As the Coronavirus pandemic progresses, a rise in malicious activity has been detected that exploits new threat vectors, including the targeting of remote authentication systems and remote users. Ascend Technologies is actively monitoring ongoing developments and taking precautions to minimize risk to our client environments while business continuity plans are in effect.
Malware Domain Activity
- Malicious traffic has been observed on several domains created using the words “corona” or “covid19”, attempting to access registry settings on endpoints with the intention of stealing credentials stored in browsers
- A domain was found to distribute a fake Coronavirus outbreak tracker app which, once installed, locks the screen of the device and shows a ransom note claiming that the phone has been encrypted, coercing victims to pay $100 in Bitcoin within 48 hours
What we’re doing about it:
- Turning on proactive block rules on firewall, proxy devices, and other in-line security tools to stop communication to these domains
- Our ServiceDesk resources are resetting passwords for users who have visited such domains
Recommendations:
- When seeking information about Coronavirus, only visit trusted websites
Phishing Activity
- Multiple email campaigns have been detected impersonating official organizations, containing malicious attachments with links to infected sites
- Legitimate-looking emails containing embedded links or attachments, sent from typo-squat variants of official domain names
What we’re doing about it:
- We are increasing tracking of all activity to newly created or rare domains
Recommendations:
- Be wary of emails about Coronavirus, especially if they come from outside your organization
- Do not open emails that appear to come from the UN, WHO, CDC, FDA, etc., unless your organization is in the healthcare field
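The two observations above (lure words such as “corona”/“covid19” in newly created domains, and typo-squat variants of official domain names) can be turned into a simple triage check over proxy or DNS logs. The following is an added illustration, not Ascend's tooling; the official-domain list, the one-edit threshold and the log lines are constructed assumptions, and matches are meant for review, not automatic blocking.

```python
# Constructed list of official sources the advisory says are being impersonated.
OFFICIAL = ("who.int", "cdc.gov", "fda.gov", "un.org")
KEYWORDS = ("corona", "covid")  # lure words seen in the malicious domains

# Constructed proxy log lines: timestamp, user, requested host, action.
SAMPLE_LOG = """\
2020-03-18T09:12:03Z alice www.who.int ALLOW
2020-03-18T09:14:41Z bob wh0.int ALLOW
2020-03-18T09:15:02Z carol cdc.gov.update-login.example ALLOW
2020-03-18T09:16:30Z dave covid19-relief.example ALLOW
2020-03-18T09:17:11Z erin intranet.example ALLOW
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance (single-character insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    """Label a hostname: official, lookalike-subdomain, typo-squat, keyword or clean."""
    host = host.lower().rstrip(".")
    base = ".".join(host.split(".")[-2:])  # registrable part, e.g. "who.int"
    if base in OFFICIAL:
        return "official"
    for official in OFFICIAL:
        # "cdc.gov.update-login.example": the real name used as a leading subdomain.
        if host.startswith(official + "."):
            return "lookalike-subdomain"
        # One edit away from an official name ("wh0.int"); a looser threshold
        # would also match unrelated short domains, so keep this for review only.
        if levenshtein(base, official) <= 1:
            return "typo-squat"
    if any(k in host for k in KEYWORDS):
        return "keyword"  # legitimate news sites match too, so triage by hand
    return "clean"

def flag_proxy_log(log: str) -> list:
    """Return (user, host, verdict) for every request that deserves a look."""
    flagged = []
    for line in log.splitlines():
        _ts, user, host, _action = line.split()
        verdict = classify(host)
        if verdict not in ("official", "clean"):
            flagged.append((user, host, verdict))
    return flagged
```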
Remote VPN Activity
- Attackers have also started impersonating users, based on information found on LinkedIn and other social media platforms, to trick support teams into issuing “one-time passcodes”
- Increased volume of MFA enrollment requests from unusual locations
What we’re doing about it:
- Enabling enhanced logging to identify behavior anomalies, using geo-location information associated with user accounts and with the devices from which those accounts are seen accessing the network
Recommendations:
- Be alert for potential vulnerabilities in remote access tools
- Ensure that remote access mechanisms require MFA
User Account Misuse Activity
- Users authenticating from multiple different countries
- Increased use of custom IM and teleconferencing applications installed by employees
- “Shadow IT” remote access tools installed by employees
What we’re doing about it:
- We are revising device management policies to maintain consistent security standards
- Watching for new attack types that may originate from users’ home environments
Recommendations:
- Watch for “shadow IT” tools users may install without proper security considerations
Consumer Scams
- Companies advertising remedies and treatment of COVID-19
- Fake charities or hospitals requesting donations
- Fraudulent calls and text messages impersonating banks with COVID-19 relief checks
What we’re doing about it:
- Continued monitoring of advisories from government consumer protection agencies and of community-based threat intelligence
Recommendations:
- Use an anti-phishing toolbar to warn of scam websites (Safari, Chrome, Firefox)
Data Risks of a Remote Workforce
- Overtaxed IT staff focusing on workforce deployment, not security
- Anxious or distracted employees can make bad decisions
- Data loss through employees taking information home
What we’re doing about it:
- Reviewing and updating incident response plans to ensure security incidents can be addressed and responded to with a remote workforce
- Conducting exercises that simulate an incident in which multiple members of the IR team are unavailable or working remotely
Recommendations:
- Do not share personal or financially sensitive information over the Internet
- Ensure anti-virus tools with endpoint detection and response (EDR) capabilities are installed on all endpoints
Written by Kris Hurtado