Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

After Adopting COVID-19 Lures, Sophisticated Groups Target Remote Workers

While coronavirus-themed emails and files have been used as a lure for weeks, attackers now are searching for ways to actively target VPNs and remote workers to take advantage of weaker security.

Since February, a variety of advanced cybercriminals have adopted themes around the evolving coronavirus pandemic in attempts to convince targeted users to click on phishing links or install malware. Now attackers are actively attempting to take advantage of the vulnerable infrastructure exposed by the massive number of employees working from home, security experts and government agencies warned this week.

In a single 24-hour period, Microsoft detected a massive phishing campaign using 2,300 different Web pages attached to messages and disguised as COVID-19 financial compensation information that actually lead to a fake Office 365 sign-in page to capture credentials, the company stated in a blog post published today. Cybercriminals are also actively discussing the collaboration platforms, virtual private networks (VPNs), and systems currently used by companies for remote work, threat-intelligence platform IntSights stated in an advisory published Tuesday. 

"The biggest change is not the type of attacks but the situation where you have the majority of the workforce working from home," says Etay Maor, chief security officer for IntSights. "Workers are making some basic security hygiene mistakes, and the threat actors have been made aware of this — these issues are constantly being discussed, and the criminals are very agile to adapting to new situations."

Coronavirus themes have become the favored approach for many cybercriminals to trick users into falling prey to the latest attacks, and advanced groups often use the approach as well. Chinese, Russian, and North Korean cyber-espionage groups have all adopted pandemic-themed lures for phishing attacks and targeted efforts. Now the Maze cybercriminal group, the Pakistan-linked APT36, and the financial-focused FIN7 group have adopted the techniques as well.

A joint advisory issued today by US and UK cyber defense agencies warned that activity by advanced persistent threat (APT) groups has risen significantly.

"APT groups are using the COVID-19 pandemic as part of their cyber operations," the advisory stated. "These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and 'hack-and-leak' operations."

The overall volume of attacks is not necessarily growing, but various groups are switching to COVID-19 themes to convince concerned end users to click on links, install malware, or fall for fraud, said Rob Lefferts, corporate vice president for Microsoft 365 Security, in a blog post today. These attacks, however, account for less than 2% of all attacks seen by Microsoft on a daily basis, he stated.

"Attackers don't suddenly have more resources they're diverting towards tricking users; instead they're pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click," Lefferts wrote, adding, "the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear."

Of particular worry for security teams and national cybersecurity agencies is the mass move to remote work. The Cyber Infrastructure Security Agency (CISA), for example, has seen increased scanning for vulnerabilities in Citrix's Application Delivery Controller and Gateway products. 

"Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking," CISA said in its advisory. "Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software."

In March, security firm Malwarebytes published research demonstrating that the Pakistan-linked APT36 had begun using COVID-19 themes for spear-phishing and watering hole attacks. The group, which conducts cyber espionage against Indian political and diplomatic targets, attempted to fake health advisory documents to drop a remote-access tool known as CrimsonRAT.

The current targets continue to be "based on the threat actors' intents and motivations and usually is aligned with their past campaigns," stated the Malwarebytes Threat Intelligence Team in response to questions from Dark Reading. "For example, Kimsuky is a group that has been known to target South Korean users and this is visible in their COVID-19 campaign customized for this particular demographic."

Microsoft has taken a proactive approach to finding vulnerable networks that could be targeted by nation-state and cybercriminal groups, especially those belonging to healthcare firms, and helping them close the gaps.

In a blog published at the beginning of April, the company said sophisticated cybercriminal groups had targeted several dozens of hospitals, so Microsoft identified those organizations that had vulnerable gateway and VPN appliances in their infrastructure. 
 
"To help these hospitals, many already inundated with patients, we sent out a ... targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others," Microsoft stated.

Related Content:

A listing of free security products and services compiled for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Soothing Security Products We Wish Existed."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5615
PUBLISHED: 2020-08-04
Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2020-5616
PUBLISHED: 2020-08-04
[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] fre...
CVE-2020-5617
PUBLISHED: 2020-08-04
Privilege escalation vulnerability in SKYSEA Client View Ver.12.200.12n to 15.210.05f allows an attacker to obtain unauthorized privileges and modify/obtain sensitive information or perform unintended operations via unspecified vectors.
CVE-2020-11583
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
CVE-2020-11584
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.