The FBI, which has been asking for extreme vigilance around phishing incursions with a COVID-19 dimension, has released ‘indicators of compromise’ and ‘hashes’ to help in this worthy fight.
Phishing Scams
Employees across a wide range of sectors have seen increasing numbers of COVID-19 themed phishing scams. Attackers follow trends in the news and capitalise on fear; it is a pivotal technique in their phishing campaigns.
However, this week the Federal Bureau of Investigation (FBI) gave administrators a much better description of what to look for. On Tuesday, the FBI issued a ‘Flash Alert’ giving technical details of the phishing attacks detected to date, along with ‘Indicators of Compromise’ (IOCs) and hashes connected to current campaigns, to assist network defenders.
Flash Alert
This ‘Flash Alert’ lists phishing attacks on healthcare, US-based medical providers in particular, that have used Microsoft Word document files, 7-zip compressed files, Microsoft Visual Basic Script, Java, and Microsoft executables as attachments.
While the FBI notes that it is not certain of the capabilities of the malicious attachments, it believes that, like the bulk of malicious attachments, they would be used as an ‘intrusion vector’, something that could lead to system exploitation, persistence, and data exfiltration.
Business Contingency Alert
Many of these phishing campaigns have subject lines that are designed to gain the user’s attention, such as “Information about COVID-19 in the United States,” “Business contingency alert – COVID-19” and “World Health Organization/Let’s fight Corona Virus together.”
Mitigate
The FBI’s recommendations for mitigating these attacks are in line with accepted guidance for preventing phishing.
The FBI asks employees, if they are not already, to follow these simple rules:
- Be wary of unsolicited attachments, even from people you know. Cyber actors can “spoof” the return address, making it look like the message came from a trusted associate.
- Keep software up to date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities.
- If an email or email attachment seems suspicious, do not open it, even if your antivirus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the antivirus software might not have the signature.
- Save and scan any attachments before opening them.
- Turn off the option to automatically download attachments. To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option and disable it.
- Consider creating separate accounts on your computer. Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges. Some viruses need “administrator” privileges to infect a computer.
- Apply additional security practices. You may be able to filter certain types of attachments through your email software or a firewall.
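As an added example (not code from the FBI alert or this article), here is a Python triage sketch that applies the two signals the alert gives defenders, the quoted subject themes and the named attachment types, to constructed sample messages; the extension mapping and the quarantine/review thresholds are assumptions.

```python
"""Triage email metadata against the attachment types and subject themes named in the FBI flash alert (samples below are constructed, not real IOCs)."""
import re

# Attachment types named in the alert: Word documents, 7-zip archives, Visual
# Basic Script, Java and Windows executables. The extension set is our mapping.
RISKY_EXTENSIONS = {".doc", ".docx", ".docm", ".7z", ".vbs", ".vbe", ".jar", ".exe"}

# Subject themes quoted in the alert, matched case-insensitively.
SUBJECT_PATTERNS = {
    "covid": re.compile(r"covid[\s-]*19", re.I),
    "corona": re.compile(r"corona\s*virus", re.I),
    "contingency": re.compile(r"business contingency alert", re.I),
    "who": re.compile(r"world health organi[sz]ation", re.I),
}

def risky_attachments(filenames):
    """Names whose final extension is risky; 'invoice.pdf.exe' is judged by '.exe'."""
    flagged = []
    for name in filenames:
        ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged

def subject_themes(subject):
    """Theme labels whose pattern appears in the subject line."""
    return [label for label, pat in SUBJECT_PATTERNS.items() if pat.search(subject)]

def triage(msg):
    """Verdict for a message dict with 'subject' and 'attachments': quarantine when a
    themed subject carries a risky attachment, review on one signal, deliver on none."""
    themes = subject_themes(msg["subject"])
    risky = risky_attachments(msg.get("attachments", []))
    if themes and risky:
        verdict = "quarantine"
    elif themes or risky:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, {"themes": themes, "risky_attachments": risky}

# Constructed samples modelled on the subject lines quoted in the alert.
SAMPLES = [
    {"subject": "Information about COVID-19 in the United States",
     "attachments": ["covid_update.doc"]},
    {"subject": "World Health Organization/Let's fight Corona Virus together",
     "attachments": ["WHO_notice.pdf.exe"]},
    {"subject": "Q2 budget review", "attachments": ["budget.xlsx"]},
]
```

Run `triage(m)` over `SAMPLES` to see the first two quarantined and the last delivered; a real gateway would also block the 7-zip and executable types outright as the alert's last bullet suggests.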
That bad actors tie their tactics to a theme like COVID-19 is not new, but the fact that COVID-19 is a global pandemic, and on practically everyone’s mind, has definitely moved their campaigns up a gear.
Google recently observed that its systems found 18 million malware and phishing messages a day linked to COVID-19, in addition to over 240 million COVID-themed spam messages.
Though some campaigns impersonate health organisations, as the FBI mentioned, many international and national health organisations have themselves become targets, Google says.
World Health Organisation (WHO)
A particular attack appears to use a domain that mimics the World Health Organisation’s (WHO) login page. This development reflects a change in tactics rather than an overall growth in the number of attacks, Shane Huntley of Google’s Threat Analysis Group explained this week.
Charming Kitten and Packrat
Phishing attacks have also come from hackers linked to Iran, in particular a group named ‘Charming Kitten’, and from a South American threat actor identified in a 2015 Citizen Lab report as ‘Packrat’.
Healthcare organisations must do their utmost to maintain healthy IT operations too!