Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

After Adopting COVID-19 Lures, Sophisticated Groups Target Remote Workers

While coronavirus-themed emails and files have been used as a lure for weeks, attackers now are searching for ways to actively target VPNs and remote workers to take advantage of weaker security.

Since February, a variety of advanced cybercriminals have adopted themes around the evolving coronavirus pandemic in attempts to convince targeted users to click on phishing links or install malware. Now attackers are actively attempting to take advantage of the vulnerable infrastructure exposed by the massive number of employees working from home, security experts and government agencies warned this week.

In a single 24-hour period, Microsoft detected a massive phishing campaign using 2,300 different Web pages attached to messages and disguised as COVID-19 financial compensation information that actually lead to a fake Office 365 sign-in page to capture credentials, the company stated in a blog post published today. Cybercriminals are also actively discussing the collaboration platforms, virtual private networks (VPNs), and systems currently used by companies for remote work, threat-intelligence platform IntSights stated in an advisory published Tuesday. 

"The biggest change is not the type of attacks but the situation where you have the majority of the workforce working from home," says Etay Maor, chief security officer for IntSights. "Workers are making some basic security hygiene mistakes, and the threat actors have been made aware of this — these issues are constantly being discussed, and the criminals are very agile to adapting to new situations."

Coronavirus themes have become the favored approach for many cybercriminals to trick users into falling prey to the latest attacks, and advanced groups often use the approach as well. Chinese, Russian, and North Korean cyber-espionage groups have all adopted pandemic-themed lures for phishing attacks and targeted efforts. Now the Maze cybercriminal group, the Pakistan-linked APT36, and the financial-focused FIN7 group have adopted the techniques as well.

A joint advisory issued today by US and UK cyber defense agencies warned that activity by advanced persistent threat (APT) groups has risen significantly.

"APT groups are using the COVID-19 pandemic as part of their cyber operations," the advisory stated. "These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and 'hack-and-leak' operations."

The overall volume of attacks is not necessarily growing, but various groups are switching to COVID-19 themes to convince concerned end users to click on links, install malware, or fall for fraud, said Rob Lefferts, corporate vice president for Microsoft 365 Security, in a blog post today. These attacks, however, account for less than 2% of all attacks seen by Microsoft on a daily basis, he stated.

"Attackers don't suddenly have more resources they're diverting towards tricking users; instead they're pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click," Lefferts wrote, adding, "the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear."

Of particular worry for security teams and national cybersecurity agencies is the mass move to remote work. The Cyber Infrastructure Security Agency (CISA), for example, has seen increased scanning for vulnerabilities in Citrix's Application Delivery Controller and Gateway products. 

"Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking," CISA said in its advisory. "Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software."

In March, security firm Malwarebytes published research demonstrating that the Pakistan-linked APT36 had begun using COVID-19 themes for spear-phishing and watering hole attacks. The group, which conducts cyber espionage against Indian political and diplomatic targets, attempted to fake health advisory documents to drop a remote-access tool known as CrimsonRAT.

The current targets continue to be "based on the threat actors' intents and motivations and usually is aligned with their past campaigns," stated the Malwarebytes Threat Intelligence Team in response to questions from Dark Reading. "For example, Kimsuky is a group that has been known to target South Korean users and this is visible in their COVID-19 campaign customized for this particular demographic."

Microsoft has taken a proactive approach to finding vulnerable networks that could be targeted by nation-state and cybercriminal groups, especially those belonging to healthcare firms, and helping them close the gaps.

In a blog published at the beginning of April, the company said sophisticated cybercriminal groups had targeted several dozens of hospitals, so Microsoft identified those organizations that had vulnerable gateway and VPN appliances in their infrastructure. 
"To help these hospitals, many already inundated with patients, we sent out a ... targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others," Microsoft stated.

Related Content:

A listing of free security products and services compiled for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Soothing Security Products We Wish Existed."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains a race condition vulnerability in the Web Threat Protection Blocklist component, that if exploited, could allow an attacker to case a kernel panic or crash. An attacker must first obtain the ability to execute high-privileged code on the targ...
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure vulnerability that if exploited, could allow kernel pointers and debug messages to leak to userland. An attacker must first obtain the ability to execute high-privi...
PUBLISHED: 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s pass...
PUBLISHED: 2020-10-29
A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality
PUBLISHED: 2020-10-29
Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view.