Exploiting the coronavirus theme in information security threats

The coronavirus theme has flooded every news feed today, and it has also become the main leitmotif of the various activities of cybercriminals, who exploit COVID-19 and everything connected with it. In this note I would like to draw attention to some examples of such malicious activity. None of it will be news to many information security specialists, but collecting it in one place should make it easier to prepare your own awareness-raising materials for employees, some of whom are now working remotely and are more exposed to information security threats than before.

image


It should be noted that there are no completely new threats associated with the coronavirus today. Rather, we are dealing with the already-traditional attack vectors, just served with a new "sauce". I would name the following as the key types of threats:

  • coronavirus-themed phishing sites and mailings, and the malicious code they deliver
  • fraud and misinformation that exploit fear of, or incomplete information about, COVID-19
  • attacks on organizations researching the coronavirus

In Russia, where citizens traditionally distrust the authorities and believe that the truth is being hidden from them, the chances of successfully "promoting" phishing sites and mailings, as well as fraudulent resources, are much higher than in countries with more open governments. Still, today no one can consider themselves absolutely protected from creatively minded cyber fraudsters who exploit all the classic human weaknesses: fear, compassion, greed and so on.

Take, for example, a scam site selling medical masks.

image

A similar site, coronavirusmedicalkit[.]com, was shut down by US authorities: it "gave away" a non-existent COVID-19 vaccine for free, charging "only" the postage for shipping the medicine. At such a low price, the calculation was to cash in on the rush demand for medicine amid the panic in the United States.

image

This is not a classic cyber threat, since the attackers' goal here is not to infect users or steal their personal data or credentials, but simply to ride the wave of fear and make people fork out for medical masks at prices 5, 10 or 30 times their real value. But the very idea of creating a fake website that exploits the coronavirus theme is also used by cybercriminals. For example, here is a site whose name contains the keyword "covid19" but which is in fact a phishing page.

image

In general, monitoring our Cisco Umbrella Investigate incident investigation service every day, you can see how many domains are being registered whose names contain the words covid, covid19, coronavirus and so on. And many of them are malicious.

image

Now that some of a company's employees have been moved to working from home and are no longer protected by corporate security tools, it is more important than ever to monitor which resources are accessed from employees' mobile and desktop devices, whether deliberately or without their knowledge. If you do not use the Cisco Umbrella service to detect and block such domains (Cisco now offers a free connection to this service), then at least configure your web access monitoring solutions to control domains containing the corresponding keywords. At the same time, remember that the traditional approach of blacklisting domains, as well as using reputation databases, can fail: malicious domains are created very quickly, are used in only one or two attacks for no longer than a few hours, and then the attackers switch to new one-day domains. Information security companies simply do not have time to update their knowledge bases and push them to all their customers that quickly.
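As an added illustration (not code from the original post or from any Cisco product), here is a minimal Python version of the keyword-based domain monitoring recommended above, run over a constructed resolver log. It records when each keyword domain was first seen, so a one-day domain is caught on its first appearance rather than after a reputation feed catches up; the domain names in the sample are hypothetical placeholders, not real indicators.

```python
import re

# Keywords the article recommends watching for in domain names.
KEYWORDS = ("covid", "coronavirus", "corona")

# Constructed sample of resolver/proxy log lines: "<timestamp> <client-ip> <domain>".
# The domain names are hypothetical placeholders, not real indicators.
SAMPLE_LOG = """\
2020-03-16T09:00:01 10.0.0.12 intranet.example.org
2020-03-16T09:00:05 10.0.0.12 cdn.example.org
2020-03-16T09:02:11 10.0.0.34 covid19-relief-portal.example
2020-03-16T09:02:12 10.0.0.34 covid19-relief-portal.example
2020-03-16T09:15:40 10.0.0.51 coronavirus-map-update.example
2020-03-16T11:00:00 10.0.0.77 who-corona-news.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, domain) from each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def matches_keyword(domain):
    """True if the domain name contains any watched keyword."""
    return any(k in domain for k in KEYWORDS)


def find_keyword_domains(text):
    """Per keyword domain: first-seen time, set of clients and hit count."""
    # Unlike a blacklist, this flags a domain the first time it shows up,
    # which matters when attackers rotate domains within hours.
    stats = {}
    for ts, client, domain in parse_log(text):
        if not matches_keyword(domain):
            continue
        entry = stats.setdefault(domain, {"first_seen": ts, "clients": set(), "hits": 0})
        entry["clients"].add(client)
        entry["hits"] += 1
    return stats


if __name__ == "__main__":
    for domain, e in sorted(find_keyword_domains(SAMPLE_LOG).items(),
                            key=lambda kv: kv[1]["first_seen"]):
        print(f"{e['first_seen']} {domain} hits={e['hits']} clients={len(e['clients'])}")
```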

Attackers continue to actively exploit the e-mail channel to distribute phishing links and malware in attachments. Their effectiveness is quite high, because users who receive a steady stream of legitimate newsletters about the coronavirus cannot always spot something harmful in that volume. And as long as the number of infected people keeps growing, the range of such threats will keep growing too.

For example, here is a phishing e-mail purporting to come from the US Centers for Disease Control and Prevention (CDC):

image

Clicking the link, of course, leads not to the CDC website but to a fake page that steals the victim's username and password:

image

Here is an example of a phishing e-mail supposedly from the World Health Organization:

image

And in this example the attackers rely on the fact that many people believe the authorities are hiding the true extent of the infection from them, so users gladly and almost without hesitation click on such letters with malicious links or attachments that supposedly reveal all the secrets.

image

By the way, there is a website called Worldometers that lets you track various indicators, for example mortality, the number of smokers, the population of different countries and so on. The site also has a page dedicated to the coronavirus. And so, when I visited it on March 16th, I saw a page that made me doubt for a moment that the authorities were telling us the truth (I don't know the reason for such numbers; perhaps it is just a mistake):

image

One of the popular infrastructures that cybercriminals use to send such e-mails is Emotet, one of the most dangerous and widespread threats of recent times. Word documents attached to e-mail messages contain Emotet downloaders, which load new malicious modules onto the victim's computer. Initially Emotet was used to promote links to fraudulent sites selling medical masks and was aimed at residents of Japan. Below you can see the result of analysing the malicious file in the Cisco Threat Grid sandbox, which analyses files for malware.

image

But the attackers exploit not only the ability to run code from MS Word but also from other Microsoft applications, for example MS Excel (this is how the APT36 hacker group acted), sending out "recommendations on combating the coronavirus from the Government of India" that contained Crimson RAT:

image

Another malicious campaign exploiting the coronavirus theme distributes Nanocore RAT, which installs remote access software on victims' computers that intercepts keystrokes, captures screenshots, accesses files and so on.

image

Nanocore RAT is usually delivered by e-mail. For example, below you can see a mail message with an attached ZIP archive that contains an executable PIF file. By double-clicking the executable, the victim installs the Remote Access Tool (RAT) on her own computer.

image

Here is another campaign that parasitises the COVID-19 theme. The user receives a letter about an alleged delivery delay caused by the coronavirus, with an attached "invoice" whose extension is .pdf.ace. Inside the compressed archive is executable content that connects to a command-and-control server to receive further commands and carry out the attackers' other goals.

image

Parallax RAT has similar functionality; it is distributed as a file named "new infected CORONAVIRUS sky 02/03/2020.pif" and installs a malicious program that talks to its command server over the DNS protocol. EDR-class security tools such as Cisco AMP for Endpoints will help fight such remote access programs, while an NGFW (for example, Cisco Firepower) or DNS monitoring tools (for example, Cisco Umbrella) can help spot communications with command servers.
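As an added example (not the original post's code, nor any Cisco tool), the following Python snippet shows the kind of attachment-name check a mail gateway or triage script can apply to the three cases above: a ZIP carrying a .pif executable (Nanocore), an "invoice.pdf.ace" double extension, and the Parallax RAT file name. The sample archive is constructed in the code and contains no real binary; only ZIP members are inspected, since .ace is not parsed here.

```python
import io
import zipfile

# Extensions Windows runs as code on double-click (non-exhaustive).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "js", "vbs", "hta"}
# Archive formats seen in the campaigns above (.ace is only name-matched here).
ARCHIVE_EXTS = {"zip", "ace", "rar", "7z"}
# Extensions users expect to be harmless documents.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def classify_filename(name):
    """Return a list of reasons the attachment name is suspicious (empty if none)."""
    reasons = []
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    exts = base.split(".")[1:]
    if not exts:
        return reasons
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    # "invoice.pdf.ace": a document extension in front of the real one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in ARCHIVE_EXTS | EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{last}")
    return reasons


def classify_zip(data):
    """Inspect a ZIP attachment's members; returns {member_name: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            r = classify_filename(member)
            if r:
                findings[member] = r
    return findings


def build_sample_zip():
    """Constructed sample: a ZIP carrying a .pif, as in the Nanocore mailing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("COVID-19 update.pif", b"placeholder bytes, not a real program")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for n in ("invoice.pdf.ace", "new infected CORONAVIRUS sky 02/03/2020.pif", "report.pdf"):
        print(n, "->", classify_filename(n) or "ok")
    print(classify_zip(build_sample_zip()))
```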

In the example below, remote access malware was installed on the computer of a victim who, for some unknown reason, fell for an advertisement claiming that an ordinary antivirus program installed on a PC can protect against the real COVID-19. And yet someone did fall for what looks like an obvious joke.

image

But among the malicious programs there are also truly strange things, for example joke files that mimic ransomware. In one case, our Cisco Talos division discovered a file called CoronaVirus.exe that locks the screen when run, starts a timer and displays the message "delete all files and folders on this computer is coronavirus".

image

At the end of the countdown, the button at the bottom became active, and when it was pressed the following message was displayed, saying that all this was a joke and that Alt + F12 should be pressed to end the program.

image

Countering malicious mailings can be automated, for example with Cisco E-mail Security, which detects not only malicious content in attachments but also tracks phishing links and clicks on them. But even so, do not forget about user training and regular phishing and cyber-attack simulations that will prepare users for the various tricks cybercriminals use against them. This matters especially when they work remotely and through their personal mail, through which malicious code can penetrate the corporate or departmental network. Here I could recommend the new Cisco Security Awareness Tool, which allows you not only to conduct micro- and nano-training of staff on information security issues, but also to organise phishing simulations for them.

But if for some reason you are not ready to use such solutions, then at least organise regular mailings to your employees reminding them of the phishing danger, with examples and a list of safe-behaviour rules (the main thing is that attackers do not start disguising their own mailings as yours). By the way, one of the possible risks at the moment is phishing mailings disguised as letters from your management that supposedly describe new rules and procedures for remote work, mandatory software that must be installed on remote computers, and so on. And do not forget that, in addition to e-mail, cybercriminals can use instant messengers and social networks.

A mailing or awareness program could include the classic example of a fake coronavirus infection map that mimicked the one launched by Johns Hopkins University. The difference was that when the phishing site was visited, malware was installed on the user's computer that stole the user's credentials and sent them to the cybercriminals. One variant of this program also created RDP connections for remote access to the victim's computer.

image

Speaking of RDP. This is another attack vector that attackers are beginning to use more actively during the coronavirus pandemic. When switching to remote work, many companies use services such as RDP which, if configured incorrectly in the rush, can let cybercriminals into both users' remote computers and the corporate infrastructure. Moreover, even with proper configuration, various RDP implementations may contain vulnerabilities that cybercriminals exploit. For example, Cisco Talos discovered multiple vulnerabilities in FreeRDP, and in May last year the critical vulnerability CVE-2019-0708 was discovered in the Microsoft remote desktop service, which allowed arbitrary code execution on the victim's computer, malware installation and so on. A bulletin about it was even distributed by the NCCA, and Cisco Talos, for example, published recommendations for protecting against it.

There is another example of exploiting the coronavirus theme: a threat to infect the victim's family with the real virus if a ransom in bitcoins is not paid. To enhance the effect, to give the letter weight and to create a sense of the extortionist's omnipotence, a password from one of the victim's accounts, taken from publicly available dumps of logins and passwords, was inserted into the text of the letter.

image

In one of the examples above I showed a phishing message from the World Health Organization. Here is another one, in which users are asked for financial help to combat COVID-19 (although the error in the word "DONATIONTION" in the heading of the letter body is immediately obvious). And they ask for help in bitcoins, to avoid tracking of the cryptocurrency.

image

And there are many such examples exploiting users' compassion today:

image

Bitcoins are tied to COVID-19 in another way too. For example, this is what the mailings look like that many UK citizens received while sitting at home unable to earn money (in Russia this will now become relevant as well).

image

Disguised as well-known newspapers and news sites, these mailings offer easy money: mining cryptocurrency on special sites. In reality, after a while you receive a message saying that the amount you have "earned" can be withdrawn to a special account, but first you need to transfer a small amount in taxes. Naturally, having received this money, the scammers send nothing in return, and the gullible user loses what was transferred.

image

There is another threat involving the World Health Organization. Hackers altered the DNS settings of D-Link and Linksys routers, which are often used by home users and small companies, in order to redirect their users to a fake website with a pop-up warning about the need to install a WHO application that would supposedly keep them up to date with the latest coronavirus news. The application itself contained the Oski infostealer.

image

A similar idea, an application showing the current COVID-19 infection status, is also exploited by the CovidLock Android Trojan, distributed through an application supposedly "certified" by the US Department of Education, WHO and the US Centers for Disease Control and Prevention (CDC).

image

Many users today are in isolation and, not wanting or not knowing how to cook, actively use delivery services for food, groceries or other goods such as toilet paper. Attackers have adapted this vector to their own ends. For example, this is what a malicious site looks like that imitates the legitimate Canada Post resource. The link in the SMS received by the victim leads to a website reporting that the ordered goods cannot be delivered because only 3 dollars are missing, which must be paid. The user is then directed to a page where they must enter their credit card details... with all the ensuing consequences.

image

In conclusion, I would like to give two more examples of cyber threats associated with COVID-19. First, plugins such as "COVID-19 Coronavirus - Live Map WordPress Plugin", "Coronavirus Spread Prediction Graphs" or "Covid-19" are embedded into sites on the popular WordPress engine and, along with displaying the coronavirus spread map, also contain the WP-VCD malware. Second, Zoom, which has become very, very popular on the wave of the growing number of online events, has run into what experts have called "Zoombombing": attackers, in fact ordinary porn trolls, connected to online chats and meetings and showed various obscene videos. By the way, Russian companies are encountering a similar threat today.

image

I think most of us regularly check various resources, both official and not so official, that report the current status of the pandemic. Attackers exploit this, offering us "the latest" information about the coronavirus, including information "that the authorities are hiding from you". But lately even ordinary users often help the attackers by forwarding "verified" facts from "acquaintances" and "friends". Psychologists say that such activity by "alarmist" users, who forward everything that catches their eye (especially on social networks and messengers, which have no protection mechanisms against such threats), lets them feel involved in the fight against the global threat and even feel like heroes saving the world from the coronavirus. But, unfortunately, the lack of specialised knowledge means that these good intentions "pave the road to hell", creating new cybersecurity threats and increasing the number of victims.

In fact, I could continue listing examples of cyber threats associated with the coronavirus; moreover, cybercriminals do not stand still and keep inventing new ways to exploit human passions. But I think we can stop here. The picture is already clear, and it tells us that in the near future the situation will only get worse. Yesterday, the Moscow authorities placed the city of ten million people under self-isolation. The authorities of the Moscow Region and many other regions of Russia, as well as our closest neighbours in the former Soviet space, did the same. This means that the number of potential victims at whom cybercriminals' efforts will be directed will grow many times over. It is therefore worth not only reviewing your security strategy, which until recently focused on protecting only the corporate or departmental network, and evaluating which means of protection you are missing, but also including these examples in your staff awareness program, which is becoming an important part of the information security system for remote workers. And Cisco is ready to help you with this!

P.S. In preparing this material, we used materials from Cisco Talos, Naked Security, Antiphishing, Malwarebytes Labs, ZoneAlarm, Reason Security and RiskIQ, the US Department of Justice, Bleeping Computer, SecurityAffairs and others.
