In recent weeks, our cyber experts have been collecting intelligence from a variety of sources, including government agencies worldwide, on how cyber criminals and nation-state actors are taking advantage of the confusion and problems relating to the novel coronavirus (COVID-19). The following notes are provided as general guidance to bolster awareness and help avoid social engineering attacks.
Phishing Attacks Leveraging the WHO, CDC and Other Government Agencies
Cyber-criminals recognize that corporations and public-sector institutions are anxious to learn the latest authoritative information concerning COVID-19. They take advantage of this to create opportunities to induce employees to open emails and click on links. They may do this by crafting compelling subject lines (such as COVID-19: Latest Updates from the Centers for Disease Control) and using URLs highly similar to the official addresses—perhaps with the addition of a dash or a change from “.com” to another top-level domain.
Their objective is to compel the email recipient to take an action, such as clicking on a link, that results in the download of malware ranging from ransomware to remote access trojans that give the criminals ongoing access to your network. While our usual advice is “trust but verify,” the reality here is that you must be very careful about what you trust at all. Make note:
Be careful about any links included in emails that claim to come from official agencies. Before you accept information, be sure it is coming from a known, official and accurate source.
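A mail-filtering check for the two lookalike tricks described above (an added dash, or a change of top-level domain), as an added example that is not part of the original advisory. The allow-list, the function names and the `.example` sample hosts are constructed for illustration, and the check assumes the official domains are two-label names.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains your organization trusts for COVID-19 information.
OFFICIAL = {"who.int", "cdc.gov"}
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

def registrable(host):
    """Last two labels of a host name (enough for two-label official domains)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(url):
    """Return (verdict, official domain being imitated or None)."""
    if "//" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less links
    # .hostname drops any "user@" prefix, so "cdc.gov@other.example" is judged
    # by its real host rather than by the decoy in front of the "@".
    domain = registrable(urlsplit(url).hostname or "")
    if domain in OFFICIAL:
        return ("official", domain)
    name, _, tld = domain.partition(".")
    for official in sorted(OFFICIAL):
        o_name, _, o_tld = official.partition(".")
        if name == o_name:
            return ("lookalike:tld-change", official)  # cdc.gov -> cdc.<other>
        if "-" in name and name.replace("-", "") in (o_name, o_name + o_tld):
            return ("lookalike:dash", official)        # cdc.gov -> cdc-gov.<tld>
    return ("unrelated", None)

def flag_links(body):
    """List (url, verdict, imitated) for every lookalike link in a message body."""
    hits = []
    for url in URL_RE.findall(body):
        verdict, imitated = classify(url)
        if verdict.startswith("lookalike"):
            hits.append((url, verdict, imitated))
    return hits

# Constructed sample message; the .example hosts are reserved, not real senders.
SAMPLE = (
    "Subject: COVID-19: Latest Updates from the Centers for Disease Control\n"
    "Official page: https://www.cdc.gov/coronavirus/\n"
    "New guidance: http://cdc-gov.example/latest\n"
    "WHO bulletin: http://who.example/bulletin\n"
)

if __name__ == "__main__":
    for hit in flag_links(SAMPLE):
        print(hit)
```

Links classified as "unrelated" are not thereby safe; the check only surfaces names built to resemble an agency you trust.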
Protect and Test Your Offline Backups
Ransomware may only be the tip of the iceberg. We are seeing increasing reports of ransomware being deployed only after criminals carefully examine the network, often looking to identify backup files (even if they are in a remote “cloud-based” system) so that they can have the ransomware encrypt not only your primary files, but your backup as well. If they succeed, the victim will be more likely to feel that they must pay the ransom to restore their operations.
Particularly troubling is the growing trend of ransomware attackers stealing sensitive employee or customer data or intellectual property such as business plans, financials or trade secrets, and using the ransomware to cover their tracks. Even if you pay the ransom and regain control of your files, the criminals may have a copy that they can sell on the dark web.
Carefully Inspect Before Engaging Charitable Organizations
We have seen the rapid rise of sites seeking contributions ostensibly to assist those affected by COVID-19. Unfortunately, while there are many valid sites, criminals seek to exploit the charitable nature of individuals and corporations and get them to send funds to fake donation sites. Certainly, we encourage individual and corporate charitable donations to assist those in need of help in a crisis, but we strongly recommend that contributions be made through known and thoroughly vetted charitable organizations.
Examine and Strengthen Remote Work Capabilities and Security
Many organizations are facing the need to have employees work at home rather than in their regular work locations. While some organizations have planned for this eventuality and have engineered their networks to provide appropriate security and privacy controls, others have not done so, and are being forced to make rapid changes to accommodate displaced workers. Rapid changes may not have permitted the time to put adequate controls and security measures in place. Here are a few areas to focus on:
- Employees working from home may need to print out non-public or sensitive material, and they will need a way to safeguard that material. Providing them with a cross-cut shredder or a box to store the material until they can bring it to the office for proper disposal is vital. If employees are going to need special forms or other materials, make sure these are provided to them.
- Connecting to the company network through a virtual private network (VPN) connection should be a requirement. Be sure your technology team has ensured a sufficient number of simultaneous VPN connections for a worst-case remote work scenario.
- Remember that travel limitations may require your technology team to work remotely. Can they carry out their functions if they are remote? Can they be reached through your phone system if your help desk must be operated remotely? We proposed a few key questions related to the sustainability of IT in a crisis in a previous article—now is the time to ask the right questions and demand answers.
The one thing that is certain is that cyber criminals are hard at work looking for ways to take advantage of work disruptions associated with COVID-19 and governments’ orders designed to reduce the spread of the disease. Don’t let your company’s technology be an avoidable victim.
Kroll continues to monitor developments relating to crisis response, cyber threats, valuations and financial stress caused by the COVID-19 pandemic. We will continue to provide guidance as we gather and analyze information from our client work and our analysts’ evaluation of information available to us through official and other sources. If our experts can help you assess and manage the risks to your business, contact us as soon as possible. Additional guidance is available in our Coronavirus Resource Center.