Exploitation of the topic of coronavirus in cybersecurity threats

The topic of the coronavirus has flooded every news feed today and has also become the main leitmotif for the activities of cybercriminals exploiting COVID-19 and everything connected with it. In this note I would like to draw attention to some examples of such malicious activity. None of this is a secret to many information security specialists, but collecting these examples in one place will make it easier to prepare your own awareness-raising activities for employees, some of whom now work remotely and are even more susceptible to cyber threats than before.

It should be noted that there are no completely new threats associated with the coronavirus today. Rather, we are talking about attack vectors that have long since become traditional, simply served under a new “sauce”. I would name the following key types of threats:

  • phishing sites and mailings on the topic of the coronavirus, and the malicious code that accompanies them
  • fraud and disinformation that exploit fear of COVID-19 or misinformation about it
  • attacks against organizations involved in coronavirus research

In Russia, where citizens traditionally distrust the authorities and believe that the truth is being hidden from them, the likelihood of successfully “promoting” phishing sites and mailings, as well as fraudulent resources, is much higher than in countries with more open authorities. Although today nobody can consider themselves absolutely protected from creative cyber-scammers who exploit all the classic human weaknesses: fear, compassion, greed, and so on.

Take, for example, a scam site selling medical masks.

A related site, CoronavirusMedicalkit[.]com, was shut down by US authorities for offering a non-existent COVID-19 vaccine “for free”, with the victim paying “only” the postage to ship the drug. At such a low price, the calculation was on the rush demand for the drug amid the panic in the United States.

This is not a classic cyber threat, since the attackers' goal here is not to infect users or steal their personal data or credentials, but simply to ride the wave of fear and force them to pay for medical masks at inflated prices 5, 10 or 30 times the real value. But the very idea of creating a fake website exploiting the coronavirus theme is equally applicable to cybercriminals. For example, here is a site that has the keyword “covid19” in its name but is in fact a phishing site.

In general, looking at our Cisco Umbrella Investigate incident investigation service on a daily basis, you can see how many domains are being created with the words covid, covid19, coronavirus, etc. in their names. And many of them are malicious.

In an environment where some of a company's employees have been moved to working from home and are no longer covered by corporate protection tools, it is more important than ever to monitor the resources that employees' mobile and desktop devices access, whether consciously or without their knowledge. If you are not using the Cisco Umbrella service to detect and block such domains (Cisco is currently offering a free connection to this service), then at a minimum configure your web access monitoring solutions to control domains containing the relevant keywords. At the same time, remember that the traditional approach of blacklisting domains, as well as relying on reputation databases, can fail, since malicious domains are created very quickly and are used in just 1-2 attacks for no longer than a few hours, after which the attackers switch to new one-day domains. Information security companies simply do not have time to update their knowledge bases and distribute them to all their customers quickly enough.
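As an added example (not from the original post or from Cisco), here is a small Python triage routine for the keyword-based monitoring described above: it parses constructed DNS-style log lines, flags domains whose name contains coronavirus-related keywords, and marks those first seen within the last 24 hours, since blacklists rarely catch such one-day domains in time. The log format, keyword list, allowlist and the 24-hour threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Keywords the text above reports in attacker-registered domain names
# (longer variants first, so the most specific match is reported).
KEYWORDS = ("coronavirus", "covid-19", "covid19", "covid", "corona", "ncov")
# Assumption: a domain first seen under 24h ago is "newly observed"; blacklists
# rarely catch such throwaway domains while they are still in use.
NEW_DOMAIN_AGE = timedelta(hours=24)
ALLOWLIST = {"who.int", "cdc.gov"}  # assumption: trusted official sources
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # "<ISO ts> <client IP> <domain>"

# Constructed sample log lines (not real traffic; .example is a reserved TLD).
LOG_LINES = [
    "2020-03-16T09:58:00Z 10.0.0.5 www.who.int",
    "2020-03-16T10:01:02Z 10.0.0.5 covid19-relief-funds.example",
    "2020-03-16T10:03:40Z 10.0.0.7 coronavirusmedicalkit.example",
    "2020-03-16T10:05:11Z 10.0.0.9 mail.example",
    "2020-03-16T10:07:00Z 10.0.0.5 corona-stats.example",
]
# Constructed passive-DNS knowledge: this domain has existed since January.
KNOWN_FIRST_SEEN = {"corona-stats.example": datetime(2020, 1, 10, tzinfo=timezone.utc)}
NOW = datetime(2020, 3, 16, 12, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, client, domain) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3).lower().rstrip(".")


def scan_log(lines, now, first_seen=None):
    """Map each keyword-bearing domain to its reasons for review/blocking.
    first_seen: known first-seen times (e.g. a passive-DNS store); a domain
    absent from it counts as first seen where it appears in this log."""
    first_seen = dict(first_seen or {})
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _client, domain = rec
        first_seen.setdefault(domain, ts)
        if any(domain == a or domain.endswith("." + a) for a in ALLOWLIST):
            continue
        # Match keywords in the site's own labels only, not in the TLD.
        name = ".".join(domain.split(".")[:-1]) or domain
        keyword = next((k for k in KEYWORDS if k in name), None)
        if keyword is None:
            continue
        reasons = ["keyword:" + keyword]
        if now - first_seen[domain] < NEW_DOMAIN_AGE:
            reasons.append("newly-observed")  # block candidate, not just review
        hits[domain] = reasons
    return hits


def demo():
    return scan_log(LOG_LINES, NOW, KNOWN_FIRST_SEEN)
```

A domain that carries a keyword and was never seen before is the block candidate; an old keyword-bearing domain like the constructed corona-stats.example only warrants a review.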

Attackers continue to actively exploit the email channel to distribute phishing links and malware in attachments. And their effectiveness is quite high, since users who receive completely legitimate news mailings about the coronavirus cannot always spot something malicious among that volume. And while the number of infected people keeps growing, the range of such threats will also only grow.

Here, for example, is a phishing campaign on behalf of the Centers for Disease Control and Prevention (CDC):

Clicking on the link, of course, does not lead to the CDC website, but to a fake page that steals the victim's login and password:

And here is an example of a phishing email purporting to be from the World Health Organization:

In this example, the attackers count on the fact that many people believe the authorities are hiding the true extent of the infection from them, so users gladly and almost without hesitation click on the malicious links or attachments in letters like these, which supposedly reveal all the secrets.

By the way, there is a site, worldometers, that lets you track various indicators, such as mortality, the number of smokers, the population of different countries, etc. The site also has a page dedicated to the coronavirus. And when I went to it on March 16th, I saw a page that for a moment made me doubt that the authorities were telling us the truth (I don't know what the reason for such numbers is; perhaps just a mistake):

One of the popular infrastructures that attackers use to send such emails is Emotet, one of the most dangerous and widespread threats of recent times. Word documents attached to the email messages contain Emotet downloaders that fetch new malicious modules onto the victim's computer. Initially, Emotet was used to promote links to scam sites selling medical masks and targeted people in Japan. Below you can see the result of analyzing a malicious file in the Cisco Threat Grid sandbox, which analyzes files for malware.

But attackers exploit the ability to run code not only from MS Word documents but also from other Microsoft applications, for example MS Excel. This is how the APT36 hacker group acted, sending out recommendations on combating the coronavirus supposedly from the Government of India that contained Crimson RAT:

Another malicious campaign exploiting the coronavirus theme distributes Nanocore RAT, which gives attackers remote access to victims' computers: intercepting keystrokes, capturing screen images, accessing files, etc.

Nanocore RAT is usually delivered by email. For example, below is a sample email message with an attached ZIP archive containing an executable PIF file. By opening the executable file, the victim installs the Remote Access Tool (RAT) on their computer.

And here is another example of a campaign parasitizing on the COVID-19 theme. The user receives an email claiming a delivery delay due to the coronavirus, with an attached invoice bearing a .pdf.ace extension. Inside the compressed archive is executable content that establishes a connection with the command and control server to receive additional commands and carry out the attackers' other goals.

Parallax RAT has similar functionality; it is distributed as a file named “new infected CORONAVIRUS sky 03.02.2020.pif” and installs a malicious program that communicates with its command and control server via the DNS protocol. EDR-class protection tools such as Cisco AMP for Endpoints will help combat such remote access programs, as will either an NGFW (for example, Cisco Firepower) or DNS monitoring tools (for example, Cisco Umbrella).
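As an added example (not from the original post or from any of the products mentioned), here is a Python attachment triage routine for the cases described in the last few paragraphs: a bare .pif executable, a lure with a .pdf.ace double extension, and a ZIP archive holding an executable. It flags executable extensions, double extensions hiding behind a document-like suffix, and archive formats a gateway cannot open; the extension lists and every sample name except the Parallax RAT file name are assumptions.

```python
import io
import zipfile

# Extension classes used by the heuristics (assumption: a typical gateway policy).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
ARCHIVE_EXTS = {".zip", ".ace", ".rar", ".7z", ".arj"}
LURE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def extensions(name):
    """All dotted suffixes, lowercased: 'invoice.pdf.ace' -> ['.pdf', '.ace']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess_attachment(name, data=None):
    """Return human-readable findings for one attachment (empty list = nothing found).
    data: raw bytes, used only to look inside ZIP archives one level deep."""
    findings = []
    exts = extensions(name)
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({last})")
    # 'report.pdf.pif' shows as 'report.pdf' when Windows hides known extensions.
    if len(exts) >= 2 and exts[-2] in LURE_EXTS and last in EXECUTABLE_EXTS | ARCHIVE_EXTS:
        findings.append(f"double extension: looks like {exts[-2]} but is {last}")
    if last == ".zip" and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for f in assess_attachment(member):
                        findings.append(f"inside zip '{member}': {f}")
        except zipfile.BadZipFile:
            findings.append("named .zip but not a valid zip archive")
    elif last in ARCHIVE_EXTS and last != ".zip":
        findings.append(f"uncommon archive format {last}; gateway cannot inspect contents")
    return findings


def build_sample_zip():
    """Constructed ZIP with a double-extension 'executable' inside (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("COVID-19 Update.pdf.pif", b"not-a-real-program")
    return buf.getvalue()


# Attachment names: the first is quoted in the text above; the rest are constructed.
SAMPLE_ATTACHMENTS = [
    ("new infected CORONAVIRUS sky 03.02.2020.pif", None),
    ("Invoice_delay_COVID19.pdf.ace", None),
    ("CoronaVirus_Safety_Measures.zip", build_sample_zip()),
    ("WHO_guidance.pdf", None),
]


def triage(samples=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its findings."""
    return {name: assess_attachment(name, data) for name, data in samples}
```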

In the example below, remote access malware was installed on the computer of a victim who, for some unknown reason, fell for an advertisement claiming that an ordinary antivirus program installed on a PC can protect against the real COVID-19. And yet someone fell for what looks like a joke.

But among malicious programs there are also really strange things, for example joke files that emulate the work of ransomware. In one case, our Cisco Talos division discovered a file named CoronaVirus.exe that locked the screen when run and started a timer with the caption “delete all files and folders on this computer - coronavirus.”

At the end of the countdown, the button at the bottom became active, and when it was pressed the following message was displayed, saying that it was all a joke and that you should press Alt + F12 to exit the program.

The fight against malicious mailings can be automated, for example with Cisco Email Security, which detects not only malicious content in attachments but also tracks phishing links and clicks on them. But even then, you should not forget about user training and regular phishing simulations and cyber exercises that will prepare users for the various tricks attackers direct against them. This is especially important if they work remotely and through their personal mail, since malicious code can penetrate a corporate or departmental network that way as well. Here I could recommend the new Cisco Security Awareness Tool, which allows you not only to conduct micro- and nano-training of personnel on information security issues, but also to organize phishing simulations for them.

But if for some reason you are not ready to use such solutions, then you should at least send regular mailings to your employees reminding them of the phishing danger, with examples and a list of safe behavior rules (the main thing is that attackers do not disguise themselves as these mailings). By the way, one of the current risks is phishing mailings disguised as letters from your management, which allegedly describe new rules and procedures for remote work, mandatory software that needs to be installed on remote computers, etc. And do not forget that in addition to email, cybercriminals can use instant messengers and social networks.

In such a mailing or awareness program, you can include the already classic example of the fake coronavirus infection map that imitated the one run by Johns Hopkins University. The peculiarity of this malicious map was that when the phishing site was visited, malware was installed on the user's computer that stole account information and sent it to the cybercriminals. A variant of this program also created RDP connections for remote access to the victim's computer.

By the way, about RDP. This is another attack vector that attackers have started using more actively during the coronavirus pandemic. Many companies switching to remote work use services such as RDP which, if configured incorrectly in the rush, can let intruders penetrate both remote users' computers and the corporate infrastructure. Moreover, even with a correct configuration, various RDP implementations may have vulnerabilities that attackers exploit. For example, Cisco Talos found multiple vulnerabilities in FreeRDP, and in May last year the critical vulnerability CVE-2019-0708 was discovered in the Microsoft Remote Desktop Service, which allowed arbitrary code execution on the victim's computer, malware installation, etc. NCCCI even distributed a bulletin about it, and Cisco Talos, for example, published recommendations for protecting against it.

There is another example of exploiting the coronavirus theme: a real threat to infect the victim's family if the ransom is not paid in bitcoins. To enhance the effect, lend the letter weight and create a sense of the extortionist's omnipotence, the victim's password for one of their accounts, obtained from public dumps of logins and passwords, was inserted into the text of the letter.

In one of the examples above, I showed a phishing message from the World Health Organization. Here is another example, in which users are asked for financial assistance to fight COVID-19 (although the misspelling of the word “DONATION” in the heading in the body of the letter immediately catches the eye). And they ask for help in bitcoins to avoid cryptocurrency tracking.

And there are many such examples that exploit the compassion of users today:

Bitcoin is related to COVID-19 in another way. For example, this is what the mailings received by many British citizens who are sitting at home and cannot earn money look like (in Russia, this will now become relevant as well).

Masquerading as well-known newspapers and news sites, these mailings offer an easy way to earn money by mining cryptocurrencies on special sites. In fact, after some time you receive a message that the amount you have earned can be withdrawn to a special account, but first you need to transfer a small amount in taxes. It is clear that having received this money, the scammers transfer nothing in return, and the gullible user loses the money transferred.

There is another threat associated with the World Health Organization. Hackers changed the DNS settings of D-Link and Linksys routers, commonly used by home users and small businesses, to redirect them to a fake site with a pop-up warning to install the WHO app to stay up to date on the latest news about the coronavirus. The application itself contained the Oski information-stealing malware.

A similar idea to an app containing up-to-date status on COVID-19 infection is exploited by the CovidLock Android Trojan, which spreads through an app that is allegedly “certified” by the US Department of Education, WHO, and the Centers for Disease Control and Prevention (CDC).

Many users today are in self-isolation and, not wanting or not knowing how to cook, are actively using delivery services for food, groceries or other goods, such as toilet paper. Attackers have mastered this vector for their own purposes. For example, this is how a malicious site imitating a legitimate resource owned by Canada Post looks. The link in the SMS received by the victim leads to a website which informs them that the ordered goods cannot be delivered because only 3 dollars are missing, which must be paid extra. The user is then directed to a page where they must enter their credit card details... with all the ensuing consequences.

In conclusion, I would like to give two more examples of cyber threats related to COVID-19. First, the plugins “COVID-19 Coronavirus - Live Map WordPress Plugin”, “Coronavirus Spread Prediction Graphs” or “Covid-19” are embedded in sites on the popular WordPress engine and, along with displaying the coronavirus distribution map, also contain the WP-VCD malware. Second, Zoom, which has become very, very popular in the wake of the growth in the number of online events, has encountered what experts have called “Zoombombing”: attackers, in fact ordinary porn trolls, connected to online chats and online meetings and showed various obscene videos. By the way, Russian companies are encountering a similar threat today.

I think most of us regularly check various resources, official and otherwise, for the current status of the pandemic. Attackers exploit this by offering us “up-to-date” information about the coronavirus, including information “that the authorities are hiding from you.” But recently, ordinary users have often helped attackers by forwarding “facts” from “acquaintances” and “friends”. Psychologists say that such activity by “alarmist” users, who forward everything that falls into their field of vision (especially in social networks and instant messengers, which have no mechanisms for protecting against such threats), lets them feel involved in the fight against a global threat and even feel like heroes saving the world from the coronavirus. But, unfortunately, the lack of special knowledge means that these good intentions “lead everyone to hell”, creating new cybersecurity threats and increasing the number of victims.

In fact, I could go on and on with examples of cyber threats related to the coronavirus, especially since cybercriminals do not stand still and keep coming up with new ways to exploit human passions. But I think we can stop there. The picture is already clear, and it tells us that in the near future the situation will only worsen. Yesterday, the Moscow authorities placed the city of ten million people under self-isolation. The authorities of the Moscow region and many other regions of Russia, as well as our closest neighbors in the former post-Soviet space, did the same. This means that the number of potential victims at whom cybercriminals direct their efforts will increase many times over. Therefore, it is worth not only revising your security strategy, until recently focused on protecting only a corporate or departmental network, and assessing what protection tools you lack, but also taking these examples into account in your staff awareness program, which is becoming an important part of the information security system for remote workers. And Cisco is ready to help you with it!

PS. In preparing this material, materials from Cisco Talos, Naked Security, Anti-Phishing, Malwarebytes Lab, ZoneAlarm, Reason Security, RiskIQ, the US Department of Justice, Bleeping Computer, SecurityAffairs and others were used.

Source: habr.com