Unit 42 issues threat brief on how hackers are exploiting COVID-19

Ryan Olson, Vice President, Threat Intelligence, Unit 42 at Palo Alto Networks
5 years ago

Ryan Olson, Vice President, Threat Intelligence, Unit 42 at Palo Alto Networks talks about how cyber attackers are taking advantage of the COVID-19 pandemic.

When people ask me what Unit 42 does, the most concise answer I can normally give is “we research bad guys doing bad things.” With the onset of the COVID-19 pandemic spreading around the world, many of us have had to adapt our lives to accommodate the new reality. Bad guys are no different. They’ve also adapted and are taking advantage of this pandemic to launch cyber attacks.

The biggest opportunity for cyber attackers with this outbreak has nothing to do with technology, but with how humans change their behaviour and patterns in response to the crisis. The purpose of this report is not to contribute to the fear and anxiety many of us are already experiencing, but to help you be informed about what is happening and how to protect yourself and your organisation. We will update this blog as new information comes to light.

Phishing and malware distribution using COVID-19 themes

As with other high-profile events, attackers are taking advantage of the high level of attention paid to COVID-19 to lure victims into opening attachments in malicious emails and clicking on phishing links. This is not a single attack or campaign, but widespread use of virus-related themes. We’ve identified malicious emails using subjects containing COVID-19 and related keywords carrying Remote Administration Tools like NetWire, NanoCore, and LokiBot, as well as other malware. Example email subjects include:

  • CORONAVIRUS (COVID-19) UPDATE // BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MARCH 2020.
  • Latest corona-virus updates
  • UNICEF COVID-19 TIPS APP
  • POEA HEALTH ADVISORY re-2020 Novel Corona Virus.
  • WARNING! CORONA VIRUS

Example file attachment names include:

  • AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe
  • Coronavirus COVID-19 upadte.xlsx
  • CORONA VIRUS1.uue
  • CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm
  • covid19.ZIP

Neither of these lists is exhaustive and new variants on these themes will quickly emerge. Expect these to continue in the coming weeks and months. As the news evolves, the attackers will adapt. We simultaneously see the same attacks using common themes related to tax filing, invoices, and shipping orders.
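A mail-gateway style triage of attachment names like the ones listed above, added here as an example and not taken from Unit 42 or Palo Alto Networks tooling. The extension sets, the verdict names and the `triage` function are assumptions made for this illustration; the theme terms reuse “covid”, “virus” and “corona” from this article.

```python
import re

# Constructed policy sets for this example; tune them to your own mail gateway.
THEME = re.compile(r"covid|corona|virus", re.IGNORECASE)
EXECUTABLE = {"exe", "scr", "com", "pif", "js", "vbs"}
MACRO_OFFICE = {"xlsm", "docm", "pptm"}
ARCHIVE = {"zip", "uue", "rar", "7z", "iso"}
DOCUMENT = {"pdf", "doc", "docx", "xls", "xlsx"}

def triage(filename):
    """Return (verdict, reasons) for one attachment file name."""
    stem, _, ext = filename.strip().rpartition(".")
    ext = ext.lower()
    reasons = []
    if ext in EXECUTABLE:
        reasons.append("executable extension ." + ext)
        # A document type right before the real extension ("_pdf.exe") is a decoy.
        decoy = re.search(r"[._ -]([a-z0-9]{2,4})$", stem.lower())
        if decoy and decoy.group(1) in DOCUMENT:
            reasons.append("document decoy '%s' before extension" % decoy.group(1))
    elif ext in MACRO_OFFICE:
        reasons.append("macro-enabled Office file")
    elif ext in ARCHIVE:
        reasons.append("archive or encoded container hides its contents")
    themed = bool(THEME.search(filename))
    if themed:
        reasons.append("COVID-19 themed name")
    hidden = ext in MACRO_OFFICE or ext in ARCHIVE
    if ext in EXECUTABLE:
        return "block", reasons
    if themed and hidden:
        return "quarantine", reasons
    if themed or hidden:
        return "review", reasons
    return "allow", reasons

# The attachment names listed above, plus one constructed benign name.
SAMPLES = [
    "AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe",
    "Coronavirus COVID-19 upadte.xlsx",
    "CORONA VIRUS1.uue",
    "CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm",
    "covid19.ZIP",
    "Q1 budget.xlsx",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(triage(name), name)
```

Matching on “virus” also flags legitimate names such as antivirus reports, which is why a themed name on its own only reaches the review verdict.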

Fake applications

As people seek out information about COVID-19, how it is impacting them, and how they can stay safe, many are looking to their smartphone for help. There have already been multiple cases reported of malicious Android applications that claim to offer information about the virus. These allow the attacker to spy on you through your devices, or encrypt your device and hold it for ransom.

As always, Android users should not install applications from untrusted sources and should stick to the Google Play store; iPhone users should not jailbreak their phones or install apps from third-party sources, and should stick to the App Store.

COVID-19 themed domain names

In the past few weeks, thousands of domains have been registered containing terms like “covid,” “virus,” and “corona.” Not all of these will be malicious, but all of them should be treated as suspect. Whether they claim to have information, a testing kit, or a cure, the fact that the website didn’t exist until the pandemic became news should make you very skeptical of their validity.

How we’re protecting you

In general, the best practices we recommend are still the right way to keep your organisation and your network protected from these threats. Our products and services are just as capable of preventing threats using COVID-19 related themes as they are for other messages that trick users into clicking links and opening attachments. Consider taking the following actions to ensure you are taking advantage of our protection:

  • Run a Best Practice Assessment to identify where your configuration could be altered to improve your security posture.
  • Use PAN-DB URL Filtering to block the “Newly-Registered Domains” category, which contains domains registered in the last 32 days. While these may not all be malicious, blocking them could prevent your users from succumbing to scams.
