Secureworks® Counter Threat Unit™ (CTU) researchers are tracking multiple coronavirus-themed campaigns across customer telemetry and third-party reporting.
There is clear evidence of well-established cybercriminal and government-sponsored threat actors leveraging general interest in COVID-19 to entice victims to open malicious links and attachments. CTU™ researchers have observed government-sponsored hackers weaponizing coronavirus-themed Office documents and sophisticated criminal operators targeting critical infrastructure and organizations in areas hit hard by the pandemic.
The fundamental business model and revenue generation of these sophisticated criminal groups does not really change as a result of the global pandemic. But fear, uncertainty, and a thirst for information about the current situation increases the number of potential victims and the likelihood of successful attacks.
In a nutshell, contrary to what more sensationalistic voices may be saying, Secureworks has not seen an overall increase in cybercriminal activity as of April 8th, but it has seen evidence of threat actors using the COVID-19 pandemic to lure people into clicking links, opening files and exposing themselves to dangerous ransomware.
Don Smith, Senior Director Cyber Intelligence, Secureworks, says: “At this time of panic and anxiety in many areas of everyday life, it’s important for us to be a sensible, honest voice that is sharing what is actually happening, based on telemetry and third-party reporting, rather than sensationalistic conjecture and hypothetical worst-case scenario situations. The world is vastly different than a couple of months ago and that has put people on edge.
“Now is not the time for industry experts to add fuel to the fire by sharing information and opinion that is not only incorrect but adds to the anxiety many are facing. Yes, businesses and consumers need to be aware that cyber criminals are now posing as local governments, charities and trusted organisations, but that is ever present in today’s society. Getting security basics right is just as important now as it has been for the past decade; we should focus energies on ensuring those basics are in place,” he added.
CTU researchers recommend that organizations apply the following mitigations for coronavirus-themed threats. Many of these security practices protect organizations against other threats as well.
• Train employees to recognize and report phishing and other scams. These attempts could arrive via email, phone, social media, SMS (text), or other messaging applications.
• Conduct regular vulnerability scans, particularly of Internet-facing infrastructure. Ensure that devices and applications are centrally managed, are installed from known-good media, and are regularly patched.
• Use multi-factor authentication where possible. Requiring additional authentication elements makes it difficult for threat actors to gain access using stolen user credentials.
• Implement endpoint and network monitoring controls to detect malicious activity. Focus on detecting and investigating unusual activity from weaponized files, such as launching PowerShell, WMI, WScript, or unusual network communications.
• Where possible, require users to connect through corporate resources such as virtual private networks (VPNs) and DNS servers to access the Internet. This approach provides additional monitoring opportunities if user endpoints are compromised.
• Consider the organization’s security requirements when selecting a remote conferencing tool and vendor to ensure that the tool allows for an appropriate level of protection for conversations and data.
• Issue guidance to employees regarding proper use of remote conferencing services. Use passcodes or other authentication features, and do not publicly disclose meeting IDs where possible.
• Review incident response plans to ensure that they remain appropriate for the modified work environment. Consider how to test those plans without adding unnecessary stress to the organization.
• Select a full-service threat intelligence provider, or several complementary ones, that offers coverage to support the organization’s threat model and that reduces the potential of internal security teams spending their time chasing false leads.
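The endpoint-monitoring recommendation above (a weaponized document launching PowerShell, WMI, or WScript) can be expressed as a simple parent/child process rule. The following is an added illustration, not Secureworks' own code: it runs that rule over constructed process-creation events, and the event field names, Office process list, and sample command lines are assumptions.

```python
# Added example: flag Office applications spawning scripting hosts, the
# "unusual activity from weaponized files" pattern the recommendation describes.
# Event shape loosely follows a Sysmon/EDR process-creation export (assumed).
from dataclasses import dataclass

# Office applications that commonly carry malicious documents (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes a document should not normally need to launch.
SUSPICIOUS_CHILDREN = {
    "powershell.exe": "PowerShell",
    "pwsh.exe": "PowerShell",
    "wmic.exe": "WMI",
    "wscript.exe": "WScript",
    "cscript.exe": "WScript",
}

@dataclass
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str

def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_office_spawning_scripting(events):
    """Return one alert dict per event where an Office parent launched a scripting host."""
    alerts = []
    for ev in events:
        parent, child = _basename(ev.parent_image), _basename(ev.image)
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append({"host": ev.host, "parent": parent, "child": child,
                           "technique": SUSPICIOUS_CHILDREN[child],
                           "command_line": ev.command_line})
    return alerts

# Constructed sample telemetry: one benign event and two that should alert.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" covid_update.docm'),
    ProcessEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -File C:\\Users\\Public\\update.ps1"),
    ProcessEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\wbem\WMIC.exe", "wmic process call create ..."),
]

if __name__ == "__main__":
    for alert in detect_office_spawning_scripting(SAMPLE_EVENTS):
        print(alert)
```

In production the same rule would be fed by the EDR's process-creation stream and paired with a check on the spawned process's outbound network connections.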