For Flashpoint’s most recent observations visit the blog here.
The spread of coronavirus continues to have a significant impact across the world. As a result, Flashpoint has developed an Analyst Knowledge Page around COVID-19 for our clients as a way to provide an overview of findings with the opportunity to dive deeper into the data. This blog addresses key findings from Flashpoint analyst observations from this Knowledge Page with regard to event disruption, disinformation, misinformation, phishing, and malware. The Flashpoint team will continue to provide updates here.
COVID-19 Global Impact:
Virus trackers have been established by the Center for Systems Science and Engineering at Johns Hopkins University, the New York Times, and the Washington Post. An analysis of the spread of COVID-19 can be found here.
Work-from-Home Tests Business Networks, Security Protocols:
Organizations encouraging and requiring employees to work remotely are setting a new precedent for business networks and security protocols. In response, the CDC provides guidance for businesses and employers to plan and respond to COVID-19.
Implications for Educational Institutions:
Over 135 colleges across the United States are closing their campuses through the end of term/spring 2020. Many of these universities have shifted to online-only classes and have asked students to vacate dorms. This week, many college athletic events have also been cancelled. K-12 schools across the country have begun to announce temporary closures as well.
Delays and Disruptions to Major Events Possible:
A number of scheduled conferences and events continue to experience delays or cancellations as a result of the virus. Cancelling events or limiting attendance is meant to prevent community spread. In addition, many professional sports across the world have announced postponed or suspended seasons, including the NBA, which made its announcement after a player tested positive for the virus.
Forbes has compiled a master list of airline change and cancellation policies.
A list of cancelled trade shows and technology conferences can be found here.
Disney and Universal Studios have announced park closures beginning this week through the end of March.
Speculation continues around the impact the outbreak will have on the 2020 Tokyo Olympics scheduled to begin in late July 2020.
Phishing and Malware Activity:
As Flashpoint reported in mid-February, threat actors began to leverage COVID-19 in phishing campaigns. Potential targets may be less likely to question the legitimacy of emails when they claim to have information related to an ongoing health crisis. Analysts strongly suggest that individuals seek information about COVID-19 from known official channels and operate with a high degree of caution when reading a message that attempts to procure personal information. This week there was an increase in reports of actors spreading misinformation narratives and coronavirus-themed documents to lure victims. Additional campaigns include:
- Coronavirus-Themed Malware: On March 12, 2020, cybersecurity groups reported on a “malware cocktail” composed of the “CoronaVirus Ransomware” and the “Kpot” data-stealing malware. To distribute the malware, attackers created a website that resembled a Windows utility site. The ransomware directs payments to a Bitcoin wallet address.
- Phishing Spoofing WHO Distributes Malware Downloader: A phishing campaign pretending to be releasing information from the World Health Organization is distributing a malware downloader that installs the “FormBook” information-stealing trojan. The email prompts readers to open a PDF file for “the simplest and fastest way to take care of your health and protect others.”
- Phishing and “Trickbot”: Phishing emails containing the “Trickbot” information-stealing malware are targeting Italy with email subjects containing “important information and precautions.” The emails may contain malicious links or Word documents that require users to “enable content” to view. Once clicked, the link or file launches malicious macros that extract files to install and launch Trickbot.
- Email Pretending to Be from WHO or CDC Distributes Malware: Flashpoint reported on earlier malicious online activity seeking to exploit fears around the coronavirus. Threat actors are spoofing official organizations’ emails, such as the CDC and the WHO, and installing “Emotet” payloads and “AZORult” malware. Various coronavirus-themed documents have also been found in Korean and Vie
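A defender-side triage check for the lures listed above, added here as an example and not taken from Flashpoint: it flags a display name that claims the WHO or CDC while the sender domain is not who.int or cdc.gov, a failed SPF/DKIM/DMARC result, and Word attachments that can carry macros. The function name, the sample messages and the `.example` domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Organizations the page names as spoofed, mapped to their real mail domains.
OFFICIAL = [
    (re.compile(r"\bWHO\b|(?i:world health organi[sz]ation)"), "who.int"),
    (re.compile(r"\bCDC\b|(?i:centers for disease control)"), "cdc.gov"),
]
MACRO_EXT = (".doc", ".docm", ".dotm")  # Word formats that can carry macros

def triage(raw):
    """Return the reasons a raw RFC 5322 message deserves a closer look."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    for pattern, real in OFFICIAL:
        trusted = domain == real or domain.endswith("." + real)
        if pattern.search(name) and not trusted:
            flags.append(f"display name claims {real}, sender domain is {domain}")
    auth = msg.get("Authentication-Results", "").lower()
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        flags.append("sender authentication failed")
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(MACRO_EXT):
            flags.append(f"macro-capable attachment: {filename}")
    return flags

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "World Health Organization" <safety@who-int.example>
Subject: Coronavirus: important information and precautions
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=who-int.example
Content-Type: application/msword
Content-Disposition: attachment; filename="precautions.doc"

AAAA
"""
LEGIT = """\
From: "WHO Media" <media@who.int>
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass

Text only.
"""

if __name__ == "__main__":
    print(triage(SPOOFED), triage(LEGIT))
```

The flags are triage hints for an analyst or a mail-gateway rule, not a verdict; a display-name match on a trusted domain with passing authentication returns no flags.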
Tracking Cybersecurity Groups and Coronavirus-Themed Campaigns:
Cybersecurity groups continuously announce timely information about malicious online activity. Security teams tracking these developments are reporting on relevant indicators of compromise, including malicious coronavirus-themed attachments and network indicators.
Hackers are debuting new maps and coronavirus trackers to spread malware. The Johns Hopkins dashboard and the New York Times map appear to be the safest tools for tracking the spread of the virus. Most others should be used cautiously.
Misinformation Spreading through Chat Apps:
Misinformation around the virus continues—there is a near-constant stream of misinformation recommending dangerous or ineffective techniques for treating and preventing COVID-19. While some of these carry immediate physical risks—such as drinking bleach—others present threats because they are scientifically untenable or may prevent people from seeking proper medical attention. Medical misinformation may also lead to undue panic, stockpiling, and noncompliance with public health safety measures.
New Disinformation Trends:
- More Memes Used: Coronavirus-themed memes spreading misinformation have started to spread more aggressively on social media. In disinformation campaigns, memes are a widely used entry tool to widen the campaign’s. Some of these memes contain medical disinformation.
- Variations on Themes: New iterations of the disinformation master narrative suggesting the coronavirus is a manmade creation have appeared. Iranian media misquoted a former CIA officer, Philip Giraldi, to support claims that the coronavirus was produced in a lab. A video spreading on TikTok by adherents of the QAnon conspiracy theory suggested that the virus was created for the purposes of population control. The overall narrative was exacerbated by a Chinese diplomat, Zhao Lijian, claiming that he suspected the United States of being the source of the virus.
- More US Disinformation: Significantly more disinformation narratives with a local focus have emerged in the United States. These include misleading articles and social media posts (primarily on Facebook and WhatsApp) claiming that certain states are deliberately understating or hiding the number of infected or dead people and that New York City is about to shut down public transportation. A misattributed video claimed to show a New York City man dropping dead on the street.
- Struggle to Combat Foreign-Language Misinformation: Media reported that social media companies are struggling to remove medical misinformation in languages other than English, which often recycle earlier, debunked claims about home cures (for example, lemon, garlic, or onions) and embed them in messages that are ostensibly from doctors or public personalities. These narratives can represent a more substantial risk as the virus spreads in Europe and in non-English-speaking communities in the United States.
- Political and Coronavirus Narratives Blending: Political disinformation narratives have developed in conjunction with coronavirus-related disinformation. A new claim that surfaced this week is that the 2020 US presidential election might be called off or postponed due to the virus. The pandemic itself can depress turnout in elections due to social distancing. This effect can be exacerbated by disinformation campaigns.
- “SMSishing”: Flashpoint analysts have also observed an uptick in malicious links sent via text messages. These messages contain various social engineering schemes that capitalize on coronavirus concerns, including links that allegedly contain discounts for popular streaming services or request personal information for COVID-treatment.
The Newark, New Jersey, Department of Public Safety warned residents that they would face prosecution for falsely reporting cases of the virus or for spreading misinformation.
The US government has approved $8.3 billion in emergency funding in response to COVID-19.