FBI Details COVID-19 Phishing Attacks on Healthcare Industry
The FBI, which has been urging vigilance around COVID-19 themed phishing attacks, this week gave indicators of compromise and hashes to aid admins in the fight.
We've been hearing for weeks that employees across multiple sectors have seen an uptick in COVID-19 themed phishing. That is unsurprising: attackers routinely track the news cycle and build lures around whatever people are anxious about.
It wasn't until this week, however, that the Federal Bureau of Investigation (FBI) gave administrators a concrete picture of what to look for. On Tuesday, the FBI issued a Flash Alert outlining technical details of the phishing attacks the agency has observed so far, together with indicators of compromise (IOCs) and file hashes from current campaigns to assist network defenders.
This week's Flash Alert highlights phishing attacks on the healthcare industry, U.S.-based medical providers in particular, that used Microsoft Word document files, 7-zip compressed files, Microsoft Visual Basic Script, Java, and Microsoft executables as attachments. The FBI says it is not certain of the capabilities of the malicious attachments, but, as with most malicious attachments, it assesses they would serve as an intrusion vector, something that could lead to system exploitation, persistence, and data exfiltration.
As is to be expected, a number of the phishing campaigns feature subject lines that are designed to pique a user's attention, like "Information about COVID-19 in the United States," "Business contingency alert - COVID-19" and "World Health Organization/Let's fight Corona Virus together."
The FBI's techniques to mitigate these attacks are more or less in line with commonly accepted recommendations to prevent phishing attacks.
The FBI is encouraging employees, if they are not doing so already, to follow these mitigations:
- Be wary of unsolicited attachments, even from people you know. Cyber actors can “spoof” the return address, making it look like the message came from a trusted associate.
- Keep software up to date. Install software patches so that attackers can’t take advantage of known problems or vulnerabilities.
- If an email or email attachment seems suspicious, don’t open it, even if your antivirus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the antivirus software might not have the signature.
- Save and scan any attachments before opening them.
- Turn off the option to automatically download attachments. To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and disable it.
- Consider creating separate accounts on your computer. Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges. Some viruses need “administrator” privileges to infect a computer.
- Apply additional security practices. You may be able to filter certain types of attachments through your email software or a firewall.
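The last two points, filtering attachment types and checking attachments before they are opened, are straightforward to automate at a mail gateway. The script below is an added example, not code from the FBI alert or from the article: it parses a raw RFC 822 message, flags the attachment types named in the alert, and matches each attachment's SHA-256 against an IOC list. The message and the IOC hashes are constructed for the example (the hash is computed from sample bytes embedded in the script), and the file-extension mapping is an assumption about how each listed attachment type typically appears on the wire.

```python
"""Added example: flag risky attachment types and match attachment hashes
against an IOC list. The message, the extension map and the IOC hashes are
constructed for illustration; they are not the FBI's indicators."""
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# Attachment types named in the FBI Flash Alert. The extensions are an
# assumption about how each type usually shows up in a mailbox.
RISKY_EXTENSIONS = {
    ".doc": "Microsoft Word document",
    ".docm": "Microsoft Word document (macro-enabled)",
    ".7z": "7-zip archive",
    ".vbs": "Visual Basic Script",
    ".jar": "Java archive",
    ".exe": "Microsoft executable",
}

# Constructed sample payload; its SHA-256 stands in for a real IOC hash.
SAMPLE_MALICIOUS_VBS = b'CreateObject("WScript.Shell").Run "calc.exe"\r\n'
IOC_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_VBS).hexdigest()}


def build_sample_message() -> bytes:
    """Construct a phishing-style message with two attachments (sample data)."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.invalid"
    msg["To"] = "staff@hospital.example"
    # Subject line taken from the lures the alert describes.
    msg["Subject"] = "Information about COVID-19 in the United States"
    msg.set_content("Please review the attached guidance.")
    msg.add_attachment(SAMPLE_MALICIOUS_VBS, maintype="application",
                       subtype="octet-stream", filename="COVID-19_guidance.vbs")
    msg.add_attachment("Routine newsletter text", filename="newsletter.txt")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment: filename, sha256, risky type, IOC hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # decoded bytes, not base64
        digest = hashlib.sha256(payload).hexdigest()
        ext = os.path.splitext(name.lower())[1]
        findings.append({
            "filename": name,
            "sha256": digest,
            "risky_type": RISKY_EXTENSIONS.get(ext),
            "ioc_match": digest in IOC_SHA256,
        })
    return findings


def verdict(findings: list) -> str:
    """Known-bad hash beats everything; a risky type alone is quarantined."""
    if any(f["ioc_match"] for f in findings):
        return "block"
    if any(f["risky_type"] for f in findings):
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for finding in results:
        print(finding)
    print("verdict:", verdict(results))
```

Hash matching only catches the exact samples in the IOC list, so the extension check is what does the work against a recompiled or repacked payload; in a real deployment the IOC set would be loaded from the alert's published hashes rather than embedded in the script.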
Threat actors retooling their lures around a crisis is nothing new, but a global pandemic that is on practically everyone's mind has pushed these campaigns into full gear.
Google said recently that its systems were detecting 18 million COVID-19 themed malware and phishing messages a day, on top of more than 240 million COVID-themed spam messages a day.
The company confirmed Wednesday that while many campaigns are impersonating health organizations, as the FBI warned, many international and national health organizations themselves have become targets.
One campaign, as previously reported by Reuters, uses a domain that spoofs the World Health Organization's login page. The shift reflects a change in tactics rather than an escalation in the overall number of attacks, Shane Huntley of Google's Threat Analysis Group said Wednesday.
These phishing attacks have been attributed to hackers linked to Iran, in particular the group known as Charming Kitten, and to a South American threat actor documented in a 2015 Citizen Lab report as Packrat.