By Ryan Olson
When people ask me what Unit 42 does, the most concise answer I can normally give is “we research bad guys doing bad things.” With the onset of the COVID-19 pandemic spreading around the world, many of us have had to adapt our lives to accommodate the new reality. Bad guys are no different. They’ve also adapted and are taking advantage of this pandemic to launch cyber attacks.
The biggest opportunity for cyber attackers with this outbreak has nothing to do with technology, but with how humans change their behavior and patterns in response to the crisis.
The purpose of this report is not to contribute to the fear and anxiety many of us are already experiencing, but to help you be informed about what is happening and how to protect yourself and your organization. We will update this blog as new information comes to light.
Phishing/Malware Distribution using COVID-19 Themes
As with other high-profile events, attackers are taking advantage of the high amount of attention paid to COVID-19 to lure victims into opening attachments on malicious emails and click on phishing links. This is not a single attack or event campaign, but widespread use of virus-related themes. We’ve identified malicious emails using subjects containing COVID-19 and related keywords carrying Remote Administration Tools (RATs) like NetWire, NanoCore, and LokiBot, as well as other malware.
• CORONAVIRUS (COVID-19) UPDATE // BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MARCH 2020.
• Latest corona-virus updates
• UNICEF COVID-19 TIPS APP
• POEA HEALTH ADVISORY re-2020 Novel Corona Virus.
• WARNING! CORONA VIRUS
Example file attachment names include:
• AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe
• Coronavirus COVID-19 upadte.xlsx
• CORONA VIRUS1.uue
• CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm
• covid19.ZIP
Neither of these lists is exhaustive and new variants on these themes will quickly emerge. Expect these to continue in the coming weeks and months. As the news evolves, the attackers will adapt. We simultaneously see the same attacks using common themes related to tax filing, invoices, and shipping orders.
Fake applications
As people seek out information about COVID-19, how it is impacting them, and how they can stay safe, many are looking to their smartphone for help. There have already been multiple cases reported of malicious Android applications that claim to offer information about the virus. These allow the attacker to spy on you through your devices, or encrypt your device and hold it for ransom.
As always, Android users should not install applications from untrusted sources (stick to the Google Play store) and iPhone users should not jailbreak their phones and install apps from third-party sources (stick to the App Store).
COVID-19 Themed Domain Names
In the past few weeks, thousands (in fact over 100,000) of domains have been registered containing terms like “covid,” “virus”, and “corona.” Not all of these will be malicious, but all of them should be treated as suspect. Whether they claim to have information, a testing kit, or a cure, the fact that the website didn’t exist until the pandemic became news should make you very skeptical of their validity.
How we are protecting you
In general, the best practices we recommend are still the right way to keep your organization and your network protected from these threats. Our products and services are just as capable at preventing threats using COVID-19 related themes as they are for other messages that track users into clicking links and opening attachments. Consider taking the following actions to ensure you are taking advantage of our protection:
• Run a Best Practice Assessment to identify where your configuration could be altered to improve your security posture.
• Use PAN-DB URL Filtering to block the “Newly-Registered Domains”, which contains domains registered in the last 32 days. While these may not all be malicious, it could prevent your users from succumbing to scams.
(The author is the Vice President, Threat Intelligence (Unit 42) – Palo Alto Networks)