Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

After Adopting COVID-19 Lures, Sophisticated Groups Target Remote Workers

While coronavirus-themed emails and files have been used as a lure for weeks, attackers now are searching for ways to actively target VPNs and remote workers to take advantage of weaker security.

Since February, a variety of advanced cybercriminals have adopted themes around the evolving coronavirus pandemic in attempts to convince targeted users to click on phishing links or install malware. Now attackers are actively attempting to take advantage of the vulnerable infrastructure exposed by the massive number of employees working from home, security experts and government agencies warned this week.

In a single 24-hour period, Microsoft detected a massive phishing campaign using 2,300 different Web pages attached to messages and disguised as COVID-19 financial compensation information that actually lead to a fake Office 365 sign-in page to capture credentials, the company stated in a blog post published today. Cybercriminals are also actively discussing the collaboration platforms, virtual private networks (VPNs), and systems currently used by companies for remote work, threat-intelligence platform IntSights stated in an advisory published Tuesday. 

"The biggest change is not the type of attacks but the situation where you have the majority of the workforce working from home," says Etay Maor, chief security officer for IntSights. "Workers are making some basic security hygiene mistakes, and the threat actors have been made aware of this — these issues are constantly being discussed, and the criminals are very agile to adapting to new situations."

Coronavirus themes have become the favored approach for many cybercriminals to trick users into falling prey to the latest attacks, and advanced groups often use the approach as well. Chinese, Russian, and North Korean cyber-espionage groups have all adopted pandemic-themed lures for phishing attacks and targeted efforts. Now the Maze cybercriminal group, the Pakistan-linked APT36, and the financial-focused FIN7 group have adopted the techniques as well.

A joint advisory issued today by US and UK cyber defense agencies warned that activity by advanced persistent threat (APT) groups has risen significantly.

"APT groups are using the COVID-19 pandemic as part of their cyber operations," the advisory stated. "These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and 'hack-and-leak' operations."

The overall volume of attacks is not necessarily growing, but various groups are switching to COVID-19 themes to convince concerned end users to click on links, install malware, or fall for fraud, said Rob Lefferts, corporate vice president for Microsoft 365 Security, in a blog post today. These attacks, however, account for less than 2% of all attacks seen by Microsoft on a daily basis, he stated.

"Attackers don't suddenly have more resources they're diverting towards tricking users; instead they're pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click," Lefferts wrote, adding, "the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear."

Of particular worry for security teams and national cybersecurity agencies is the mass move to remote work. The Cyber Infrastructure Security Agency (CISA), for example, has seen increased scanning for vulnerabilities in Citrix's Application Delivery Controller and Gateway products. 

"Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking," CISA said in its advisory. "Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software."

In March, security firm Malwarebytes published research demonstrating that the Pakistan-linked APT36 had begun using COVID-19 themes for spear-phishing and watering hole attacks. The group, which conducts cyber espionage against Indian political and diplomatic targets, attempted to fake health advisory documents to drop a remote-access tool known as CrimsonRAT.

The current targets continue to be "based on the threat actors' intents and motivations and usually is aligned with their past campaigns," stated the Malwarebytes Threat Intelligence Team in response to questions from Dark Reading. "For example, Kimsuky is a group that has been known to target South Korean users and this is visible in their COVID-19 campaign customized for this particular demographic."

Microsoft has taken a proactive approach to finding vulnerable networks that could be targeted by nation-state and cybercriminal groups, especially those belonging to healthcare firms, and helping them close the gaps.

In a blog published at the beginning of April, the company said sophisticated cybercriminal groups had targeted several dozens of hospitals, so Microsoft identified those organizations that had vulnerable gateway and VPN appliances in their infrastructure. 
 
"To help these hospitals, many already inundated with patients, we sent out a ... targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others," Microsoft stated.

Related Content:

A listing of free security products and services compiled for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Soothing Security Products We Wish Existed."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4177
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174732.
CVE-2020-4180
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 174735.
CVE-2020-4182
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174738.
CVE-2020-4187
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could disclose sensitive information on the login page that could aid in further attacks against the system. IBM X-Force ID: 174805.
CVE-2020-4190
PUBLISHED: 2020-06-03
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851.