned. “Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised.”

“Their goals and targets are consistent with long-standing priorities such as espionage and ‘hack-and-leak’ operations,” they added. “Both APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months.”

READ MORE: Another COVID-19 Research Firm Targeted by Ransomware Attack

Hackers are leveraging ransomware and other malware through phishing lures, malware distribution, domain registration tied to COVID-19, and attacks against new, and often rapidly deployed, remote access and teleworking infrastructure.

CISA and NCSC warn these threat actors are relying on social engineering to entice users to carry out specific actions. As Proofpoint recently reported, these attacks are highly sophisticated, targeting human nature and exploiting people. As a result, detection is difficult, which means cyber defenses must be focused on people to prevent falling victim, not technology.

The latest campaigns are banking on fear and curiosity around the pandemic to entice users to click on links, download apps that lead to phishing websites, or even download malware or ransomware.

“For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install ‘CovidLock’ ransomware on their device,” officials explained.

“To create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization  or an individual with ‘Dr.’ in their title,” they added.

READ MORE: COVID-19 Business Email Compromise Schemes, Ransomware Escalating

Multiple phishing samples contain links to fake login pages, while other emails will appear to be sent from the organization’s human resources department. The agencies have seen a large volume in Coronavirus-related phishing and SMS phishing attempts.

A large number of threat actors are ramping up phishing efforts for credential theft and malware deployment, as well, leveraging social engineering often complemented with urgent language to further entice the user to engage in risky behavior.

The agencies provided several examples, including campaigns that appear to be sent from the WHO General Director and others that offer thermometers or face masks to fight the epidemic.

“In other campaigns, emails include a Microsoft Excel attachment or contain URLs linking to a landing page that contains a button that—if clicked—redirects to download an Excel spreadsheet, such as ‘EMR Letter.xls’,” officials explained.

“In both cases, the Excel file contains macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the “Get2 loader" malware,” they added.

READ MORE: FBI: COVID-19 Spurs Increase in Zoom, Video-Conferencing Hijacking

Hackers are also leveraging the notorious Trickbot malware: a notorious backdoor threat known to later install ransomware payloads. CISA and NSCS have detected emails targeting users with documents purporting to share information related to the virus, which contain malicious macros that later installs malware.

Lastly, the agencies warn hackers are taking advantage of the rapid increase in remote work, exploiting known VPN vulnerabilities and Citrix server flaws. DHS earlier warned hackers were targeting Citrix vulnerabilities through its Application Delivery Controller and Gateway. Researchers detected an increase in scans seeking to find the flaw in the wild.

Last year, vulnerabilities were disclosed in some of the most popular VPN platforms, which received several repeated alerts to patch throughout the year. However, by January 2020, thousands of these vulnerable platforms remained unpatched.

Hackers are also targeting the increase use in videoconferencing platform, which echoes recent warnings about the Zoom platform.

The alert is just the latest warning from Federal agencies and security researchers that hackers are not slowing their attacks in the wake of the pandemic but are rapidly increasing targeted attacks to exploit the pandemic for their financial gain.

The FBI has warned of an expected increase in business email compromise schemes, as well as targeted hijacking attempts of Zoom and other videoconferencing platforms. Interpol and Microsoft have warned threat actors are targeting the healthcare sector with ransomware.

Meanwhile, security researchers have continued to release insights into ongoing phishing and fraud schemes tied to the Coronavirus, as well as targeted DNS router hijacking attacks.

CISA and NSCS are urging organizations to look into agency guidance around COVID-19 cyber scams, as well as phishing guidance to prevent falling victims. JAMA research has shown phishing education can drastically reduce cyber risk.

NIST has sound guidance around ransomware and other data integrity attacks, while Barracuda Networks has a deep dive into business email compromise techniques. And for healthcare, as telehealth and remote work continues to expand, privacy and security should be top of mind through tech and processes.