US-CERT Alert on Coronavirus/COVID-19 Scams

Description

Today, US-CERT issued an alert warning the public about various Coronavirus/COVID-19 related scams. The alert follows several weeks of high-profile global news coverage of the Coronavirus/COVID-19 health emergency.


What are the specifics of the alert?

Today's alert is broad in scope. It is an informational piece that emphasizes the importance of knowing how to identify such scams and of being hypervigilant when receiving such mailings.


Was there any malware or indicators of compromise shared in this alert by US-CERT?

No.


Have any malware campaigns leveraging the Coronavirus/COVID-19 issue been observed?

Yes. FortiGuard Labs has observed multiple families and campaigns over the past few weeks, such as Emotet, Trickbot, and Lokibot, as well as some attacks by nation states, to name a few. It is safe to surmise that all threat actors who use social engineering attacks in their arsenal will leverage the Coronavirus/COVID-19 scare in some form or another.


How serious of an advisory is this?

Medium. Threat actors are constantly identifying ways of infecting organizations and individuals. As the Coronavirus/COVID-19 issue continues to dominate the global news cycle, we can safely assume that bad actors will continue to leverage the fear and coverage surrounding it to lure and trick unsuspecting victims. This includes getting victims to open attachments that contain malware, and stealing any other personally identifiable information (PII) via phishing and spearphishing attacks.


Any suggested mitigations?

FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards within an environment.


In the meantime, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates, run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could help prevent initial access into the network.


For further information on several recent Coronavirus/COVID-19 campaigns discovered by FortiGuard Labs, please read our latest blog:

Attackers Taking Advantage of the Coronavirus/COVID-19 Media Frenzy


MITRE ATT&CK

Spearphishing Attachment

ID: T1193

Tactic: Initial Access

Platform: Windows, macOS, Linux