Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

After Adopting COVID-19 Lures, Sophisticated Groups Target Remote Workers

While coronavirus-themed emails and files have been used as a lure for weeks, attackers now are searching for ways to actively target VPNs and remote workers to take advantage of weaker security.

Since February, a variety of advanced cybercriminals have adopted themes around the evolving coronavirus pandemic in attempts to convince targeted users to click on phishing links or install malware. Now attackers are actively attempting to take advantage of the vulnerable infrastructure exposed by the massive number of employees working from home, security experts and government agencies warned this week.

In a single 24-hour period, Microsoft detected a massive phishing campaign using 2,300 different Web pages attached to messages and disguised as COVID-19 financial compensation information that actually lead to a fake Office 365 sign-in page to capture credentials, the company stated in a blog post published today. Cybercriminals are also actively discussing the collaboration platforms, virtual private networks (VPNs), and systems currently used by companies for remote work, threat-intelligence platform IntSights stated in an advisory published Tuesday. 

"The biggest change is not the type of attacks but the situation where you have the majority of the workforce working from home," says Etay Maor, chief security officer for IntSights. "Workers are making some basic security hygiene mistakes, and the threat actors have been made aware of this — these issues are constantly being discussed, and the criminals are very agile to adapting to new situations."

Coronavirus themes have become the favored approach for many cybercriminals to trick users into falling prey to the latest attacks, and advanced groups often use the approach as well. Chinese, Russian, and North Korean cyber-espionage groups have all adopted pandemic-themed lures for phishing attacks and targeted efforts. Now the Maze cybercriminal group, the Pakistan-linked APT36, and the financial-focused FIN7 group have adopted the techniques as well.

A joint advisory issued today by US and UK cyber defense agencies warned that activity by advanced persistent threat (APT) groups has risen significantly.

"APT groups are using the COVID-19 pandemic as part of their cyber operations," the advisory stated. "These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and 'hack-and-leak' operations."

The overall volume of attacks is not necessarily growing, but various groups are switching to COVID-19 themes to convince concerned end users to click on links, install malware, or fall for fraud, said Rob Lefferts, corporate vice president for Microsoft 365 Security, in a blog post today. These attacks, however, account for less than 2% of all attacks seen by Microsoft on a daily basis, he stated.

"Attackers don't suddenly have more resources they're diverting towards tricking users; instead they're pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click," Lefferts wrote, adding, "the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear."

Of particular worry for security teams and national cybersecurity agencies is the mass move to remote work. The Cyber Infrastructure Security Agency (CISA), for example, has seen increased scanning for vulnerabilities in Citrix's Application Delivery Controller and Gateway products. 

"Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking," CISA said in its advisory. "Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software."

In March, security firm Malwarebytes published research demonstrating that the Pakistan-linked APT36 had begun using COVID-19 themes for spear-phishing and watering hole attacks. The group, which conducts cyber espionage against Indian political and diplomatic targets, attempted to fake health advisory documents to drop a remote-access tool known as CrimsonRAT.

The current targets continue to be "based on the threat actors' intents and motivations and usually is aligned with their past campaigns," stated the Malwarebytes Threat Intelligence Team in response to questions from Dark Reading. "For example, Kimsuky is a group that has been known to target South Korean users and this is visible in their COVID-19 campaign customized for this particular demographic."

Microsoft has taken a proactive approach to finding vulnerable networks that could be targeted by nation-state and cybercriminal groups, especially those belonging to healthcare firms, and helping them close the gaps.

In a blog published at the beginning of April, the company said sophisticated cybercriminal groups had targeted several dozens of hospitals, so Microsoft identified those organizations that had vulnerable gateway and VPN appliances in their infrastructure. 
"To help these hospitals, many already inundated with patients, we sent out a ... targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others," Microsoft stated.

Related Content:

A listing of free security products and services compiled for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Soothing Security Products We Wish Existed."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Tell him only Kevin Mitnick and the President know the launch codes.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...