Alert Offers Guidance against Coronavirus-Related Cyber CrimesApril 14, 2020 | Shari Claire Lewis |
It seems that, even in the worst of times, cyber criminals will find a way to exploit the situation to their advantage.
The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NSCS) have jointly issued Alert (AA20-099A) entitled. “COVID-19 Exploited by Bad Actors.” (Alert) It addresses the corona virus emergency’s exploitation by cybercriminals to further their nefarious schemes.
Written in accessible language and not overly technical, the Alert offers examples of the risks and responses that average technology users may find useful. It is available at https://www.us-cert.gov/ncas/alerts/aa20-099a
The following are some of the Alert’s most salient points.
Exploitation of the Pandemic by Cybercriminals
The COVID-19 pandemic is the latest tactic used by bad actors to launch their schemes. The Alert particularly identifies the following threats:
- Phishing, using the subject of coronavirus or COVID-19 as a lure,
- Malware distribution, using coronavirus- or COVID-19- themed lures,
- Registration of new domain names containing wording related to coronavirus or COVID-19, and
- Attacks against newly – and often rapidly – deployed remote access and teleworking infrastructure.
The Alert warns that bad actors frequently masquerade as trusted entities, such as by using “spoofed” email addresses or SMS texts to pretend to be an organization, like the World Health Organization, or an individual with a “Dr.” in their title. The victim is thereafter encouraged to download an app, click on a link or open a file. The malicious attachments frequently have names that on their face appear to relate COVID-19. These phishing campaigns result in malware deployment, (such as ransomware, Trojan horses, key-loggers, desktop-sharing programs, etc.) and/or “credential theft”, (by tricking the victim into disclosing identifying information, such as passwords, account information, personally identifiable information, etc.).
Bad actors have also been quick to exploit vulnerabilities in new and often hastily instituted teleworking networks and programs. Unfortunately, many of the best known and frequently used tools, such as certain VPNs (virtual private networks), Microsoft’s Remote Desktop Protocol, Citrix, communication platforms such as Zoom or Microsoft Teams, etc. have known vulnerabilities that hackers are quick to exploit unless the networks and programs are established in their most up-to-date versions and with the right security measures in place.
What Can Be Done
The Alert provides a variety of resources that may be useful to understand and respond to COVID-19 related cyber threats. First, the Alert contains a “non-exhaustive” list of coronavirus-related “Indicators of Compromise.” The list includes links to both CISA and NCSC compilations as well as publicly available information from private sources. Because the links may be fairly technical, this section may be most useful to an organization’s cybersecurity team.
The Alert’s section on mitigation is more accessible to all individuals regardless of their technical sophistication. It provides links to both CISA and NSCS guidance regarding how best to defend against and respond to COVID-19 scams. It also sets out some clear recommendations.
In “Phishing Guidance for Individuals,” the Alert links to the NCSC’s suspicious email guidance, which details what to do if you have already clicked on a suspicious link. It also sets forth the NSCS’s Top Tips for Spotting a Phishing Email:
- Authority – Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.
- Urgency – Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
- Emotion – Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
- Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
Next, the Alert provides “Phishing Guidance for Organizations and Cybersecurity Professionals.” It notes that many organizations overly rely on individual employees spotting suspicious emails and suggests that organizations also follow NSCS’ “four layers, on which to build defenses,” i.e.:
- Make it difficult for attackers to reach organization’s users.
- Help users identify and report suspected phishing emails.
- Protect your organization from the effects of undetected phishing emails.
- Respond quickly to incidents.
The Alert concludes with “Communications Platforms Guidance for Individuals and Organizations.” It notes that malicious actors have aggressively hijacked online meetings conducted on platforms like Zoom or Microsoft Teams and recaps the FBI’s suggestions to secure online meetings:
- Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screensharing options. Change screensharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications.
- Ensure telework policies address requirements for physical and information security.
We recommend that individuals and organizations read the Alert so that they can recognize the dangers and take the recommended steps to help protect their computers and networks during the COVID-19 pandemic.
- Shari Claire Lewis