Cyber Threats Associated with the Coronavirus/COVID-19 Global Outbreak
Cyber Threat Intelligence Alert 17 March 2020
DXC Intelligence

© 2020 DXC Technology Company. All rights reserved.


Overview

At the time of writing, the Coronavirus Disease 2019 (COVID-19) is continuing to spread widely across the globe, with large numbers of confirmed cases clustered around China, Italy, Iran, South Korea, Spain, France, Germany, and the United States. Available information indicates that the number of infections is likely to be much higher than the number of reported cases, which reflects confirmed cases, given that testing for the COVID-19 virus is limited.

In response to the COVID-19 outbreak, many public and private entities are quickly moving towards a remote business operation model that will continue to support operational continuity while mitigating the risk posed to the workforce through measures such as limited travel and working from home. These shifts to remote working present new and attractive intrusion vectors to threat actors as information security responsibilities are transferred beyond the boundaries of the corporate network. Examples of the additional attack vectors presented by this situation are:

• The use of poorly protected personal devices to handle sensitive corporate information

• Spoofing of corporate emails and websites purporting to discuss remote working arrangements and system configurations

• Incorrect or insecure configuration of remote access services such as corporate VPN systems

DXC Intelligence assesses that there will be a heightened level of threat actor activity in this period as threat actors look to capitalize on public uncertainty while both businesses and employees adapt to remote working practices.

Threat Highlight: Phishing

Phishing continues to be the primary initial attack vector used in COVID-19 related campaigns by both cybercriminal and nation state threat actors and is expected to continue to pose a significant threat in the coming months. The use of global current affairs in lure documents and emails is a trend that has been in use by many threat actors for a number of years, and both criminal and nation state threat actors have been taking advantage of COVID-19 to produce lures related to health guidance and infection rate news for the last two months.

In addition to health-related lures, it is considered highly likely that threat actors could take advantage of the shift to remote working using lure documents related to corporate guidance and procedures, and Human Resources and leadership correspondence.

Scam Websites

DXC Intelligence has observed a large number of COVID-19 related domain names being purchased. While the intended use of these sites is not clear at the time of writing, DXC Intelligence assesses that it is highly likely that they will be used in various scam operations or to further distribute malware. Scam websites are likely to be used to promote fake charities, fraudulent health products (including face masks, COVID-19 tests and vaccinations), or ask for donations to fundraising efforts to support vaccine development.


Cybercrime

There has been significant criminal activity across all industry verticals and geographic regions related to the COVID-19 outbreak. Campaigns have been observed in multiple languages, using multiple attachment types, and using varying breadth of information relating to the outbreak. This activity demonstrates that the scope of criminal activities has been and is likely to remain wide. COVID-19 based lure documents have been used to distribute Emotet, TrickBot, and other malware. There have also been instances of criminal groups attempting to sell COVID-19 themed tools.

Nation State

Despite the impact on their respective countries, multiple nation state threat actors have been observed using COVID-19 themed operations, with actors working on behalf of the Democratic People’s Republic of Korea (North Korea) and China both using such techniques.

Threat Highlight: Remote Working Services

As many public and private entities request many employees to work from home, organizations will need to increase the use of remote access services in order to support their workforce. Deploying additional remote access services in a short window could pose a security risk when combined with the potential for human error-enabled security lapses.

Recent months have seen an increase in the number of high and critical severity vulnerabilities in several corporate VPN solutions. The urgent need for additional remote access resources may see an increase in vulnerable services being deployed in a rush to meet the business demand.

Criminal threat actors continually collect credentials for remote access services which could provide them with access to accounts and internal corporate systems. The cybercriminal Big Game Hunting (BGH) ransomware industry in particular leverages Remote Desktop Protocol (RDP) brute forcing and password spraying as an initial attack vector. As many such actors are active it is considered highly likely that they will look to capitalize on the potential increase in remote access services to escalate their activity.
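
An added example (not part of the DXC alert) of how a defender might tell the two credential attacks named above apart in remote access authentication logs: password spraying appears as one source failing against many accounts, brute forcing as one source failing repeatedly against a single account. The event layout, the thresholds, the `classify_sources` helper and the sample events (documentation-range IPs) are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def _t(minute, second=0):
    return f"2020-03-17T09:{minute:02d}:{second:02d}"

# Constructed sample events: (timestamp, source IP, account, outcome), as a
# hypothetical RDP/VPN gateway might log them. None of this is real data.
SAMPLE_EVENTS = (
    # one source, a single failed attempt against each of six accounts
    [(_t(0, i * 5), "203.0.113.10", f"user{i}", "FAIL") for i in range(6)]
    # one source failing repeatedly against a single account
    + [(_t(1, i * 4), "198.51.100.7", "admin", "FAIL") for i in range(12)]
    # an ordinary user mistyping twice before logging in
    + [(_t(2, 0), "192.0.2.44", "alice", "FAIL"),
       (_t(2, 20), "192.0.2.44", "alice", "FAIL"),
       (_t(2, 40), "192.0.2.44", "alice", "OK")]
)

def classify_sources(events, window=timedelta(minutes=10),
                     spray_accounts=5, brute_attempts=10):
    """Return {source_ip: 'password_spray' | 'brute_force'} for noisy sources."""
    failures = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # slide the window so it only covers failures within `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in items[start:end + 1])
            if len(per_user) >= spray_accounts:      # many accounts, one source
                verdicts[src] = "password_spray"
                break
            if max(per_user.values()) >= brute_attempts:  # one account hammered
                verdicts[src] = "brute_force"
                break
    return verdicts

if __name__ == "__main__":
    print(classify_sources(SAMPLE_EVENTS))
```

The window and thresholds need tuning against normal login behaviour for the environment before this kind of rule is used for alerting.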

DXC Global Cyber Threat Intelligence Assessment

At this time, the global COVID-19 outbreak is increasing across the globe, causing health concerns and significant disruptions to businesses. DXC assesses that malicious cyber threat actors will continue to take advantage of the situation where they can during this time and, as such, it is imperative that businesses and employees remain aware of the potential cyber threats they face while they make transitions to alternative business continuity plans.

DXC recommends adopting a strong defensive posture by ensuring remote services, VPNs, and multi-factor authentication solutions are fully patched and properly integrated, and by providing security awareness for employees working from home.


DXC CTI recommends:

• Ensure that all remote access systems are patched to current levels.

• Confirm the configuration of any remote access solutions recently deployed to meet increased demand.

• Ensure the use of Multi-Factor Authentication (MFA) for all remote workers to mitigate the potential misuse of compromised credentials.

• Educate users to regard unsolicited emails, especially medical advisory emails, with caution, especially if they have links or attachments.

• Wherever possible, dedicated corporate devices should be provided to home working employees. This ensures that good endpoint security can be maintained.

• If dedicated corporate endpoint devices are not available, consider the use of MFA protected Remote Desktop Protocol (RDP) services to process corporate information without removing it from organizational network borders.



Get the latest DXC threat intelligence updates. Visit www.dxc.technology/threats.

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

About DXC Technology

As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

DXC Labs | Security

DXC Labs delivers thought leadership and technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs