Excellium services newsletter : COVID-19 threats and recommendations

The COVID-19 pandemic is raging around the globe and, of course, attackers are not taking a break. On the contrary, they are seizing on the pandemic and trying to turn it to their own gain.

by Excellium SA

A growing number of scams exploiting COVID-19

According to a report published by Check Point Research, threat actors are exploiting the COVID-19 outbreak to spread infections of their own, including registering malicious coronavirus-themed domains and selling malware on the dark web.
These are just a few of the many COVID-19 related cyberattacks: attacks against hospitals, phishing campaigns that distribute malware such as AZORult, Emotet, NanoCore RAT and TrickBot via malicious links and attachments, and malware and ransomware attacks that aim to profit from the global health concern.

Scam example #1: Info-Stealing Coronavirus Threat Map

Researchers have found that cybercriminals are running a fake coronavirus threat map website to steal personal information. Victims who visit the page are shown a world map highlighting the countries to which the virus has spread, together with statistics on the number of deaths and infections recorded. To give the fake and malicious map extra authenticity, the criminals designed it to mimic the legitimate COVID-19 dashboard created by Johns Hopkins University, which shows the same kind of data.
Emails containing links to the fake map have been discovered. Victims who clicked the links unknowingly executed information-stealing malware. The malware can steal browsing history, cookies, saved usernames and passwords, cryptocurrency wallets, credit card details stored in the browser, and more. It can also download additional malicious software onto infected machines.

Scam example #2: Coronavirus Phishing Scams

In the past week, security researchers have discovered multiple email scams that prey on the fear, uncertainty and confusion surrounding COVID-19. With no vaccine yet available, and with much of the world under intense social distancing measures and near-total lockdown, threat actors are flooding inboxes with emailed promises of health tips, protective diets and, most dangerously, cures.
Attached to these emails are a variety of fraudulent e-books, information packs and “missed invoices” that carry keyloggers, ransomware and data stealers.
For example, security researchers reported a phishing campaign that impersonates the World Health Organization (WHO) and promises the latest on “corona-virus”. The incorrect hyphen in “corona-virus” in the subject line is an immediate giveaway. However, since the WHO is widely regarded as a trustworthy and authoritative source, many recipients will be tempted to open the email.
In this particular campaign, the threat actors use a fake e-book as a lure, claiming that the “My Health E-book” contains complete research on the global pandemic as well as guidance on how to protect children and businesses.
The criminals try to trick victims into opening the attachment, a zip file, by offering teaser content in the body of the email.
As soon as the victim opens the file inside the MyHealth-Ebook.zip archive, malware is downloaded onto the computer.

Scam example #3: Exploiting Zoom’s Success to Spread Malware

As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of the coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake “Zoom” domains and distributing malicious “Zoom” executables in an attempt to trick people into installing malware on their devices. According to a report published by Check Point, over 1,700 new “Zoom”-related domains have been registered since the onset of the pandemic, 25 percent of them in the past seven days alone.
The researchers have also detected malicious files with names such as “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” (where # represents a digit). Running these files ultimately leads to the installation of malicious software.
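As an added illustration (not part of the Check Point report or of this newsletter), the Python script below turns the two indicators above into detection logic and runs it over a few constructed web-proxy log lines. It flags host names that play on the “Zoom” brand without belonging to zoom.us or zoom.com (the allow-list, the two-label shortcut for the registrable domain and the 0-for-o homoglyph handling are this example’s assumptions), and file names matching the two installer patterns with # read as a digit.

```python
"""Added example (not from the Excellium newsletter): match web-proxy log
lines against the two indicators described above: look-alike "Zoom" domains
and installer names of the form zoom-us-zoom_##########.exe /
microsoft-teams_V#mu#D_##########.exe (# = a digit).

The log format and the sample lines are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Domains the genuine Zoom clients/web app are served from (assumption for
# the example; extend with your own allow-list).
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# The two file-name patterns from the Check Point report, written as regexes.
IOC_FILENAMES = [
    re.compile(r"^zoom-us-zoom_\d{10}\.exe$", re.I),
    re.compile(r"^microsoft-teams_V\dmu\dD_\d{10}\.exe$", re.I),
]

# A common look-alike trick (z00m) normalised away before looking for the brand.
HOMOGLYPHS = str.maketrans("0", "o")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification for the example: a real
    implementation should use the Public Suffix List (zoom.co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike_domain(host: str) -> bool:
    """True if the host name plays on the Zoom brand but is not Zoom's own."""
    if registrable_domain(host) in LEGIT_ZOOM_DOMAINS:
        return False
    return "zoom" in host.lower().translate(HOMOGLYPHS)


def is_ioc_filename(name: str) -> bool:
    return any(p.match(name) for p in IOC_FILENAMES)


def scan_proxy_log(lines):
    """Return one finding per suspicious request line, with the reasons."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # not a request line we understand
        ts, client, _method, url = fields[:4]
        parsed = urlparse(url)
        host = parsed.hostname or ""
        filename = parsed.path.rsplit("/", 1)[-1]
        reasons = []
        if is_lookalike_domain(host):
            reasons.append(f"look-alike domain {host}")
        if is_ioc_filename(filename):
            reasons.append(f"known malicious installer name {filename}")
        if reasons:
            findings.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return findings


# Constructed sample: <timestamp> <client ip> <method> <url>
SAMPLE_PROXY_LOG = """\
2020-04-01T10:12:03Z 10.0.0.5 GET https://zoom.us/j/123456789
2020-04-01T10:13:40Z 10.0.0.7 GET http://zoom-us-download.example/zoom-us-zoom_1234567890.exe
2020-04-01T10:15:02Z 10.0.0.9 GET https://us04web.zoom.us/client/latest/ZoomInstaller.exe
2020-04-01T10:16:11Z 10.0.0.5 GET https://teams.microsoft.com/downloads
2020-04-01T10:17:45Z 10.0.0.7 GET http://z00m-us.example/microsoft-teams_V1mu2D_9876543210.exe
""".splitlines()

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f["ts"], f["client"], f["url"], "->", "; ".join(f["reasons"]))
```

Run against the sample, only the two downloads from 10.0.0.7 are reported, each for both reasons; the genuine zoom.us and teams.microsoft.com requests pass. The registrable-domain shortcut is the weak spot: replace it with a Public Suffix List lookup before using this on real traffic.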

How to protect your organization?

Working from home is new to some organizations and perhaps overwhelming to some employees. Since the number of people working remotely has increased dramatically, it is vital to ensure an adequate level of cybersecurity when teleworking.

Recommendations for organizations:

o Do not expose unnecessary or insecure equipment, applications and services on the Internet (e.g. MS Exchange web interfaces, SMB file shares, RDP, ...). Pay particular attention to services that may have been exposed “in a rush” as an immediate reaction to the lockdown.
o Apply security fixes as soon as possible, especially on equipment, applications and services exposed on the Internet.
o Make regular backups of your critical systems, and keep at least one copy offline or otherwise out of reach of ransomware.
o Ensure that all corporate business applications are reachable only over encrypted channels, e.g. a corporate VPN solution.
o Enforce 2FA (two-factor authentication) or MFA (multi-factor authentication) on all equipment, applications and services exposed on the Internet (including VPN access), so that a stolen password alone is not enough to get in.
o Provide a secure audio/video conferencing service for corporate use.
o Provide staff with secured (anti-malware, disk encryption, ...) and up-to-date corporate computers/devices for teleworking.
o Forbid the use of BYOD (personal devices for work).
o Ensure proper information security awareness communication and training for your staff.
o Regularly review the security logs of the systems exposed on the Internet (VPN and RDP gateways, web mail, ...); detect and respond to any suspicious behaviour, such as bursts of failed logins.
o Ensure that IT resources are in place to support staff with technical issues while teleworking, and give staff the relevant information, e.g. contact points.
o Ensure that policies for responding to security incidents and personal data breaches are in place and that staff are appropriately informed of them.
o Ensure that any processing of staff data by the employer in the context of teleworking (e.g. time keeping) complies with the EU legal framework on data protection (GDPR).
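The log-review recommendation above is easier to act on with something concrete. The Python script below is an added example (not Excellium’s tooling): it reads authentication log lines from an Internet-exposed VPN or RDP gateway in a constructed, syslog-like format and flags the three things a reviewer looks for first: a burst of failed logins from one source address, failures spread across several accounts (password spraying), and a successful login that immediately follows such a run. The thresholds and the sample lines are assumptions made for the example.

```python
"""Added example (not from the Excellium newsletter): a minimal review of
authentication logs from an Internet-exposed service (VPN gateway, RDP
gateway, ...). It flags: many failed logins from one source in a short
window (brute force), failures spread over several accounts (password
spraying), and a success following a run of failures (a guess that worked).

Log format and sample lines are constructed for the example; adapt LINE_RE
to your gateway's real format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    result: str
    user: str
    src: str


def parse(line: str):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["result"], m["user"], m["src"])


def review_auth_log(lines, max_failures=5, window=timedelta(minutes=10),
                    spray_users=3, success_after=3):
    """Return one human-readable alert per (source, pattern) detected."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e.ts)
    recent = defaultdict(list)  # src -> failures still inside the sliding window
    raised = set()              # (src, kind) already reported, to avoid repeats
    alerts = []

    def alert(src, kind, text):
        if (src, kind) not in raised:
            raised.add((src, kind))
            alerts.append(f"{src}: {text}")

    for e in events:
        fails = recent[e.src]
        while fails and e.ts - fails[0].ts > window:
            fails.pop(0)  # expire failures older than the window
        if e.result == "FAIL":
            fails.append(e)
            if len(fails) >= max_failures:
                alert(e.src, "brute",
                      f"{len(fails)} failed logins within {window} (brute force?)")
            users = {f.user for f in fails}
            if len(users) >= spray_users:
                alert(e.src, "spray",
                      f"failures against {len(users)} distinct users (password spraying?)")
        else:
            if len(fails) >= success_after:
                alert(e.src, "success",
                      f"successful login for {e.user} after {len(fails)} recent failures")
            fails.clear()
    return alerts


# Constructed sample: one normal user, one typo-then-success, one attacker.
SAMPLE_AUTH_LOG = """\
2020-03-30T08:00:01Z auth OK user=alice src=10.0.0.3
2020-03-30T08:00:05Z auth FAIL user=bob src=198.51.100.7
2020-03-30T08:00:20Z auth OK user=bob src=198.51.100.7
2020-03-30T08:01:00Z auth FAIL user=admin src=203.0.113.10
2020-03-30T08:01:02Z auth FAIL user=administrator src=203.0.113.10
2020-03-30T08:01:04Z auth FAIL user=alice src=203.0.113.10
2020-03-30T08:01:06Z auth FAIL user=bob src=203.0.113.10
2020-03-30T08:01:08Z auth FAIL user=carol src=203.0.113.10
2020-03-30T08:01:10Z auth FAIL user=dave src=203.0.113.10
2020-03-30T08:01:30Z auth OK user=dave src=203.0.113.10
""".splitlines()

if __name__ == "__main__":
    for a in review_auth_log(SAMPLE_AUTH_LOG):
        print(a)
```

On the sample, bob’s single typo from 198.51.100.7 is not reported, while 203.0.113.10 triggers all three alerts; the last one, a successful login for dave after six failures, is the one that warrants an immediate password reset and session termination, not just a block of the source address.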

Recommendations for employees:

o Only use corporate laptops/phones/... Do not mix personal and professional activities on the same device.
o Connect to the Internet via trusted networks such as your home Wi-Fi (protected with WPA2 and a strong passphrase). Avoid open/free networks (airports, hotels, public places, ...).
o Keep your VPN enabled at all times.
o Apply updates (operating system, applications and anti-virus) immediately.
o Do not leave your laptop unattended unless you have locked your screen.
o Do not share virtual meeting URLs on social media or other public channels.
o On the use of email:

  • Be particularly careful with any email referencing the coronavirus, as these may be phishing attempts or scams.
  • Be very suspicious of mails from people you do not know, especially if they ask you to follow links or open files.
  • Mails that create a sense of urgency or threaten severe consequences are prime candidates for phishing; in these cases always verify via an independent channel before complying.
  • Mails from people you know but asking for unusual things are also suspect; verify by phone if possible.
  • If in doubt, call your designated security contact.
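To make the email advice above, and the WHO “My Health E-book” lure from Scam example #2, concrete, here is an added Python example (not from this newsletter) that parses a raw email and lists its suspicious traits: a coronavirus subject, the odd “corona-virus” spelling, a trusted brand in the display name paired with an unrelated sender domain, a Reply-To pointing somewhere else, urgency wording, and a ZIP or executable attachment. The brand list, the Reply-To check and the sample message are constructed for the example; the output is a triage aid for “when in doubt, verify”, not a verdict.

```python
"""Added example (not from the Excellium newsletter): score a raw e-mail
against the lure traits called out on this page. Heuristics only: a list of
findings means "verify out-of-band", not "malicious".

The brand-to-domain table, the Reply-To check and the sample message are
this example's own constructions (who.int is WHO's genuine domain).
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Brand text seen in display names -> the domain it legitimately mails from.
IMPERSONATED_BRANDS = {"world health organization": "who.int", "who": "who.int"}
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".vbs", ".iso", ".scr")
TOPIC_RE = re.compile(r"corona[\s-]*virus|covid[\s-]*19", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent(ly)?|immediately|within 24 hours|suspended|final notice)\b", re.I)


def _domain(address: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def phishing_indicators(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(str(msg.get("From", "")))
    from_domain = sender.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = subject + "\n" + body
    findings = []

    if TOPIC_RE.search(text):
        findings.append("references the coronavirus (treat with extra care)")
    if re.search(r"corona-virus", subject, re.I):
        findings.append("unusual spelling 'corona-virus' in the subject")
    for brand, legit in IMPERSONATED_BRANDS.items():
        claims_brand = re.search(rf"\b{re.escape(brand)}\b", display, re.I)
        legit_sender = from_domain == legit or from_domain.endswith("." + legit)
        if claims_brand and not legit_sender:
            findings.append(
                f"display name claims '{brand}' but sender domain is {from_domain}")
            break
    reply_domain = _domain(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    if URGENCY_RE.search(text):
        findings.append("urgency language (verify through another channel)")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings


# Constructed sample modelled on the WHO "My Health E-book" lure.
SAMPLE_EMAIL = """\
From: World Health Organization <noreply@who-int-alerts.example>
Reply-To: support@mail-updates.example
To: staff@corp.example
Subject: Latest on corona-virus: My Health E-book
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the attached My Health E-book for complete research on the pandemic.
Act immediately to protect your children and your business.

--b1
Content-Type: application/zip; name="MyHealth-Ebook.zip"
Content-Disposition: attachment; filename="MyHealth-Ebook.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

The sample message trips all six checks; a plain internal note from a colleague produces none. The brand check is deliberately narrow (exact domain or a subdomain of it), because display names are free text and are exactly what the WHO impersonation relies on.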

A word on Zoom and other audio/video conferencing platforms

Over the past few weeks, in a COVID-19 world, audio/video conferencing platforms have become enormously popular. Among them is the well-known Zoom service, which has now become infamous for its security and privacy shortcomings.

1. The Zoom controversy
Regarding privacy, even though the company says it is working on “fixing privacy issues”, it was, and still is, collecting a long list of data about its users (for its own profit), including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specifications, IP address, and any other information users create or upload. On top of that, Zoom uses third-party trackers and surveillance-based advertising.
Regarding security, several issues have been raised, for example:

  • In 2019, a researcher discovered that a vulnerability in the Zoom client for Mac allowed any malicious website to bypass browser security settings and remotely enable a user’s webcam without the user’s knowledge or consent. Zoom patched this vulnerability the same year.
  • On April 1st, it was disclosed that the Zoom client for Windows could be abused to steal users’ Windows credentials: UNC paths posted in the meeting chat were turned into clickable links, and clicking one made Windows send the user’s NTLM credential hash to the attacker’s server.
  • On April 2nd, we learned that Zoom had quietly displayed data from people’s LinkedIn profiles, which allowed some meeting participants to snoop on each other. Zoom has since fixed this.

At this stage, it is highly probable that more security design shortcomings and software vulnerabilities will surface. To make things worse, Zoom’s encryption is certainly not state of the art.

Zoom has a lot of configuration options, and you certainly do not want to stick with the defaults. Otherwise you may run into “Zoombombing”: because meeting IDs (9 to 11 digits) are too short to prevent someone from simply trying them at random, some people look for open Zoom meetings, join them and disrupt them somehow, e.g. by sharing offensive content to everyone’s screen.

2. Zoom: best practices

The absolute best practice is NOT to use Zoom at all. But if for some reason you are still going to, apply the following:

  • do not share meeting IDs more than you have to (and do not use your Personal Meeting ID for public meetings)
  • require a meeting password in addition to the meeting ID
  • use the waiting room, so that the host admits each participant
  • pay attention to who has which permissions (e.g. restrict screen sharing to the host)
  • user awareness: download Zoom clients only from legitimate sources (the Microsoft Store or the vendor’s web site), keep them up to date, and check that URLs use the genuine zoom.us domain name.

3. Alternatives to Zoom

  1. Cisco Webex: Webex is a video conferencing app that was created in the ’90s and acquired by Cisco in 2007. It is commonly used as a business application and continues to focus on serving companies. A free version exists, with extended features for the current emergency: up to 100 participants, no time limit per meeting and dial-in audio.
  2. Microsoft Teams: Microsoft Teams is the video meeting choice for businesses using Office 365. It “enforces team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest,” according to Microsoft.
  3. Skype: Skype is nearly as functional as Zoom. It is stable, supports large group chats, does not require an account, and makes it easy to create your own meeting and control who is allowed in. One important caveat: Skype is not end-to-end encrypted.
  4. Jitsi: Jitsi is an open-source app that offers multiple video chat features, and people joining your chat do not have to create an account. All traffic leaving your device is encrypted in transit but, again, not end-to-end. Since it is open source, however, you can host your own server and keep the meeting traffic on infrastructure you control. Jitsi is still relatively new on the market and can be a little jittery when many people join the chat.