The FBI has issued a fresh warning following an increase in COVID-19 phishing scams targeting healthcare providers. In the alert, the FBI explains that network perimeter cybersecurity tools used by US-based healthcare providers started detecting COVID-19 phishing campaigns from both domestic and international IP addresses on March 18, 2020, and that those campaigns are continuing.
These campaigns use malicious Microsoft Word documents, Visual Basic Scripts, 7-zip compressed files, JavaScript, and Microsoft Executables to gain a foothold in healthcare networks. While the full capabilities of the malicious code are not known, the FBI suggests that the purpose is to gain a foothold in the network to allow follow-on exploitation, persistence, and data exfiltration.
In the alert, the FBI provides indicators of compromise for the ongoing phishing campaigns to allow network defenders to take action to block the threats and protect their environments against attack.
Indicators of Compromise
Email Sender | Email Subject | Attachment Filename | Hash |
[email protected] | PURCHASE ORDER PVT | Doc35 Covid Business Form.doc | babc60d43781c5f7e415e2354cf32a6a24badc96b971a3617714e5dd2d4a14de |
[email protected] | Returned mail: see transcript for details | Covid-19_UPDATE_PDF.7z | de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44 |
[email protected] | COVID-19 UPDATE !! | Covid-19_UPDATE_PDF.7z | de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44 |
[email protected] | Information about COVID-19 in the United States | covid50_form.vbs | d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c |
[email protected] | Coronavirus (COVID-19) | covid27_form.vbs | d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c |
[email protected] | Business Contingency alert -COVID 19 | COVID-19 Circular.jar | eacc253fd7eb477afe56b8e76de0f873259d124ca63a9af1e444bfd575d9aaae |
[email protected] | Todays Update on COVID-19 | Todays Update on COVID-19.exe | 7fd2e950fab147ba39fff59bf4dcac9ad63bbcdfbd9aadc9f3bb6511e313fc9c |
[email protected] | World Health Organization/ Let’s fight Corona Virus together | COVID-19 WHO RECOMENDED V.exe | d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5 |
In addition to asking healthcare providers to take steps to reduce risk, the FBI has requested that providers targeted in one of these COVID-19 phishing attacks share copies of the emails they receive, including email attachments and full email headers. If any of the attacks are successful, the FBI has requested that victims retain and share logs and images of infected devices, and perform memory capture of all affected equipment. The FBI can use that information in its response.
The FBI warns all users to be wary of emails containing unsolicited attachments, regardless of who sent the email. Threat actors can spoof messages to make them appear to have been sent by a known, trusted individual. If an email attachment seems suspicious, it should not be opened even if antivirus software suggests the attachment is clean and does not include malware. Antivirus software can only detect known malware, and new malicious code is constantly being released. The FBI also advises against allowing the automatic downloading of attachments.
Patches should be applied promptly and all software should be updated to the latest version. Additional security practices should be adopted, such as filtering certain types of attachments through email security software and firewalls.
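As an added example (not code from the FBI alert or from the original article), the Python sketch below shows one way to apply both the hash indicators and the attachment-type filtering to a received message: it reads the Hash column from rows in the table's pipe-delimited layout and checks each attachment's SHA-256 and file extension. The function names, the example.com addresses and the sample attachments are assumptions constructed for illustration.

```python
import hashlib
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment types that appear in the alert's table; extend per local policy.
RISKY_EXTENSIONS = {".doc", ".7z", ".vbs", ".jar", ".exe"}

def load_ioc_hashes(table_text):
    """Collect the SHA-256 column from 'sender | subject | filename | hash |' rows."""
    hashes = set()
    for row in table_text.splitlines():
        cells = [c.strip().lower() for c in row.split("|") if c.strip()]
        if cells and len(cells[-1]) == 64 and set(cells[-1]) <= set("0123456789abcdef"):
            hashes.add(cells[-1])
    return hashes

def scan_message(raw_bytes, ioc_hashes):
    """Return a finding for each attachment matching a hash IoC or a risky type."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        reasons = []
        if digest in ioc_hashes:
            reasons.append("hash-ioc")
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            reasons.append("risky-extension")
        if reasons:
            findings.append({"filename": name, "sha256": digest, "reasons": reasons})
    return findings

def build_sample():
    """Constructed data: harmless bytes, example.com addresses, made-up filenames."""
    payload = b"constructed sample payload, not malware"
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "clinic@example.org"
    msg.set_content("See attached.")
    for filename in ("sample_form.vbs", "renamed.pdf"):  # same bytes, two names
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    msg.add_attachment("meeting notes", filename="notes.txt")  # should not be flagged
    table = "Email Sender | Email Subject | Attachment Filename | Hash |\n"
    table += f"sender@example.com | Constructed | sample_form.vbs | {hashlib.sha256(payload).hexdigest()} |"
    return bytes(msg), table

if __name__ == "__main__":
    raw, table = build_sample()
    for finding in scan_message(raw, load_ioc_hashes(table)):
        print(finding)
```

A hash match only identifies byte-identical copies of a known file, so the extension check is what still flags a repacked or modified attachment of a filtered type.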
It is also recommended to create multiple accounts on computers and restrict the use of admin accounts. The FBI warns that some viruses require administrator privileges to infect computers, so emails should only be read on an account with restricted privileges to reduce risk.
The post FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers appeared first on HIPAA Journal.