DHS and UK’s NCSC Warn of Numerous COVID-19 Related Cyberattacks from APT Groups and Other Hackers
It’s a storm of COVID-19 themed cyberattacks. Phishing emails, malicious text messages, malware, spoofed websites, video conferencing app exploits, and VPN vulnerabilities are all in play by hackers trying to exploit COVID-19 fears and the new work-from-home workforce. Every day there is a new variation of COVID-19 cyberattack. As the Coronavirus wears on, hackers are hard at work trying to scam people out of money and data.
The United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert concerning numerous cyberattack using COVID-19 themed messaging. Both APT groups and cybercriminals are operating with a growing arsenal of malwares, phishing email campaigns, and conferencing app exploits. The sudden increase in working from home due to COVID-19 and the use of conferencing apps and virtual private networks (VPNs) provides more targets for hackers to exploit.
Both CISA and NCSC are seeing a growing use of COVID-19-related messaging by malicious cyber actors. Individuals, small businesses, medium enterprises, hospitals, and large organizations are all being targeted by hackers. Defense and mitigation advice from DHS and NCSC follow.
The alert states, “To create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with “Dr.” in their title. In several examples, actors send phishing emails that contain links to a fake email login page. Other emails purport to be from an organization’s human resources (HR) department and advise the employee to open the attachment.”
Coronavirus Cyberthreats include, but are not limited to:
- Phishing emails with COVID-19 messaging
- Malware attacks using COVID-19 emails impersonating official health agencies or governments
- Malicious website with coronavirus or COVID-19 themed names
- Attacks against video conferencing apps, VPNs, and other telecommuting tools
There are two running lists of current threats on GitHub and Reddit
Smartphones are susceptible to these cyberattacks too. A malicious Android app that claims to be a real-time Coronavirus tracker is actually a rogue app that tricks the user into granting admin rights then infects the phone with CovidLock ransomware.
What is an APT Group?
APT Group is short for Advanced Persistent Threat Group. APT groups are organized, professional groups of hackers that work for nation-states. Often these APT groups hack IT networks of major corporations, political organizations, and other governments. APT groups are highly skilled and generally work with a low-and-slow strategy and may steal sensitive data from a target for years before detection. APT groups work to steal money to fund other operations for their sponsoring government or for espionage. Hackers may also impersonate banks or other financial institutions familiar to the target in order to gain trust.
- FBI Reports Rise in Fraud Related to Coronavirus (COVID-19)
- Saturday Sitrep: Coronavirus and Russian Botnets
- Chinese Hackers Launch Coronavirus Malware Attacks
- FormBook Malware Exploits Coronavirus Outbreak Fears
Summary of COVID-19 Related APT Cyberattacks
Currently there are numerous reported phishing emails, malware, and SMS text messages using COVID-19 themed messaging in an attempt to exploit people fears and concerns. Many of the messages are impersonation scams where with phishing emails that purport to be from official agencies, like the World Health Organization (WHO) or US Center for Disease Control (CDC)
COVID-19 Phishing Scams
Both cybersecurity agencies report email phishing campaigns using subject lines with supposed Coronavirus Updates or reports of a confirmed case or outbreak in the recipient’s area. These campaigns are designed to steal sensitive data like account usernames, passwords, or payment card information.
Video Conferencing Apps
The sudden increase in working from home has brought an increase in attacks on conferencing apps and virtual private networks. DHS reports an increase in attacks on Zoom or Microsoft Teams. Hackers send call meeting invitations with spoofed domain names and fake meeting IDS. In other attacks, hacker glean dial in information from unsecured websites and communication and hijack video calls and online classrooms that have been set up without security features like PINS or passwords.
Virtual Private Networks
If that’s not enough, hackers are exploiting known vulnerabilities in Pulse Secure, Fortinet, and Palo Alto virtual private networks (VPN) services. CISA and NCSC both have observed actors scanning for a known vulnerability, CVE-2019-19781, in Citrix which was reported in January 2020.
COVID-19 SMS Phishing Scams
Britain’s NCSC reports that hackers are also using SMS text messages with UK government and stimulus payment themed messaging.
Tapping the link in the text message sends the victim to a fake UK government themed website that steals emails, physical addresses, names, and banking information when the user enters the information on the website.
Messaging apps like WhatsApp have also been used to send scam messages.
Hackers use the phishing emails and messages to send victims to spoofed websites. These scam websites are designed to look just like banks, government websites, Gmail, or Microsoft email services. The websites may appear legitimate and contain COVID-19 information in an attempt to trick the reader into thinking the website is legitimate.
If the user enters any information such as bank account details, passwords, or other sensitive data it is sent to the hacker.
Still other spoof website may download malware to the readers computer or phone. Malwares seen in attacks include Agent Tesla and HawkEye, both of which are keylogger malwares (a type of malware that records all keystroke from the infected device) Email attachments have installed Get2 loader malware which in turn downloads GraceWire Trojan. TrickBot malware has also been observed. According to the alert, “In many cases, Trojans—such as Trickbot or GraceWire—will download further malicious files, such as Remote Access Trojans (RATs), desktop-sharing clients, and ransomware.”
Typical Phishing Tactics
Beware of emails, texts, messages or websites that use:
- Authority – COVID-19 phishing emails frequently claim to be from the CDC, WHO, doctors, or agencies to fool the reader into following their directions
- Urgency – Do you have to act now or face a penalty?
- Emotion – Does the message incite panic, fear, worry, or other emotion. Beware of threats or false claims
- Scarcity – Fear of missing out can cause you to act without thinking
These cyberattacks rely the target following instructions in a phishing email – like click on a link or download an email attachment – to further the attack. Phishing emails are worded to frighten the recipient or lure the reader with curiosity.
READ our other posts on economic stimulus payment scams and other details on Coronavirus scams.
- Be especially cautious with any email or SMS text message that uses subject lines that contain COVID-19-related phrases such as “Coronavirus Update,” “2019-nCov: Coronavirus outbreak in your city (Emergency),” “Stimulus Checks,” “Stimulus Payment,” or “Coronavirus stimulus payment”
- NEVER click on any links in email from people you don’t know, even if the email claims to be from a doctor or other health organization
- Do not tap links in apps that may lead to a phishing website
- Never click on or download email attachments from people you don’t know or if you were not expecting something to be sent to you. Email attachments can be used to send malware, including ransomware