Executive Summary The COVID-19 pandemic is changing everyday life for workers across the globe. Cisco Talos continues to see attackers take advantage of the coronavirus situation to lure unsuspecting users into various pitfalls such as phishing, fraud, and disinformation campaigns. Talos has not yet observed any new techniques during this event. Rather, we have seen malicious actors shift the subject matter of their attacks to focus on COVID themes. We continue to monitor the situation and are sharing intel with the security community, customers, law enforcement, and governments.
Protecting your organization from threats that leverage COVID themes relies on the same strong security infrastructure foundation that your organization hopefully already has. However, security organizations must ensure existing protections and capabilities function in a newly remote environment, that users are aware of the threats and how to identify them and that organizations have implemented security best practices for remote work.
What is Talos doing about it? We have observed three broad categories of attacks leveraging COVID with known APT participation in each of these categories:
- Malware and phishing campaigns using COVID-themed lures
- Attacks against organizations that carry out research and work related to COVID
- Fraud and disinformation
Fraudulent website purporting to sell medical masks |
Talos continues to monitor attacks leveraging COVID themes. We are aggressively detecting and blocking malicious domains, spam and phishing attacks. Additionally, we're sharing information with customers and partners via our AEGIS program, intelligence partnership with law enforcement and government organizations, and the Cyber Threat Alliance (CTA). Customers with a Cisco Talos Incident Response (CTIR) retainer may also receive actionable threat intelligence as it relates to COVID-related information as we uncover it. For customers wanting a more direct engagement, the CTIR retainer can also be used for consultation directly with our intelligence analysts to address concerns about the pandemic-themed attacks as they apply to their environment. We also recommend that our customers review their IR plans and associated playbooks so they are prepared for worst-case scenarios before they happen, and to practice those plans and playbooks via tabletop exercises.
What should users do? Working from home presents its own, sometimes a new set of security concerns. Employees should continue to be wary of unsolicited emails they receive that contain attachments or embedded links relating to the pandemic. Talos has observed an overall decline in the volume of malicious email since the end of January, likely due to a combination of the Necurs botnet takedown, and Emotet's recent spam holiday. That being said, spam and phishing campaigns are significantly increasing their use of COVID themes. This activity is likely to continue until the news cycle changes.
The same precautions employees would otherwise normally take while in the office should be taken while working from home. Lock your screen while away from the device. Use only trusted and secure WiFi access points. Practice sensible data hygiene and keep corporate data on corporate-protected assets. Additionally, avoid using your corporate devices for personal usage.
What should businesses do? Businesses should prepare for the COVID pandemic by focusing on adapting to a new borderless environment. This includes improving IT, visibility, and response controls listed below. Organizations can leverage NIST SP 800-46, which provides a framework for enterprise teleworking and remote access. Additionally, companies should make sure employees are security-aware and can identify, avoid, and report suspected malicious activity associated with the pandemic. Targeted and mature security organizations should track relevant threat actors leveraging the COVID pandemic.
From an enterprise security perspective, Talos recommends the following key areas of enterprise security:
Remote access Do not expose Remote Desktop Protocol (RDP) to the internet. Use secure VPN connections with multi-factor authentication schemes, such as Cisco Duo. NAC solutions can also be leveraged to ensure that systems attempting to remotely connect to the corporate environment meet a minimum set of security standards such as anti-malware protection, patch levels, etc. prior to granting them access to corporate resources. Continually identify and remediate access policy violations.
Identity Management Protect critical and public-facing applications with multi-factor authentication and supporting corporate policies. Verify that remote account and access termination capabilities work as intended in a remote environment.
Endpoint Control Because many people may be working from home networks, endpoint visibility, protection, and mitigation using a solution like Cisco AMP for Endpoints, is now more important than ever. Consider whether remediation and reimaging capabilities will work as intended in a remote environment. Encrypt devices where possible, and add this check to your NAC solution as a gate for connectivity. Another simple method of protecting endpoints is via DNS, such as with Umbrella, by blocking the resolution of malicious domains before the host has a chance to make a connection.
Data Management Do you know where critical data lives, who has access to it, and how that data moves within (and now potentially without) your environment? Organizations must ensure their remote workforce is enabled to share data securely and within policy. Monitor critical data moving outside of policy requirements. Lastly, make sure that your backup strategy considers how to backup off-premise data.
Awareness training Educate users regarding spam, phishing, SMS fraud, social engineering, and internal security engagement processes. A comprehensive employee awareness program will help ensure that employees are informed with regards to the proper use of corporate resources, even when working from remote locations. Existing CTIR customers who need additional assistance can leverage their retainers for readiness assessments.
Processes Review response plans to identify any single-person points of failure and plan for what happens if that person is no longer available. Additionally, identify operational functions that currently require physical presence (forensics & data acquisition, endpoint re-imaging, etc.) and implement remote-capable workarounds.
Talos Resources Additional Talos Coronavirus-related content can be found here:
- Threat actors attempt to capitalize on coronavirus outbreak
- Beers with Talos Ep. #74 — Now that coronavirus made a global WFH policy…
- Talos Takes Ep. #7 — How attackers are capitalizing on coronavirus fears
- Talos Takes Ep. #11 — Avoiding fake news during the times of COVID-19