//Blogs - 18 Mar 2020
COVID-19 Cyber Threats: Observations, OSINT and Safety Recommendations
Here at AusCERT, we have been regularly covering appropriate COVID-19 (aka coronavirus) articles and its development in the various editions of our AusCERT Daily Intelligence Report (ADIR) and Week in Review (WIR) emails.
The purpose of this blog post is to:
- Remind readers that threat actors routinely use the biggest news topics of the day as lures in malspam campaigns, to entice their targets into opening a crafted attachment or following a link to a website under the attacker's control.
- Inform readers of the various vectors or attack angles that threat actors have deployed using COVID-19 as their theme, so that organisations can make informed decisions and take appropriate actions.
AusCERT has been made aware, from direct reports and from OSINT research, of COVID-19 themed threats delivered via email, mobile apps and web applications, as well as social engineering scams.
Some articles have also pointed to the need for monitoring anomalous remote access attempts.
Summary of general recommendations
AusCERT's recommendations to aid resilience during these times of COVID-19 themed attacks are as follows:
- Avoid clicking on promotional links in emails
- Beware of COVID-19 related phishing schemes and fake alerts/health advisories
- Don’t click on baits such as an "80% discount on an exclusive cure" or "treatment for coronavirus"
- Enforce multi-factor authentication where possible
- If there is some general information that can be found searching through an online search, do that instead of clicking the link from a suspicious sender.
- If unsure about the authenticity of a website, don’t proceed with any login procedures
- Log all remote access events
- Monitor data exfiltration points
- Monitor for impossible travel (land speed) anomalies and credential sharing
- Monitor remote access devices
- Organisations should ensure VPN and RDP servers are up-to-date
In more detail: COVID-19, as the latest trending news topic, has been no exception to the pattern of opportunistic crime. When threat actors choose lures for their campaigns, it is no surprise that any permutation of an event relating to COVID-19 is very attractive.
AusCERT has been made aware of Australian organisations receiving malspam with COVID-19 related subject lines. Some (non-exhaustive) examples include:
- Working from home statements from supervisors
- Recommendations to avoid infection
- Statements from Health Authorities (World, Federal, State or Employment related)
One recent example was an email disguised as coming from the Director of Milan University, under the pretence of describing steps to be taken to prevent further spread of the virus. The threat actor's motivation became clear when a malicious URL in the email asked for the user's login name and password.
Another method that researchers reported involved an MS Word document purporting to be from the World Health Organization, containing an embedded URL that led to a fake MS Office website.
Threat actors are cloning, impersonating or crafting websites to facilitate their COVID-19 related scams. Researchers have found that more than 4000 COVID-19 related domains were registered globally. Of those, around 5% could be malicious and an additional 5% are suspicious.
A recent example, reported by security industry journalists and featured in a recent edition of our ADIR, was a clone of the (legitimate) Johns Hopkins University coronavirus map being used to spread malware. This is a reminder to be careful about which websites to trust.
Security researchers at Malwarebytes reported finding malicious code behind the fake website, which had the look-and-feel of the legitimate map and was able to show an up-to-date global heatmap of COVID-19 reports. Malwarebytes reported that the malicious code, a variant of the AZORult information stealer, skims for passwords and credit card details.
Our advice is to use only trusted AND verified information sources, such as government and research institution websites.
Social media users need to be wary of two specific scams that are likely to play off the current COVID-19 situation.
The first is fake fundraising initiatives. "Fundraising" threat actors use stories and images of real people to tap into public sympathy. Notably, these scammers will use legitimate fundraising platforms like GoFundMe to solicit donations. Be cautious of any individual asking for donations.
The second type of COVID-19 related scam involves investments. As the US Securities and Exchange Commission (SEC) recently warned, criminals use social media to promote microcap stocks which they claim have a product or service that can prevent or treat COVID-19. These are known as pump-and-dump scams and can cost investors a lot of money. Be sure to perform some independent research; a quick search will usually clear up any doubt about the proposed investment.
In conclusion, stay alert on social media. Even though these websites are intended for social interactions and help people connect to each other in times of need, stay conscious when scrolling through your news feed.
Malware and mobile apps
Lures that encourage downloading mobile apps related to COVID-19 have also become a common platform for attacks. These tactics have been seen in use by threat actors of every level of sophistication, and they are being used to spread a well-known set of malware families.
It is important to maintain a high level of vigilance towards any related malspam. This is even more important for a workforce that is about to be working from home, where there may be fewer channels available to cross-check the statements made in emails.
Recorded Future recently observed an extensive list of actors and malware families employing various techniques, including Trickbot, Lokibot and Agent Tesla, targeting a broad set of victims, in particular in the USA, Italy, Ukraine and Iran. Threat actors have also tried to gain the trust of victims using branding associated with the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO), as well as country-specific health agencies such as the Public Health Center of the Ministry of Health of Ukraine and China's Ministry of Health, and companies such as FedEx.
COVID-19 themed Android ransomware applications such as CovidLock have impacted individuals and have been the subject of industry analysis. The CovidLock application was named after the malware's capabilities and its cover story. It denies the victim access to their phone by forcing a change in the password used to unlock the device. This is known as a screen-lock attack and has been seen before in Android ransomware.
Please ensure that you download mobile applications only from the official stores (Apple App Store / Google Play). There is a much higher risk of downloading malware from untrusted third-party stores.
COVID-19 campaigns are often highly convincing because cyber criminals use professional phishing kits. These kits are built to reproduce the logos and email formats of legitimate organisations exactly. Additionally, threat actors use "combosquatting" and "typosquatting" tactics to fool users into thinking a link is legitimate.
Typosquatting is when an attacker registers a misspelled version of a popular domain that still looks like the real domain name, for example faecbook.com or wellsfagro.com. Combosquatting has the same aim but does not misspell the brand; instead the correctly spelled brand name is combined with an extra word such as "security", for example wellsfargo-security.com or security-chase.com. Notice that in these domains the brand is spelled correctly and the word "security" is simply prepended or appended.
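The two squatting techniques above can be caught mechanically before a user reaches the page. The following is an added example (not AusCERT's tooling or code from any of the cited reports) that classifies a link as legitimate, a combosquat, a typosquat or unknown against a small brand list. The brand list, the legitimate-domain set and the edit-distance budget are assumptions for the example; the "last two labels" domain reduction is deliberately crude and a production filter should use the Public Suffix List instead.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Brands and their legitimate registrable domains. This list is an assumption
# for the example; in practice it would be your organisation's own brands and
# the third parties (banks, health agencies, SaaS) your staff actually use.
PROTECTED_BRANDS = ("facebook", "wellsfargo", "chase")
LEGITIMATE_DOMAINS = {"facebook.com", "wellsfargo.com", "chase.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Insertions, deletions, substitutions and adjacent transpositions each
    cost one edit, so faecbook -> facebook scores 1, not 2.
    """
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def registrable_domain(url_or_host: str) -> str:
    """Reduce a URL or hostname to its last two labels (e.g. wellsfargo.com).

    Deliberately simple: a production tool should use the Public Suffix List
    (e.g. the tldextract package) so that co.uk-style suffixes are handled.
    """
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host
    host = (urlsplit(url_or_host).hostname or "").lower().rstrip(".")
    labels = [lab for lab in host.split(".") if lab]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url_or_host: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched brand or domain) for a link a user is about to click."""
    domain = registrable_domain(url_or_host)
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate", domain
    sld = domain.split(".")[0]  # second-level label, e.g. "wellsfargo-security"
    # Combosquatting: the brand is spelled correctly but combined with other words.
    for brand in PROTECTED_BRANDS:
        if brand in sld and sld != brand:
            return "combosquat", brand
    # Typosquatting: within a small edit distance of the brand, scaled to its length.
    for brand in PROTECTED_BRANDS:
        budget = max(1, len(brand) // 5)
        if sld != brand and osa_distance(sld, brand) <= budget:
            return "typosquat", brand
    return "unknown", None


if __name__ == "__main__":
    for link in ("https://www.wellsfargo.com/", "faecbook.com",
                 "http://wellsfagro.com/account", "wellsfargo-security.com",
                 "security-chase.com", "example.org"):
        print(f"{link:35} -> {classify(link)}")
```

The substring test for combosquatting will also flag an unrelated site whose name happens to contain a brand, so in practice the verdict is a trigger for review or a warning banner rather than an automatic block, and the brand check should be run over every label of the host (not just the second-level one) to catch chase.com.evil.example-style subdomain abuse.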
Phone and text messages
Threat actors are already impersonating the UN's health agency (the WHO) to carry out a variety of scams, from account takeovers to phony donation requests and the spread of malware. The US Federal Trade Commission (FTC) is also warning of spoofed emails, text messages and phone calls that claim to be from the Centers for Disease Control and Prevention (CDC).
Advanced Persistent Threat (APT)
Check Point Research discovered a new campaign against the Mongolian public sector which takes advantage of the current COVID-19 scare to deliver a previously unknown malware implant to the target. The campaign uses COVID-19 themed documents to lure victims into triggering the infection chain. The attackers updated their toolset from documents with macros and older RTF exploits to the latest variant of the RoyalRoad RTF exploit builder observed in the wild.
By taking a closer look at the campaign, Check Point was able to tie it to other operations carried out by the same (as yet unnamed) group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia and Belarus.
We highly recommend readers review this report. Check Point provides a full analysis of the TTPs used throughout the campaign, the infrastructure, and the new tools they uncovered during their research into what they believe to be a China-based threat actor.
Royal Road – Specifics/IOCs
Royal Road is an RTF weaponiser, sometimes called "8.t RTF exploit builder". This tool is shared between multiple threat actors and is known to exploit:
RTF files produced by the builder carry a number of characteristics that help with attribution. The many threat actors who use RoyalRoad can be divided into three groups, which suggests connections between those actors.
To review the documented IOCs, see "Appendix-1: IOC" in the article that follows.
COVID-19 Scams: further industry analysis
Wired published an interesting article on coronavirus phishing scams.
“It's not surprising that they would attempt to incorporate the coronavirus into that playbook so quickly. But the move illustrates how phishing attempts so consistently hew to certain time-tested topics and themes”.
The article went on to describe that “the success rate of seasonally themed phishing emails pales in comparison, though, to those pegged to a critical world event. People living through Brexit uncertainty or a natural disaster have disproportionate questions and concerns. Attackers can exploit those fears and doubts by suggesting they have answers”.
The takeaway is to always be aware that “email scammers often try to elicit a sense of fear and urgency in victims”.
As of March 11, 2020, Recorded Future's own analysis indicated that COVID-19 had primarily been used by cybercriminals as a theme for phishing lures. However, they observed at least three cases where a reference to COVID-19 was leveraged by possible nation-state actors. They assessed that as the number of COVID-19 cases, and the publicity around the virus, rises globally, both cybercriminals and nation-state actors will increasingly exploit the crisis as a cyberattack vector.
They further assessed that:
- “Cybercriminals will often use the branding of “trusted” organisations in these phishing attacks, especially the World Health Organization, in order to build credibility and get users to open attachments or click on the link”
- “For the duration of the outbreak, COVID-19 will continue to be used as a lure, and that new versions of these lures targeting new countries will emerge”
Their analysis is in-depth and interesting reading, so readers should consider reading the full analysis available via the following link.
Now that we've covered the observations and OSINT findings above, let's look at the safety recommendations from the ACSC, ASD and US-CERT:
Australian Gov: ACSC and ASD
In their article "Cyber security is essential when prepping for COVID-19", the ACSC suggested that organisations incorporate a set of defined, proactive strategies to address cyber threats, including those associated with COVID-19, quoting the ASD:
“The Australian Signals Directorate (ASD) would like to remind you to incorporate cyber security into your contingency planning. As more staff may work from home, and the use of remote access technology increases, adversaries may attempt to take advantage. ASD's Australian Cyber Security Centre (ACSC) encourages Australians to remain vigilant and ensure sound cyber security practices.”
USA Gov: US-CERT
Organisations should be vigilant to COVID-19 themed cyber threats and consider their enterprise VPN security as it relates to staff working remotely (teleworking).
The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19 related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
CISA encourages individuals to remain vigilant and take the following precautions:
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Review CISA Insights on Risk Management for COVID-19 for more information.
US-CERT further addressed enterprise VPN security in its security bulletin Alert (AA20-073A):
As organisations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organisation’s information technology (IT) network. As organisations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organisations to adopt a heightened state of cybersecurity.
CISA encourages organisations to review the following recommendations when considering alternate workplace options:
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.
- Alert employees to an expected increase in phishing attempts.
- Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery.
- Implement MFA on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords.
- Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritise users that will require higher bandwidths.
Individuals and organisations should expect to see a wide range of COVID-19 related phishing emails, smishing (text message phishing), and phone fraud scams over the coming weeks.
These scams will play on our anxieties about how the virus is spreading. They can take several forms, for instance fake health agency warnings about infections in your local area, vaccine and treatment offers, and alerts about critical supply shortages.
In particular, individuals should avoid clicking on promotional links in emails. Don’t click on baits such as an "80% discount on an exclusive cure" or "treatment for coronavirus"
If unsure about the authenticity of a website, don’t proceed with any login procedures. If there is some general information that can be found searching through an online search, do that instead of clicking the link from a suspicious sender.
Organisations should enforce multi-factor authentication where possible, and ensure VPN and RDP servers are up to date. IT/security teams should log all remote access events, monitor data exfiltration points, monitor for impossible travel (land speed) anomalies and credential sharing, and monitor remote access devices.
If there is any doubt about a received item, individuals should reach out to the appropriate teams within their organisation for reassurance.
Organisations should be vigilant to COVID-19 themed cyber threats. Any organisation that believes it has been the victim of a targeted attack should contact the ACSC.
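The "land speed" check recommended in the summary and restated here is the one remote-access control that catches a stolen or shared credential even when the password and MFA were both accepted. The following is an added example (not AusCERT's code, nor anything from the ACSC or CISA guidance) of that check run over a handful of constructed VPN login lines. The log format, the documentation-range source IPs and their mapping to cities are assumptions standing in for a real VPN concentrator log and a GeoIP lookup; the 1000 km/h threshold is likewise a chosen parameter.

```python
import math
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of VPN authentication events (not real log data).
# Format assumed for the example: ISO-8601 UTC timestamp, event name, user, source IP.
SAMPLE_LOG = """\
2020-03-17T08:02:11Z vpn-login user=alice src=203.0.113.10
2020-03-17T08:40:55Z vpn-login user=alice src=198.51.100.7
2020-03-17T09:15:00Z vpn-login user=bob src=192.0.2.44
2020-03-17T13:20:30Z vpn-login user=bob src=203.0.113.99
2020-03-17T13:21:00Z vpn-logout user=bob src=203.0.113.99
"""

# Stand-in for a GeoIP lookup: documentation-range IPs mapped to assumed cities (lat, lon).
GEO: Dict[str, Tuple[float, float]] = {
    "203.0.113.10": (-27.47, 153.03),   # Brisbane
    "198.51.100.7": (51.51, -0.13),     # London
    "192.0.2.44":   (-33.87, 151.21),   # Sydney
    "203.0.113.99": (-37.81, 144.96),   # Melbourne
}

# Anything faster than this between two logins cannot be one person travelling;
# 1000 km/h is a generous allowance for a direct commercial flight.
MAX_KMH = 1000.0

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<ip>\S+)$")


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_login(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Parse one login line; returns None for anything that is not a login."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["ip"]


def impossible_travel(log_text: str, max_kmh: float = MAX_KMH) -> List[dict]:
    """Flag consecutive logins by the same user that imply an impossible speed.

    A speed above max_kmh means the credential is being used from two places
    at once: shared with someone else, or stolen and replayed by an attacker.
    """
    last: Dict[str, Tuple[datetime, str, Tuple[float, float]]] = {}
    alerts: List[dict] = []
    for line in log_text.splitlines():
        ev = parse_login(line)
        if ev is None:
            continue
        ts, user, ip = ev
        here = GEO.get(ip)
        if here is None:      # unknown location: no speed can be computed
            continue
        if user in last:
            prev_ts, prev_ip, there = last[user]
            km = haversine_km(there, here)
            hours = (ts - prev_ts).total_seconds() / 3600.0
            # Same place is never suspicious; zero elapsed time from a different
            # place is treated as infinitely fast (concurrent use of the account).
            speed = math.inf if hours <= 0 else km / hours
            if km > 0 and speed > max_kmh:
                alerts.append({"user": user, "from": prev_ip, "to": ip,
                               "km": round(km), "hours": round(hours, 2),
                               "speed_kmh": round(speed)})
        last[user] = (ts, ip, here)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG):
        print(alert)
```

In the sample, alice's Brisbane login followed 39 minutes later by one from London is flagged, while bob's Sydney-to-Melbourne move over four hours is not. Known corporate egress points and VPN-over-VPN users should be allow-listed before this goes into a SIEM rule, otherwise split-tunnel and carrier-grade NAT users will dominate the alert queue.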
And in turn, all AusCERT member organisations know they can reach out to us here at AusCERT for further assistance. We are here to help.
In the meantime, during this time of change and challenge, please stay safe in both the physical and virtual worlds.
All the best,
Colin Chamberlain CISSP
Principal Analyst, AusCERT