COVID-19 (coronavirus) Malware: New OT and IoT Security Tools

Updated April 14, 2020

The world has changed dramatically over the last few months. At the end of 2019, almost no one knew that SARS-CoV-2 existed. Now the virus has spread to almost every country, infecting at least 1M people that we know about, and many more that we do not.

Thinking about the pandemic, I reflected on the family-like culture and deep teamwork that characterizes Nozomi Networks. I see the world in the same way: one single team fighting for the same result.

All of us have a role, and all roles are equally important. Everyone can make a difference by using their strongest skills to help address the tremendous threat posed by the coronavirus.

Furthermore, over the last week I’ve talked with many of you who are working hard in your organization. You’re striving to maintain, and if possible, increase the cybersecurity level that you’ve achieved through years of effort.

To help our customers, and the world in general, tackle new cyber threats that capitalize on coronavirus fear, uncertainty and doubt, Nozomi Networks is taking action. We’re providing free training, threat intelligence and community tools to help organizations maintain high levels of OT and IoT security.

Coronavirus-Themed Malware Attacks

Let’s look at how the pandemic has rapidly changed the threat landscape. One example is the recently released warning issued by the World Health Organization (WHO) about phishing campaigns impersonating WHO officials. The threat actor’s goal was to compromise readers by asking them to click on malicious links or open malicious attachments.

Targeting of healthcare institutions has also increased. For example, a medical facility involved in performing medical trials on COVID-19 vaccines was recently hit by the Maze ransomware. While the organization’s computer systems were quickly restored without affecting operations or succumbing to the threat actor’s demands, some patient information was exfiltrated and leaked online.

Furthermore, cyber criminals have begun selling COVID-19-themed phishing kits to those looking for easy ways to infect users. For example, a replica of the Johns Hopkins University coronavirus tracking map was modified by attackers to contain malware. Various nation-states have also started using similar techniques to increase the effectiveness of their attack campaigns and further their goals of stealing sensitive information and intellectual property.

Work from home security practices
As working from home becomes the norm for millions of people, less diligent security practices could potentially put a company’s confidential data at risk.

Remote Work Environments and Added Stress Create Security Gaps

To contain the pandemic and “flatten the curve”, millions of people around the world have suddenly become work-from-home employees. Outside of the normal IT environment, a single mistake by an employee could potentially jeopardize a company’s data. During stressful situations, team members might simply be less diligent about security practices, and therefore more susceptible to attacks.

While the COVID-19 crisis deepens throughout the world, threat actors will continue to look for new ways to exploit human nature for their own gain. It has never been more important to train employees on how to properly identify social engineering and spear phishing attempts, and review OT and IoT security practices to ensure you’re able to proactively identify anomalies, and detect and respond to attacks.

Coronavirus OT and IoT Security Training and Tools

To play our role in the fight against the pandemic, we’re providing free training, threat intelligence and community tools that specifically address COVID-19 security threats.

Threat Intelligence
We’ve created a new webpage and new GitHub downloads that provide Indicators of Compromise (IOCs), rules, and other information for COVID-19 related cybersecurity threats. These resources will be continuously updated with new information.

Community Tools
Our free Guardian Community Edition (GCE) uses passive network monitoring to provide visibility into OT and IoT assets. It’s a good starting point for improving cybersecurity for critical systems. GCE supports assertions (queries) that check for COVID-19 related IOCs in your network, such as communication with malicious IP addresses and URLs. It also helps with remote access security monitoring through assertions that check the number of simultaneous remote connections and generate alerts if the number surpasses a threshold.
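The two kinds of assertion described above, modelled as plain detection logic over constructed flow records. This is an added illustration, not Nozomi Networks code or GCE’s query language; the IOC values, the log format and the `vpn_open`/`vpn_close` events are all constructed for the example.

```python
"""IOC matching and concurrent-remote-session alerting over flow records.

Added example, not GCE's own assertion language. Record format (constructed):
  <timestamp> <src> <dst> <dst_name_or_-> <event>
"""

# Constructed IOC set; a real deployment would load the published feed.
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"covid19-tracker-map.example"}

# Constructed flow records covering both assertion types.
FLOWS = [
    "2020-04-14T09:00:01 10.0.0.5 203.0.113.45 - connect",
    "2020-04-14T09:00:03 10.0.0.7 198.51.100.8 covid19-tracker-map.example connect",
    "2020-04-14T09:00:05 10.0.0.9 192.0.2.10 - connect",
    "2020-04-14T09:01:00 198.51.100.21 10.0.0.1 - vpn_open",
    "2020-04-14T09:01:05 198.51.100.22 10.0.0.1 - vpn_open",
    "2020-04-14T09:01:09 198.51.100.23 10.0.0.1 - vpn_open",
    "2020-04-14T09:01:20 198.51.100.21 10.0.0.1 - vpn_close",
    "2020-04-14T09:01:30 198.51.100.24 10.0.0.1 - vpn_open",
]


def ioc_hits(lines):
    """Return (timestamp, src, matched_indicator) for flows touching an IOC."""
    hits = []
    for line in lines:
        ts, src, dst, name, _event = line.split()
        if dst in IOC_IPS:
            hits.append((ts, src, dst))
        elif name in IOC_DOMAINS:
            hits.append((ts, src, name))
    return hits


def remote_session_alerts(lines, threshold):
    """Alert once each time the count of open remote sessions crosses above threshold."""
    active, above, alerts = set(), False, []
    for line in lines:
        ts, src, _dst, _name, event = line.split()
        if event == "vpn_open":
            active.add(src)
        elif event == "vpn_close":
            active.discard(src)
        else:
            continue  # ordinary flows do not affect the session count
        over = len(active) > threshold
        if over and not above:
            alerts.append((ts, len(active)))
        above = over
    return alerts
```

Alerting only on the upward crossing, rather than on every record while over the threshold, keeps the remote-access check from flooding the console once the limit is exceeded.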

For our customers, the Nozomi Networks Threat Intelligence service is working with our Guardian solution to quickly detect and respond to emerging COVID-19 inspired and many other threats. We have recently added many IOCs and assertions, and will continue to do so.

OT and IoT Security Can Be Improved Despite the Coronavirus

As the COVID-19 crisis deepens throughout the world, threat actors will continue to look for new ways to exploit human nature for their own gain. It has never been more important to:

  • Rapidly detect and respond to threats
  • Train employees on how to properly identify social engineering and spear phishing attempts
  • Review your OT and IoT security practices to ensure you’re able to proactively identify anomalies

I sincerely hope that the COVID-19 security information and tools we’re providing make it easier for you to ensure your organization has high cyber resiliency.
