COVID-19 / Coronavirus phishing is on the uptick and will likely remain a primary theme/lure for many months to come. This blog post makes recommendations for COVID-19-specific phishing and for the other threats brought on by increased teleworking.
Has the Threat Changed? Kind of. There is a great sense of urgency surrounding COVID-19 / Coronavirus, and that urgency increases the likelihood that the average person falls victim to phishing. Attackers know this, so we expect, and are already observing, an increase in targeting that uses COVID-19 and Coronavirus themes/lures. Themes/lures built around telework will likely also increase in both usage and effectiveness against victims.
However, the techniques and tactics adversaries use in phishing attacks are largely the same.
In this blog post we will cover some aspects of phishing, what we expect to see regarding coronavirus, and how you can protect your organization against the threats.
Generally, there are three primary goals of phishing attacks.
Criminals take advantage of a sense of urgency to trick their victims into executing malware on their endpoints, sending money or supplies to fake charities, or revealing sensitive information (such as usernames and passwords). SOC Prime expects to observe an increase in COVID-19 / Coronavirus and related themes/lures such as:
For the average organization, ransomware is currently the largest threat. Ransomware delivered through phishing often takes advantage of documents / file types that contain code (script files, Office documents). Exploits are still a common threat, but they are expensive, more difficult to implement, and normally not necessary.
Not all is lost once an endpoint is compromised, because phishing as an attack does not sit in a silo. To reach their objective, criminals normally must escalate their privileges locally and then on the domain, and also move laterally to critical assets.
Typically, execution occurs almost instantly after “initial access”. Normally this involves direct process creation via powershell, cscript, wscript, mshta, rundll32, or other techniques. Sneakier techniques such as breaking the parent-child process chain (via PPID spoofing / COM) and process injection are also becoming more common.
Regardless, in a typical attack chain there is plenty to alert on.
Specifically, SOC Prime has identified the following techniques as being most common in recent phishing attacks.
At SOC Prime we are super fans of SIGMA. Our threat bounty developers, as well as the SOC Prime team, have released a lot of relevant content (much of it for free) that covers most of the ATT&CK Framework techniques. This content generally focuses on behaviors over TTPs, which means it works regardless of the phishing theme or lure. So, if you install this content, it will also be able to help you during the next crisis used in phishing lures.
For instance, the rule “VBA DLL Loaded via Microsoft Word” will detect instances of Office loading documents that contain macros, the most commonly abused file type for delivering phishing content.
We have tagged this content and more in the Threat Detection Marketplace (TDM) with “covid19_ttp”.
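As an added example (not from this post or SOC Prime's rule set), here is a small Python detector for the two behaviors discussed above: the Office-to-script-host process chain, and Office loading the VBA runtime, which is what a rule like the one named above keys on. The Sysmon field names (EventID 1 and 7, Image, ParentImage, ImageLoaded) and the VBE7.DLL file name are assumptions, and all sample events are constructed.

```python
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe"}
# Assumption: the VBA runtime arrives as VBE7.DLL when a macro document opens.
VBA_RUNTIME_DLLS = {"vbe7.dll"}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(event: dict) -> list:
    """Return the alert names one Sysmon-style event triggers."""
    alerts = []
    if event.get("EventID") == 1:  # process creation
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        # Direct Office -> script host chain. This check is blind to chains
        # broken by PPID spoofing, one reason to also alert on the image load.
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            alerts.append("office_spawns_script_host")
    elif event.get("EventID") == 7:  # image load
        proc = basename(event.get("Image", ""))
        loaded = basename(event.get("ImageLoaded", ""))
        # Office pulling in the VBA runtime: a macro is being enabled,
        # whatever the document's theme or lure.
        if proc in OFFICE_APPS and loaded in VBA_RUNTIME_DLLS:
            alerts.append("vba_runtime_loaded_by_office")
    return alerts

def scan(events: list) -> list:
    """Run detect() over an event stream; return (UtcTime, alert) pairs."""
    return [(e["UtcTime"], a) for e in events for a in detect(e)]

# Constructed sample telemetry, not real data.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "t1", "Image": WORD,
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"},
    {"EventID": 1, "UtcTime": "t2", "ParentImage": WORD, "Image": PS},
    {"EventID": 1, "UtcTime": "t3", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS},
    {"EventID": 1, "UtcTime": "t4", "ParentImage": WORD, "Image": r"C:\Windows\splwow64.exe"},
]

if __name__ == "__main__":
    for ts, alert in scan(SAMPLE_EVENTS):
        print(ts, alert)
```

The explorer.exe-spawned PowerShell and the Word-spawned print helper produce no alert, which is the behavior-over-lure point: only the suspicious parent-child pairing and the macro runtime load fire.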
This list is not comprehensive. However, these are some effective methods that will help protect your organization against most first-stage malware attacks. If you haven’t taken one of the steps below, you should identify its impact on your organization and then test and deploy the changes that are possible.