COVID-19 CTI League aims to identify, analyze and neutralize all cyber threats, but it is prioritizing defense of front-line medical resources and critical infrastructure.
More than 800 cybersecurity experts have banded together to fight coronavirus-inspired attacks.
Called the COVID-19 CTI (cyber threat intelligence) League, the community includes incident responders and industry experts from more than 40 countries. It is being managed by tech executives from Microsoft, Okta, Amazon and ClearSky Cyber Security.
Formed March 25, the invitation-only group aims to identify, analyze and neutralize all threats, but it is prioritizing the defense of front-line medical resources and critical infrastructure. The group is paying particular attention to ransomware, such as the attack that hit the Champaign-Urbana Public Health District website in Illinois earlier this month.
“If some hospital gets attacked by some ransomware and wouldn’t be able to pay, people will die because they wouldn't be able to get the medical services needed," Ohad Zaidenberg, the group's founder and lead cyber intelligence researcher at ClearSky Cyber Security, told NBC News.
The CTI League coordinates over Slack: members identify the vulnerabilities attackers are actively exploiting, then search for hospitals and medical facilities that are exposed to them. "The first thing we want to do is neutralize attacks before they happen," Zaidenberg said. "The second is to help any medical organization after they are attacked."
Also key is the defense of communication networks and services that have become essential as more people work from home, CTI League Manager Marc Rogers, the head of security for the Def Con conference and a vice president at security company Okta, told Reuters. Group members are using their contacts with internet infrastructure providers to tamp down phishing attacks and financial crimes that prey on victims’ COVID-19 health and financial fears.
“I’ve never seen this volume of phishing,” Rogers said. “I am literally seeing phishing messages in every language known to man.”
Phishing scams have been enticing users to click on links to download free Netflix passes or to install apps that, for a small fee, claim to identify COVID-19-positive people nearby. Some offer a free mask in exchange for downloading an app, or reimbursement for school lunches once banking details are forwarded. Others impersonate police departments and issue fines to those accused of breaking quarantine. One phishing scam even offered an anti-virus app that claims to protect computers from the coronavirus.
Additionally, scammers are sharpening their skills as they prepare to scoop up relief money from businesses and individuals. One scam directs users to fill out a “census” form on a fraudulent site, telling uninformed victims that without that census information, the government would be unable to send them a relief check.
Besides taking advantage of health and financial fears, phishing lures are targeting remote workers with emails attempting to spoof company guidance and procedures, HR correspondence and IT resources, CrowdStrike Intelligence reported. Also popular are voice phishing, robocall scams and technical support scams where phone calls, pop-up warnings or redirects try to trick users into downloading malware.
Organizations quickly rolling out cloud resources may face increased security risk as attackers seek access to software-as-a-service accounts, or use Remote Desktop Protocol brute forcing and password spraying to gain network access. Attackers will also attempt to compromise the devices of employees working remotely, the security firm said.
“The use of nimble cloud technology, regularly configuring and patching devices, and continued security awareness training are critical strategies during COVID-19. Training and testing are essential pieces of a response strategy as government employees are often the front lines of defense and key in thwarting cyberattacks,” said James Yeager, CrowdStrike’s vice president of public sector and healthcare.
The Cybersecurity and Infrastructure Security Agency issued security guidance for organizations relying on enterprisewide virtual private networks, including testing VPNs for mass usage; ensuring VPNs, network infrastructure devices and end-user devices are patched and up to date; ramping up log reviews, attack detection and incident response and recovery activities; and implementing multifactor authentication wherever possible.
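The two credential attacks CrowdStrike names above, RDP brute forcing and password spraying, leave different shapes in the failed-logon logs that CISA's guidance asks organizations to review more closely: brute forcing piles many failures onto one account from one source, while spraying touches many accounts from one source with only one or two failures each, so a per-account lockout threshold never fires. The detector below is an added example written for this page, not code from the CTI League, CrowdStrike or CISA. The one-line-per-failure log format and the sample events in it are constructed for the example (real Windows deployments would feed it Event ID 4625 records, with Logon Type 10 marking RDP), and the thresholds are illustrative assumptions to tune per environment.

```python
"""Toy detector for RDP brute-force and password-spray patterns in failed logons.

Added example for this article; not the CTI League's, CrowdStrike's or CISA's code.
Log format and sample data are constructed; thresholds are assumptions to tune.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample. Hypothetical format, one failed logon per line:
#   <ISO-8601 UTC timestamp> FAILED_LOGON src=<source IP> user=<account>
# 198.51.100.7 hammers one account (brute force), 203.0.113.5 tries one
# guess each against many accounts (spray), 192.0.2.9 is a user mistyping.
SAMPLE_LOG = """\
2020-03-27T09:00:01Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:02Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:03Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:04Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:05Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:06Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:07Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:08Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:09Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:00:10Z FAILED_LOGON src=198.51.100.7 user=administrator
2020-03-27T09:05:00Z FAILED_LOGON src=203.0.113.5 user=alice
2020-03-27T09:05:20Z FAILED_LOGON src=203.0.113.5 user=bob
2020-03-27T09:05:40Z FAILED_LOGON src=203.0.113.5 user=carol
2020-03-27T09:06:00Z FAILED_LOGON src=203.0.113.5 user=dave
2020-03-27T09:06:20Z FAILED_LOGON src=203.0.113.5 user=erin
2020-03-27T09:06:40Z FAILED_LOGON src=203.0.113.5 user=frank
2020-03-27T09:07:00Z FAILED_LOGON src=203.0.113.5 user=grace
2020-03-27T09:07:20Z FAILED_LOGON src=203.0.113.5 user=heidi
2020-03-27T10:30:00Z FAILED_LOGON src=192.0.2.9 user=carol
2020-03-27T10:30:40Z FAILED_LOGON src=192.0.2.9 user=carol
"""


def parse_line(line):
    """Parse one constructed FAILED_LOGON line into (timestamp, src, user)."""
    ts_str, event, src_kv, user_kv = line.split()
    if event != "FAILED_LOGON":
        raise ValueError(f"unexpected event type: {event}")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, src_kv.split("=", 1)[1], user_kv.split("=", 1)[1]


def detect_credential_attacks(log_text, window=timedelta(minutes=10),
                              brute_threshold=8, spray_min_accounts=5,
                              spray_max_per_account=2):
    """Return one finding per (source, attack type) seen inside a sliding window.

    brute_force:    one source, >= brute_threshold failures on a single account.
    password_spray: one source, >= spray_min_accounts distinct accounts, none of
                    them failing more than spray_max_per_account times (the
                    low per-account count is what defeats lockout policies).
    Thresholds are illustrative assumptions, not vendor or CISA guidance.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user = parse_line(line)
            by_src[src].append((ts, user))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            attempts = sum(per_user.values())
            worst = max(per_user.values())
            kinds = []
            if worst >= brute_threshold:
                kinds.append("brute_force")
            if len(per_user) >= spray_min_accounts and worst <= spray_max_per_account:
                kinds.append("password_spray")
            for kind in kinds:
                key = (src, kind)
                # Keep the largest window seen for this source/type pair.
                if key not in findings or attempts > findings[key]["attempts"]:
                    findings[key] = {"src": src, "type": kind,
                                     "accounts": len(per_user), "attempts": attempts}
    return sorted(findings.values(), key=lambda f: (f["src"], f["type"]))


if __name__ == "__main__":
    for finding in detect_credential_attacks(SAMPLE_LOG):
        print(finding)
```

Because the two patterns are distinguished by the ratio of distinct accounts to failures per account rather than by raw volume, the mistyping user at 192.0.2.9 produces no finding, and the spray source is flagged even though no single account it touched ever crossed a lockout-style threshold. In production the same logic would run over Event ID 4625 records keyed by source address, and the multifactor authentication CISA recommends is what blunts the spray once a single guess succeeds.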