The following information was sent by the US Department of Homeland Security:

This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC).

APT groups are using the COVID-19 pandemic as part of their cyber operations. These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and "hack-and-leak" operations.

Cybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.

Both APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Threats observed include:

  *   Phishing, using the subject of coronavirus or COVID-19 as a lure,
  *   Malware distribution, using coronavirus- or COVID-19-themed lures,
  *   Registration of new domain names containing wording related to coronavirus or COVID-19, and
  *   Attacks against newly, and often rapidly, deployed remote access and teleworking infrastructure.

Malicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:

  *   Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware.
     *   For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install "CovidLock" ransomware on their device. [1] <https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>

  *   Open a file (such as an email attachment) that contains malware.
     *   For example, email subject lines contain COVID-19-related phrases such as "Coronavirus Update" or "2019-nCov: Coronavirus outbreak in your city (Emergency)".

To create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with "Dr." in their title. In several examples, actors send phishing emails that contain links to a fake email login page. Other emails purport to be from an organization's human resources (HR) department and advise the employee to open the attachment.

Malicious file attachments containing malware payloads may be named with coronavirus- or COVID-19-related themes, such as "President discusses budget savings due to coronavirus with Cabinet.rtf."
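The indicators described above (themed subject lines, a sender name that claims WHO or a "Dr." title, themed attachment names) can be checked mechanically during mail triage. The following is an added example, not part of the DHS/NCSC alert; the indicator labels, the accepted-domain table and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure wording taken from the alert; extend it for your own mail flow.
LURE = re.compile(r"corona\s?virus|covid[-\s]?19|2019-ncov", re.I)
# Assumption: names a sender may claim, with the domains accepted for them.
CLAIMED = [(re.compile(r"(?i:world health organization)|\bWHO\b"), {"who.int"})]

def triage(raw):
    """Return the alert's indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    themed = bool(LURE.search(str(msg.get("Subject", ""))))
    if themed:
        hits.append("themed-subject")
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for pattern, domains in CLAIMED:
        ok = any(domain == d or domain.endswith("." + d) for d in domains)
        # Display name claims a trusted body but the address is elsewhere.
        if pattern.search(name) and not ok:
            hits.append("display-name-mismatch")
    # "Dr." alone is common; only count it alongside a themed subject.
    if themed and re.match(r"\s*dr\.?\s", name, re.I):
        hits.append("dr-title-with-lure")
    for part in msg.walk():
        if LURE.search(part.get_filename() or ""):
            hits.append("themed-attachment")
    return hits

def sample(sender, subject, attachment=None):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content("constructed sample body")
    if attachment:
        m.add_attachment(b"x", maintype="application", subtype="rtf",
                         filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    spoof = sample('"World Health Organization" <alerts@who-int.example>',
                   "2019-nCov: Coronavirus outbreak in your city (Emergency)",
                   "Coronavirus Update.rtf")
    print(triage(spoof))
```

A From address at the genuine domain can still be forged, so treat these hits as triage signals and read them together with the SPF, DKIM and DMARC results your mail gateway records.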

For more information on the specific attacks seen and to be on the lookout for these attacks, visit the US-CERT government site. The link directly to the bulletin is at the address below (change hxxps to https, [dot] to . when copying or typing the URL in your browser):

hxxps://www[dot]us-cert[dot]gov/ncas/alerts/aa20-099a

If you receive a suspicious email and think it might be a phish - raise the alarm.  Click the REPORT PHISH button in your Outlook client.  Thanks and be well,

Cheryl

Cheryl O'Dell, MBA, CISSP, GCFE
Incident Response Manager
Cybersecurity & Identity|ITS|
501 127H, 68588-0203
University of Nebraska |nebraska.edu
Kearney|Lincoln|Omaha
402-472-7851 (o)