As we reported in March, the COVID-19 pandemic is being leveraged by malicious cyber actors to make various cybersecurity attacks. In a joint alert issued on April 8 by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC), the agencies provided information on exploitation of the pandemic by cybercriminals and advanced persistent threat groups and provided guidance to help mitigate these threats.

The alert identified several observed threats:

  • phishing, using the subject of coronavirus or COVID-19 as a lure
  • malware distribution, using coronavirus- or COVID-19-themed lures
  • registration of new domain names containing wording related to coronavirus or COVID-19
  • attacks against newly deployed remote access and teleworking infrastructure.


Description: Phishing is a common mode of cyberattack that has led to some of the most notorious infiltrations of data to date, including the 2016 hack into the Democratic National Committee, the Sony Pictures cyberattack by North Korea, and the Target data breach in 2013. Phishing scams rely on social engineering techniques that play on a person’s human traits to entice them to carry out specific actions. The pandemic is a situation ripe to take advantage of individuals, given society’s overwhelming concern.

Generally, phishing programs have utilized emails appearing to be from a trusted source, often using domain names with COVID-19 related wording to appear legitimate and offering financial incentives. Many instances of emails and web links containing COVID-19 related wording (e.g., “corona-virus-business-update,” “covid19-advisory” or “cov19esupport”) have been used to entice individuals to provide login credentials so that they may view the respective update. According to the joint alert, while most phishing attempts come by email, text messaging (SMS) has also been used for phishing attempts. These fraudulent messages often seek to entice individuals to click on a link or open an attachment to obtain information or apply for government-offered financial relief programs, deploying malware. The phishing attempts may also entice victims to disclose sensitive information, like Social Security numbers, financial information or user-credential information.

Possible remediation

  • Be wary of unsolicited third-party messages seeking information, even official-looking messages and links.
  • If you are suspicious of an unsolicited message, call your corporate IT organization or the business or person who sent the message to verify that the request is legitimate.
  • Provide employee training addressing specific work-from-home risks and do random phishing tests of employees to test their awareness.

Malware Distribution

COVID-19 related lures have also been deployed to distribute malware. This malware can take various forms, including key loggers, ransomware or Trojans, with the capability to provide backdoors or other means to steal personal information. In most cases, emails are used to persuade the victim to open an attachment or download a malicious file from a linked website. When the victim opens the attachment, the malware is executed, compromising the victim’s device. A few well-known malwares were identified in the joint alert, including Agent Tesla (a key logger), the GraceWire Trojan and TrickBot Trojan. In fact, Interpol has issued a Purple Notice that threat agents are targeting hospitals and related organizations with ransomware COVID-19 based attacks.

Possible remediation

  • Be wary of clicking on links or downloading attachments from unsolicited messages. Given the heightened interest in COVID-19 related information and the increase in malware distribution, it is important to think twice before clicking links.
  • If you do click on such a link, be sure to report it immediately to your IT organization.

Exploitation of Teleworking Infrastructure and VPN Technologies

Of growing concern are the attacks exploiting new teleworking infrastructure. As organizations have transitioned to remote-work capabilities, malicious cyber actors are taking advantage of known vulnerabilities across numerous platforms.

In particular, companies have increasingly used virtual private networks (VPNs) to provide employees access to internal systems. However, CISA and NCSC have observed actors scanning for publicly known vulnerabilities, like Citrix’s vulnerability CVE-2019-19781 and other know vulnerabilities affecting VPN products including Pulse Secure, Fortinet and Palo Alto.

Additionally, other popular communications platforms, like Zoom and Microsoft Teams, have been the targets of cyberattacks. Issues of eavesdropping and complete hijacking of teleconferences have been reported. The joint alert notes that attacks on unsecured Microsoft Remote Desktop Protocol (RDP) endpoints (i.e., exposed to the internet) have been widely reported online, and recent analysis has identified a 127 percent increase in exposed RDP. The rapid pace at which teleworking infrastructure has been deployed in many organizations to ensure continuity of operations increases the likelihood that vulnerabilities have yet to be remediated. Instituting multifactor authentication and VPNs can be a great help to protect remote workers.

Possible remediation

  • When utilizing VPNs and teleconferencing technologies for telework capabilities, work with your information security team to ensure security measures are properly in place to prevent known vulnerabilities.
  • Meetings using teleconferencing technologies should never use public settings, and instead should require passwords or the use of a waiting room to control the admittance of guests.
  • Strict screen-sharing settings should be utilized to ensure unauthorized individuals cannot commandeer any meeting.
  • Ensure all software, including remote access and meeting applications, are up to date.
  • Ensure telework policies address requirements for physical and information security.