Skip to main content


Threat Advisory: COVID-19 Exploited By Malicious Cyber Actors

Threat Advisory: COVID-19 Exploited By Malicious Cyber Actors

As COVID-19 continues to affect the world, and everyone is adapting to a global pandemic, cybercriminals and Advanced Persistent Threat (APT) hacking groups are adapting as well. Both VISA and NCSA are seeing a growing use of COVID-19 related themes by malicious cyber actors. A massive increase in remote working has also led to organizations being more vulnerable to cyber-attacks on numerous fronts, including the use of VPN and RDP from home users to access corporate networks, outdated or insecure equipment and devices being used on home networks, and fewer restrictions on web browsing for home users.


Who Can Be Affected?

During times of heightened fear or calamity, bad cyber actors target everyone - from large corporations to small organizations to everyday people with a phone - by sending phishing emails and malicious SMS messages. Phishing is up 667% over the last 2 months, and SMS phishing text messages luring recipients to check the status of their stimulus checks or "you've crossed paths with someone infected with COVID-19" have begun popping up on cell phones.

APT groups, on the other hand, target high-value, more-apt-to-pay organizations. Hospitals and health organizations in the United States, Spain, and across Europe have all been affected by COVID-19 ransomware incidents. Ransomware as a whole is up 148% in 2020. Attacker scans of Remote Desktop Protocol and home networks have increased by nearly 40% since the work-from-home movement began.


How Does This Attack Work?

APT groups are centering their attacks around COVID-19. These hackers are using the pandemic for commercial gain, deploying a variety of ransomware and other malware. These types of attacks will certainly continue in the upcoming weeks and potentially could have a huge impact on organizations worldwide. Phishing is the most common method being used. These types of attacks employ coronavirus-themed SMS phishing messages, regular phishing emails, and COVID-19-related applications, using trusted sources such as legitimate government websites for up-to-date, fact-based information about COVID-19. Using real COVID-19 details as a "lure," messages about fake safety precautions or fake coronavirus updates can lead to a phishing website or the downloading of malware. 

Malicious cyber actors are spoofing sender information in emails to make it seem as if it is coming from a trustworthy source, including the World Health Organization (WHO) and the Center for Disease Control (CDC). Cyber actors are also spoofing human resource (HR) departments to target people, advising employees to open attachments that could contain malware.


Social engineering techniques have all been in play, and the following are the most common examples of phishing email subject lines:

  • 2020 Coronavirus Updates
  • Coronavirus Updates
  • 2019-nCov: New confirmed cases in your city
  • 2019-nCov: Coronavirus outbreak in your city (Emergency)

These phishing emails have information that encourages victims to click on malicious links, leading to websites that steal personal information or persuade victims to download a malicious email attachment.


SMS Phishing

Not all phishing attempts have come through email, but through SMS (text message) as well. Attackers are sending text messages stating that "an organization has issued a payment of a certain amount to all residents, please click on this link" or "Your stimulus check is pending acceptance – click here to claim." The link could lead to a malicious website that could steal your information.

Remember: organizations, especially financial institutions, won't text you to claim funds… ever. Stimulus checks do not require confirmation or your account details.


Exploitation of New Remote Working Infrastructure

With the growing use of remote working, new applications, VPNs, and IT infrastructure are being deployed in different organizations that have never utilized remote working prior to the pandemic. Attackers are taking advantage of this by finding known vulnerabilities on the infrastructure that is being implemented.

In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix. Citrix vulnerability, CVE-2019-19781, and its exploitation have been widely reported since early January 2020. Both CISA and NCSC offer guidance on and continue to investigate multiple instances of this vulnerability's exploitation.

Remote Desktop Protocol is also actively being attacked. One of the most significant and commonly-unpatched vulnerabilities used by hackers is CVE-2019-0708, also known as BlueKeep. BlueKeep allows an attacker to exploit a vulnerability in unpatched RDP protocols to perform remote code execution on an unprotected system, potentially giving the attacker persistent access to a network.

Lastly, vulnerabilities in networking hardware are leading to network compromises around the globe. Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack. Attackers are also compromising Linksys Smart Wi-Fi accounts via credential stuffing and changing home routers' DNS settings.


What Can You Do?

The Cybersecurity and Infrastructure Security Agency (CISA) warns people to stay vigilant for scams related to COVID-19. Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes.

CISA encourages people to stay vigilant and take the following precautions:

  • Avoid clicking on links in unsolicited emails and be wary of email attachments. 
  • Use trusted sources such as government websites, for up to date, fact-based information about COVID- 19.
  • Secure systems that enable remote access.
  • Test Remote Access solutions capacity or increase capacity.
  • Enhance system monitoring to receive early detection and alerts on abnormal activity.
  • Implement multi-factor authentication.
  • Ensure continuity of operations plans or business continuity plans are up to date.
  • Increase awareness of information technology support mechanisms for employees who work remotely.


During this global pandemic, the last thing any organization needs worry about is malicious actors compromising your network or dealing with a data breach. Cybersecurity is more important now than ever, so please continue to pay attention to cybersecurity threats, remind your employees about cybersecurity risks, and stay vigilant.


Written by: 
Edin Y Cordona and Jon Waldman
SBS CyberSecurity


SBS Resources: 


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Security Manager

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, April 23, 2020
Categories: Blog