COVID-19: Staying Secure while Staying at Home

by | Apr 1, 2020

Large swathes of the workforce are navigating remote work for the first time as non-essential offices are mandated to close. While businesses quickly spin up the infrastructure to support their remote workers, cybercriminals are attempting to take advantage by exploiting VPN vulnerabilities, sowing disinformation, and sending out COVID-19-themed malware to trick victims.

Here are a few things to be aware of and how you and your organization can stay safe:

 

COVID-19-Themed Phishing Attacks 

Security Risk Advisors has observed over a dozen different COVID-19-themed phishing campaigns within the last month. Phishing campaigns attempt to convince users that a malicious email is legitimate by using urgent language and impersonating the user’s superior, coworker, or someone else they might want to connect with. Cybercriminals often include details about important work-, life-, or current events-related activities (ex. Tax season, Christmas bonuses, Political drama) to further entice users.

In the case of COVID-19, attackers are sending out emails with spoofed addresses that mimic health organizations or the organization of the victim. These emails claim to have important instructions for employees on how to conduct business during COVID-19; they may also claim to include reports and statistics from a health organization, with malicious attachments named similarly. Attackers also embed headlines and snippets from COVID-19 news stories into their malware to fool machine learning and artificial intelligence tools into thinking the user is clicking on legitimate information.

 

 

 

 

 

Several COVID-19 phishing emails observed by SRA

 

Security Risk Advisors recommends that users practice safe email security by:
  • Forwarding suspicious emails to your organization’s information security group or reaching out to the perceived sender via different communication (call, text, instant messaging). Your organization’s security team can identify and analyze suspicious emails, then take steps to block malicious activity to make sure you’re protected.
  • Hovering over the email sender and any links sent prior to responding or clicking anything. Cybercriminals will often obfuscate their identity and the links they send you with innocuous names.
  • Only opening attachments that you were expecting to receive. One of the most common ways attackers compromise a victim device is by convincing the victim to download an attachment and “enable macros”, which executes hidden code inside of the attachment.

 

Organizations can help users catch phishing emails by providing the following:
  • Publish a disaster communication plan within the organization that outlines a uniform source of information distribution. Make sure that employees are aware of and under the plan; if the information doesn’t come from that source but claims to be from the organization, users should assume it isn’t legitimate.
  • Enable banners on all external emails which notify users that an email did not originate from inside the organization
  • Create a group policy whitelist for those who specifically need to enable macros for their job. If an individual doesn’t need to enable macros, removing that capability reduces the ability of attackers to compromise their device in that way.
  • Keep machines patched and up-to-date in order to combat any new exploits used

 

 

COVID-19 Fake Programs

Since January 2020, over 100,000 domains with COVID-19 related terms were registered. Other phony programs have popped up in phishing campaigns, advertising, websites, comment sections, and even app stores. The malware utilized includes types of banking trojans, including Emotet and TrickBot, spyware variations, password stealers, and ransomware. Oftentimes, these websites and programs bundle their malware with legitimate COVID-19 materials—like the Johns Hopkins COVID-19 Global Cases tracker—or promotional deals to further convince victims that what they downloaded is legitimate. As a result, antivirus and other security tools might have a hard time detecting the malicious code prior to it executing, by which time it might already be too late.

Spyware that includes the JHU COVID-19 Tracker, Source: Reason Security

Legitimate COVID-19 Tracker, Source: Johns Hopkins

Security Risk Advisors recommends that users:
  • Only download attachments, applications, or access information, COVID-19 related or otherwise, from trusted sources.
  • Don’t remove/disable security protections or “jailbreak” your devices. Doing so will put you at greater risk of compromise.

 

Security Risk Advisors recommends that organizations:
  • Provide URL filtering via firewall configuration and DNS security to block newly-registered domains
  • Set up a device policy configuration to notify and or redirect users when they attempt to access a newly-registered or malicious domain.
  • Deploy an Endpoint Detection & Response (EDR) solution to give your organization real-time monitoring on individual devices, increasing the likelihood of detecting malicious activity.

 

Capitalizing Upon Remote Work

Large percentages of employees working from home amplifies the use of remote access, remote meeting, and file sharing tools. Even before COVID-19, attackers were exploiting popular remote access vulnerabilities to gain access to corporate environments. Now, they’re using the unfamiliarity of these tools to stage attacks that range from dangerous to the downright obscene.

Organizations must also contend with limitations in responses to abuse; it’s no longer feasible to cut off or throttle remote connections. Moreover, the uptick in traffic means that security teams may be overwhelmed by new data and have a harder time finding signal in the noise.

Users can protect themselves by the following:
  • Don’t connect to or send any sensitive data on untrusted or unprotected Wi-Fi networks.
  •  Configure personally owned devices to automatically download and install updates.

 

Here are some recommendations for organizations to stay secure:
  • Create a refined “impossible travel” alert (logins from locations physically far away from normal login locations) within security platforms to catch remote connections from malicious actors. Additionally, create a VIP home-city list that can be used to correlate VIP’s location when connecting back to the corporate network. Abnormal connections should be monitored. User Behavior Analytics (UBA) tools and VPN logs with true “source IPs” and or device fingerprinting can help with understanding normal activity for each account and employee.
  • Enforce passwords for all remote meetings to prevent unauthorized individuals from joining. As meetings move online with a remote workforce, understanding the security of digital gathering places is vital. Securing remote meetings can help prevent malicious actors from seeing sensitive data, but it can also prevent the awkward situation of uninvited parties (or simply your next meeting) joining your current meeting and seeing or hearing something they shouldn’t.
  • Utilize Virtual Private Networks (VPNs), remote access portals, or other remote access connections to connect employees with the organizational network.
  • Patch VPN and remote access solutions and have two-factor authentication enforced. Insecure remote access connections are the most effective remote entry point for cybercriminals.
  • Maintain strong mobile device management (MDM) software on any work-issued mobile device.
  • Restrict the use of personal devices when possible for work activities. If they must be used, enforce the same uniform MDM policy as for work-issued devices to have the same level of security as any organizational device. This can be done as a device attempts to logon via VPN or through an agent-based solution.
  • Disable insecure remote meeting defaults, including any file transfer options or allowing people to join before the host has arrived/after they have been kicked for malicious activity.
  • Establish a Data Loss Protection (DLP) policy that outlines acceptable use of devices and data across work and home networks. The organization’s security team should also configure DLP policies to notify them and or quarantine upon suspected misuse of data.

COVID-19 has changed how businesses and employees do work and interact with one another, and as with any major world event, cybercriminals are attempting to capitalize. You and your organization can protect yourselves by practicing security best practices, even while you work from your couch in your pajamas.

Kyle Sheely
Senior Consultant, GMON, GCIH, Project+, CySA+ | Archive

Kyle specializes in continuous monitoring, threat hunting, and malware analysis. He is proficient in SIEM operations, email security, and data loss protection (DLP).

Kyle is GIAC GCIH, GMON, CompTIA CySA+, and Project+ certified and is pursuing his ITILv4 Foundations certification to further his information security education.

Kyle recently presented a workshop at DEFCON28 on Using the Attack Lifecycle in Incident Response.

Prior to Security Risk Advisors, Kyle provided network security for the Government of Colombia.