Deception / 03.28.2020

Security teams must prepare their organizations for attackers taking advantage of the coronavirus

The new coronavirus strain (COVID-19) that emerged in China is a business disruption and means turmoil for employees and their work. Like any significant change or disruption to an organization's operations, it also gives malicious cyber-actors an opportunity to target organizations in new and innovative ways. Security teams must prepare for the threats that will arise from it, in addition to planning for staff shortages as the virus spreads at an alarming rate world-wide; the World Health Organization (WHO) has now officially declared COVID-19 a pandemic. The cyber threat is very real: the WHO recently published a statement on its website titled "Beware of criminals pretending to be WHO", and the UN published a similar advisory on 29 February, urging the public to be vigilant about such phishing attempts.

Phishing attempts that exploit the coronavirus scare

Spear-phishing is a well-known technique for tricking a user into visiting a malicious website, which typically tries to exploit popular software (browsers, extensions, plugins, etc.) and execute a payload on the victim's system. Such payloads, commonly called 'drive-by downloads', are an early-stage foothold that an attacker uses to create a much larger problem for the organization. Many assume that phishing only arrives through email campaigns such as those distributing EMOTET, but that is not always the case. In the case of the coronavirus outbreak, users can also be infected by malware served from fake news websites that use black-hat SEO to lure visitors; some of these sites pose as "live trackers" of the virus' spread. Once the malware is downloaded and executed, it usually runs unnoticed by the user for an extended period. The risk to your organization is greater still when those users are remote workers, because perimeter firewalls and network gateways are not positioned to see lateral movement once the compromised system connects to the corporate network.

The security researcher RedDrip7 has identified an on-going campaign that appears to originate from the Center for Public Health in Ukraine (while also abusing the WHO logo as a decoy) and lures unsuspecting users into opening a malicious Word .doc file carrying an embedded macro and a C# payload.

In particular, there is a rising number of spear-phishing attempts aimed at Italian users and organizations. Security teams world-wide have picked up various malware samples, which are currently being spread over email:

Name: f21678535239.doc
Size: 544266 bytes (531 KiB)
SHA256: 8EB57A3B520881B1F3FD0073491DA6C50B7284DD8E66099C172D80BA33A5032

Name: f21678535350.doc
Size: 544266 bytes (531 KiB)
SHA256: 3461B78384C000E3396589280A34D871C1DE3AE266334412202D4A6A85D02439

“Dear Lord/Lady,

Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!


Dr. Penelope Marchetti (World Health Organization – Italy)”

The malicious sample above follows the standard drive-by download/macro pattern: the macro drops and runs a payload, and after unpacking that payload more than 9,000 lines of JavaScript code are executed on the victim's machine.
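The two controls a mail gateway or triage analyst would apply to attachments like the ones above are a hash match against the published IOCs and a check for an embedded VBA project. The script below is an added example written for this post (it is not code from the original article or from TrapX): it hashes an attachment against the two SHA-256 values listed above, validates that each IOC is a well-formed digest, and searches an OLE2 (.doc) container for the UTF-16LE directory names that a VBA project leaves behind. The sample byte strings are constructed for the demo and are not real malware; the verdict labels and the marker list are assumptions, and the marker search is a heuristic rather than a full OLE parser.

```python
"""Triage an inbound mail attachment: hash it against the SHA-256 IOCs listed
above and look for VBA macro indicators inside an OLE2 (.doc) container.

Added example; not code from the original post or from TrapX. The IOC hashes
are the two printed in the post; the sample byte strings are constructed for
the demo and are not real malware."""
import hashlib
import re

# SHA-256 IOCs as printed in the post, lower-cased. The first one is only 63 hex
# characters long in the source, so it can never match a real digest;
# validate_iocs() reports it as malformed rather than silently ignoring it.
KNOWN_BAD_SHA256 = {
    "8eb57a3b520881b1f3fd0073491da6c50b7284dd8e66099c172d80ba33a5032",
    "3461b78384c000e3396589280a34d871c1de3ae266334412202d4a6a85d02439",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature

# Storage/stream names that appear in the OLE directory when a Word document
# carries a VBA project. Directory entry names are stored as UTF-16LE, so the
# markers are encoded the same way before searching the raw bytes. This is a
# heuristic, not a parser: it will miss macros hidden in other containers.
MACRO_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros", "VBA")]


def validate_iocs(iocs):
    """Split IOCs into well-formed 64-hex-char digests and malformed ones."""
    good, bad = set(), set()
    for h in iocs:
        (good if re.fullmatch(r"[0-9a-f]{64}", h) else bad).add(h)
    return good, bad


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_macro_markers(data: bytes):
    """Return the VBA-related OLE names found in the raw bytes."""
    return [m.decode("utf-16-le") for m in MACRO_MARKERS if m in data]


def triage_attachment(name: str, data: bytes, iocs=KNOWN_BAD_SHA256) -> dict:
    """Return a verdict ('block', 'quarantine' or 'allow') with the reasons."""
    valid_iocs, _ = validate_iocs(iocs)
    digest = sha256_hex(data)
    is_ole = data.startswith(OLE_MAGIC)
    markers = find_macro_markers(data) if is_ole else []
    reasons = []
    if digest in valid_iocs:
        reasons.append("sha256 matches known-bad IOC")
    if markers:
        reasons.append("OLE container carries VBA project markers: " + ", ".join(markers))
    if name.lower().endswith(".doc") and not is_ole:
        # A genuine RTF renamed to .doc also trips this; treat it as a signal, not proof.
        reasons.append(".doc extension but not an OLE2 file")
    if digest in valid_iocs:
        verdict = "block"
    elif reasons:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"name": name, "sha256": digest, "ole": is_ole,
            "macro_markers": markers, "verdict": verdict, "reasons": reasons}


# Constructed samples: an OLE header, padding, then one directory-entry name.
CLEAN_DOC = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le") + b"\x00" * 64
MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64

if __name__ == "__main__":
    for fname, blob in (("f21678535239.doc", MACRO_DOC), ("minutes.doc", CLEAN_DOC)):
        print(triage_attachment(fname, blob))
```

Hash matching only catches the exact samples already seen, and a campaign that rebuilds its documents per recipient defeats it; the macro-marker check is what catches the next variant of the same lure, at the cost of also flagging legitimate macro-enabled documents, which is why it quarantines rather than blocks.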

Dealing with increased activity from remote employees

Building on what we noted above, remote employees create greater risk for organizations. Their machines are a conduit to corporate assets. In particular, for users connected over VPN, a compromised machine that joins the corporate domain exposes you to lateral movement: Remote File Copy, SSH access to servers, RDP access to Domain Controllers, Exchange servers, ERP, QMS, HR and other core systems, all of which are covered by the MITRE ATT&CK and Kill Chain frameworks. Deploying a deception solution inside your network perimeter notifies you as soon as an intruder touches a decoy, with a very low false-positive rate because legitimate users have no reason to interact with one, while also providing the telemetry needed to establish the severity of the breach and its audit trail.
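The deception idea in miniature, as an added example written for this post rather than taken from TrapX's product: a decoy listener on a port that no legitimate workflow should ever touch, so that any connection to it is an alert carrying the source, the port, the first bytes sent and a timestamp. The decoy label, the alert fields and the probe() helper that plays the scanning attacker are assumptions made for the demo.

```python
"""Toy decoy listener: any TCP connection to a port that nothing legitimate
uses is treated as a high-severity alert, with enough context (source, port,
first bytes, time) to start an investigation.

Added example; not TrapX's product code. Decoy labels, alert fields and the
probe() helper that plays the attacker are assumptions made for the demo."""
import socket
import threading
import time
from datetime import datetime, timezone


def build_alert(label, dst_port, src_ip, src_port, first_bytes):
    """Alert record for one touch of a decoy (field names are assumed for the demo)."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "severity": "high",          # nothing legitimate should ever connect here
        "decoy": label,
        "dst_port": dst_port,
        "src": f"{src_ip}:{src_port}",
        "first_bytes": first_bytes[:16].hex(),
    }


class DecoyListener:
    """Binds one TCP port and records every accepted connection as an alert."""

    def __init__(self, host="127.0.0.1", port=0, label="decoy", peek_bytes=64):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port=0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.label = label
        self.peek_bytes = peek_bytes
        self.alerts = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    banner = conn.recv(self.peek_bytes)   # grab what the caller sends first
                except OSError:
                    banner = b""
            alert = build_alert(self.label, self.port, src_ip, src_port, banner)
            with self._lock:
                self.alerts.append(alert)

    def wait_for_alerts(self, count, timeout=2.0):
        """Block until at least `count` alerts exist or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= count:
                    return list(self.alerts)
            time.sleep(0.05)
        with self._lock:
            return list(self.alerts)


def probe(port, payload=b"", host="127.0.0.1"):
    """Simulated scanner/attacker touching the decoy (constructed for the demo)."""
    with socket.create_connection((host, port), timeout=2) as s:
        if payload:
            s.sendall(payload)


if __name__ == "__main__":
    decoy = DecoyListener(label="rdp-decoy").start()
    try:
        probe(decoy.port, b"\x03\x00\x00\x13")   # TPKT header an RDP client sends first
        for alert in decoy.wait_for_alerts(1):
            print(alert)
    finally:
        decoy.stop()
```

In a real deployment the decoy would sit on a routable address inside the VPN segment, listen on the real service ports (3389, 22, 445) and forward alerts to the SIEM; the point is that the signal is binary, since no business process ever talks to a decoy, so an alert from it is worth paging on.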

We identified the following major risks of working remotely during this period:

  • Use of insecure systems: Employees who do not normally work remotely and are not issued company-owned and maintained laptops are at exceptional risk of using their own (un-patched) home computers and potentially insecure personal email accounts to keep doing their jobs. Even if the company has a VPN infrastructure for remote work, it might not sustain the increased traffic load, forcing employees into insecure "work-arounds" to meet their deadlines, such as working on sensitive documents with unapproved software, which can give attackers access not only to internal corporate infrastructure but also to sensitive information.
  • Isolation: If employees receive a suspicious email or see a suspicious social media post while working remotely, they are less likely to tell a colleague or the IT department; the communication and physical barrier becomes apparent. In an office it is easy to turn to a co-worker and ask for an opinion, but unless all staff are well trained and vigilant, such spontaneous checks are much less likely when working remotely.
  • Reduced efficiency and effectiveness: Unless a company has robust, tried-and-tested business continuity plans, a sudden switch to remote operation will inevitably reduce its effectiveness and efficiency. Many daily functions that are usually handled in person now require IM, email or phone calls, and the complexities of working from home (kids, pets and other domestic responsibilities) will almost certainly leave employees far more distracted. This applies not only to client-facing staff but also to security teams, who may be unable to reach their monitoring and incident response systems without opening holes in the perimeter firewalls.

The best way to mitigate these risks when working remotely is to practice extensively ahead of time. If a business has not rehearsed remote operation, there are still several things that can be done to minimize its risks. Even if these processes are not yet in place and are being established for the first time, they will still make a big difference and will prepare your team for continuity of operations and remote work in the future.

For Remote Meetings

  • Identify meeting controllers and let them control the meeting.
  • Take roll as people sign on. Expect the same level of attendance and timeliness that you would in a physical meeting. In general, don't restart the meeting and recap everything that has been said when a participant joins late.
  • Establish an agenda and stick to it.
  • Share information up and down the participant list.
  • Use chat windows to record key items and share ideas and questions without interrupting. Periodically review the chat to see whether anything needs to be addressed.
  • Establish mechanisms for reporting mission-critical work that employees feel has to be done, so that a secure solution can be found rather than leaving employees to invent their own workarounds.
  • Establish a reporting system and delegate responsibilities so that any suspected security breaches or penetration attempts that employees discover while working remotely can be dealt with immediately.

For Remote Work

  • As rapidly as possible, establish processes so that people with insecure systems can submit work developed "outside of the firewall." It may be as crude as scanning documents with an OCR program, but it prevents the additional risk of intrusions originating from outdated personal machines.
  • Enforce security policies and role-based access control across the corporate domain.
  • Ensure comprehensive logging and monitoring solutions are in place.
  • Make sure that endpoint protection and MDM are deployed across the organization and that non-compliant devices are not permitted inside the perimeter.
  • Consider enforcing two-factor authentication for remote access and privileged accounts.
  • Use this opportunity to educate staff about cybersecurity and working securely from home, and to review business continuity and disaster recovery plans.

Dealing with services and actions that previously required physical access now becoming remote

Stack consolidation is a theme spanning multiple verticals and industries. We see prospects and customers wanting to reduce their security footprint while getting more value from what they already own. Consolidation is a priority because of the effort required to install, maintain and use many disparate products, which are often unable to share telemetry. As a result, SOC teams are understaffed, overwhelmed and inundated by too many alerts, false positives and tool fatigue. Combine these factors with the constant flood of news about the virus spreading and the rising number of deaths, and the emotional toll greatly reduces analysts' ability to stay focused on protecting your assets. Organizations should actively consider solutions that integrate across their security product stack, allowing them to automate and mitigate threats effectively during normal business operations as well as during a health crisis.


Discover why more than 300 global customers call TrapX "simple, powerful, and affordable."