This is the mobile-friendly web version of the original article.

04 May 2020

Alert Number

MI-000124-MW

1. COVID-19 Phishing Email Indicators
   1. Summary
   2. Technical Details
   3. Indicators
   4. Information Requested
   5. Recommended Mitigations
   6. Reporting Notice
   7. Administrative Note

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors. This FLASH was coordinated with DHS CISA.

This FLASH has been released TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

COVID-19 Phishing Email Indicators

Summary

The FBI uncovered targeted email phishing attempts to harvest user credentials and compromise targets’ computer systems by exploiting fear derived from the COVID-19 pandemic. Through investigations, the FBI continues to identify multiple COVID-19 email phishing campaigns with malicious file attachments and URLs. The following associated indicators of compromise (IOCs) are being provided to assist in network defense.

Technical Details

Cybercriminal and advanced persistent threat (APT) groups are leveraging COVID-19 themed health, informational, and warning notice emails in an attempt to obtain online service credentials, e.g., Microsoft O365 accounts. These emails direct targets to click links by purporting to be online services requiring authentication. Malicious actors use these links to capture victim credentials and then redirect victims to the World Health Organization’s (WHO) Coronavirus notice. Additionally, cybercriminals and APT groups have attached archive files that contain malicious portable executables (PE) or JAVA.jar files to their phishing emails, outlined in the table below.

Indicators

Information Requested

If you or your company are targeted by a phishing campaign, please provide the FBI with a copy of the email with the full email header and a copy of any attachments. Please do not open the attachment if you or your organization does not have the capability to examine the attachment in a controlled and safe manner. Additionally, if you or your company is a victim of a cyber intrusion related to email phishing, please retain any logs, image(s) of infected device(s), and memory capture of all affected equipment, if possible, to assist in the response by the FBI.

Recommended Mitigations

• Scrutinize attachments and Website hyperlinks contained in e-mails, and do not open attachments included in unsolicited e-mails.
• If an email or email attachment seems suspicious, don’t open it, even if your antivirus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the antivirus software might not have the signature.
• Be wary of unsolicited attachments, even from people you know. Cyber actors can “spoof” the return address, making it look like the message came from a trusted associate.
• Save and scan any attachments before opening them. Turn off the option to automatically download attachments. To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option and disable it.
• Implement application whitelisting to block the execution of malware, or at least block execution of files from TEMP directories, from which most phishing malware attempts to execute.
• Install and regularly update anti-virus or anti-malware software on hosts.
• Implement an update and patch management cycle. Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected systems for known vulnerabilities and software processing Internet data, such as Web browsers, browser plugins, and document readers.
• Implement an incident management system and prepare an incident response plan for rapid deployment in case of a cyber intrusion.
• Audit and increase security controls and password requirements for all network protocols, which could be used to move laterally or gain access to a network, specifically: file-sharing protocols, such as SMB, and remote network protocols, such as RDP, SSH, VPN, Telnet, and VNC.
• Limit and audit accessible files via SMB shares. Recommend limiting SMB accessibility through Active Directory Group Policies.
• Audit privileged accounts and implement principle of least privilege, especially for administrator accounts. Routinely audit administrator and business critical user accounts.
• Monitor for SSL or TLS traffic over non-standard ports.
• Require strong password requirements for local administrators to inhibit lateral movement across workstations.
• Upgrade PowerShell to new versions with enhanced logging features and centralize logs to detect use of commonly used malware-related PowerShell commands.
• Implement a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks and should not be updated in real time.

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by email at [email protected]. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s National Press Office at [email protected] or (202) 324- 3691.

Administrative Note

This product is marked TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

For comments or questions related to the content or dissemination of this product, contact CyWatch.