Digital Guardian's Blog

FBI Urges Vigilance Around COVID-19 Scams, Malware

by Chris Brook on Tuesday March 31, 2020


It’s been difficult keeping track of all the scams leveraging the COVID-19 pandemic to steal your money or your personal information. Now, the FBI is warning of increased attacks that target the supply chain and the healthcare industry in addition to “Zoom-bombing” style attacks.

While hospital workers and healthcare practitioners continue to fight the ongoing COVID-19 pandemic in the trenches, agents with the Federal Bureau of Investigation have had their hands full - like a real-life game of whack-a-mole - trying to tamp down online threats, scams, and other conflicts that have emerged in the virus’ wake.

The FBI has already sent out several alerts this week, including a warning to supply chain companies that are dealing with a fairly new malware campaign and a warning to schools and businesses that are dealing with so-called "zoom-bombing" attacks - the hijacking of Zoom video conferences.

The malware campaign is leveraging the Kwampirs strain of malware and targeting supply chain companies and some healthcare companies, where its efforts - described as effective - have granted the attackers "broad and sustained access."

Around in some form or another since 2016, Kwampirs, malware that uses SMB to spread, has similarities with Shamoon, the data-wiping malware that has hit entities in the Middle East and is believed to be the work of Iranian hackers. While the FBI hasn't outright connected the two, it said in February that a forensic analysis of Kwampirs revealed numerous similarities with Disttrack, another name for Shamoon.

In an alert on Monday, the FBI warned that state-sponsored hackers were using Kwampirs to target a range of industries, including “healthcare, software supply chain, energy, and engineering across the United States, Europe, Asia, and the Middle East.” The FBI also said it has seen attacks against financial institutions and law firms, just less so.

"The scope of infections has ranged from localized infected machine(s) to enterprise infections. During these campaigns, the Kwampirs RAT performed daily command and control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware,” the FBI said.
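The behaviour the FBI describes, a RAT checking in with the same hard-coded destination once a day, is detectable in proxy or DNS logs even without the FBI's IOC lists. The following is an added illustration, not code from the article or from the FBI alert: it scans constructed log lines for host-to-destination pairs whose contact intervals cluster tightly around 24 hours. The log format, host names and the destination (a documentation-range address) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import pstdev

# Constructed sample proxy log: "<ISO timestamp> <source host> <destination>".
# ws-17 reaches 203.0.113.45 at almost the same time every day; the other
# contacts are irregular and should not be flagged.
SAMPLE_LOG = """\
2020-03-23T02:14:07Z ws-17 203.0.113.45
2020-03-23T09:31:22Z ws-17 updates.example.net
2020-03-24T02:14:11Z ws-17 203.0.113.45
2020-03-24T10:02:51Z ws-17 updates.example.net
2020-03-25T02:14:09Z ws-17 203.0.113.45
2020-03-26T02:14:05Z ws-17 203.0.113.45
2020-03-26T15:40:00Z ws-22 updates.example.net
2020-03-27T02:14:12Z ws-17 203.0.113.45
"""

DAY = 86400  # seconds


def parse(log):
    """Yield (epoch seconds, host, destination) for each log line (assumed format)."""
    for line in log.splitlines():
        ts, host, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when.timestamp(), host, dst


def find_daily_beacons(log, min_contacts=4, tolerance=300):
    """Return (host, destination) pairs contacted roughly once per day.

    A pair is flagged when it has at least min_contacts contacts, the mean gap
    between consecutive contacts is within tolerance seconds of one day, and
    the gaps vary by no more than tolerance seconds (population std dev).
    """
    contacts = defaultdict(list)
    for when, host, dst in parse(log):
        contacts[(host, dst)].append(when)
    flagged = []
    for pair, stamps in contacts.items():
        if len(stamps) < min_contacts:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if abs(mean_gap - DAY) <= tolerance and pstdev(gaps) <= tolerance:
            flagged.append(pair)
    return flagged
```

Tighten `tolerance` or raise `min_contacts` to trade false positives (legitimate daily update checks) against time-to-detect.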

While the FBI didn't disclose any particular hospitals or healthcare facilities that have been hit by Kwampirs, it is warning they're a target, especially post-COVID-19.

"The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products," the FBI wrote. "Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals."

It's the third document the FBI has published about the malware in 2020. Previous alerts have covered YARA rules to identify, sort, and classify malware, and indicators of compromise, or IOCs.

The FBI also this week warned of attackers side-stepping protections in Zoom, one of the more popular teleconferencing apps du jour with so many employees working from home now.

The FBI says it has received reports this month of individuals joining Zoom meetings and shouting profanities, reading out teachers' addresses, and sharing pornographic and/or hate images. While vulnerabilities have previously existed in Zoom that attackers could have used to join unprotected Zoom meetings, for the most part it is believed attackers are simply guessing meeting codes and joining meetings that have been made public by presenters.

To prevent this, the FBI is advising educators and employees – anyone who uses Zoom – to follow a series of recommendations to mitigate hijacking.

Specifically, the Boston office of the FBI is encouraging users to follow these tips when using Zoom:

  • Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. In Zoom, change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

It’s been difficult to keep track of all of the warnings the FBI has pushed out around COVID-19, but on the whole it's urging vigilance when it comes to mitigating threats tied to the pandemic.

Over the last several weeks, the agency has warned against opening emails purporting to come from the Centers for Disease Control (CDC) or the World Health Organization (WHO), or emails offering a cure or medical advice related to coronavirus.

The FBI also warned the healthcare industry last week about how there’s been an increased potential for fraudulent activity dealing with the purchase of COVID-19-related medical equipment.

Last week, the FBI's Internet Crime Complaint Center warned of a phishing scam based around convincing victims that they were the recipients of an economic stimulus check from the government. In exchange for the money, the phishing emails sought the users' private information.

Tags: Malware


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.