COVID‐19 Cyber Threat Coalition – USSS Information Alert

Global Investigative Operations Center

Criminal groups are exploiting the COVID‐19 pandemic to target healthcare systems and critical IT infrastructure all over the world. The COVID‐19 Cyber Threat Coalition has created a platform to collect, assess, and share threat intelligence data to effectively prevent, detect and respond to threats.
This alert highlights those threats.

CCTC Top Indicators

A continuously updated comprehensive list of the vetted top threat indicators (domains, hashes,
IPs, and URLs) by the COVID-19 Cyber Threat Coalition can be found here:
o https://otx.alienvault.com/pulse/5e8e82183197e44938ee9eb8
o https://blacklist.cyberthreatcoalition.org/vetted/

General News & Advisories

  • The weekly COVID19 Cyber Threat Coalition Town Hall took place on Thursday 4/30. A full
    replay can be found on the CCTC YouTube channel:
    https://www.youtube.com/channel/UCHfhxcqhQADRV2h5hFgqAww  (removed)
  • EUROPOL: BEYOND THE PANDEMIC – WHAT WILL THE CRIMINAL LANDSCAPE LOOK LIKE AFTER
    COVID-19?
    o New Europol report assesses the impact of the pandemic on serious and organized crime
    across three phases
    o https://www.europol.europa.eu/newsroom/news/beyond-pandemic-what-will-criminallandscape-look-after-covid-19
  • Cyber Shield Bulletin – April 30, 2020
    o https://slack-files.com/files-pri-safe/T01029239SBF0131H5NTN0/cyber_shield_043020.pdf?c=1588326076-08db40b2f9dd584b
  • Criminals Quick to Exploit COVID-19 Crisis in Europe
    o https://www.securityweek.com/criminals-quick-exploit-covid-19-crisis-europe
  • Michigan Man Charged With COVID-19-Related Wire Fraud Scheme
    o https://www.justice.gov/usao-ndca/pr/michigan-man-charged-covid-19-related-wirefraud-scheme
  • Measuring Abuse: How Much COVID-Related Abuse Is There, Really?
    o http://www.circleid.com/posts/20200430-measuring-abuse-how-much-covid-relatedabuse-is-there/

Indicators of Compromise

  • COVID-19 fraudulent domains, malware hashes, and emails
  • Indicators include 200+ domains/URLs/hostnames, along with 4 hashes, which can be found at
    this link: https://otx.alienvault.com/pulse/5eaad977d4146a7212cbe3b0

Email Threats

  • Email Addresses tied to Coronavirus “test-kits” and “N95 surgical masks” scam
    o Indicators include 1 domain, 1 hostname, and 36 emails, which can be found at this link:
    https://otx.alienvault.com/pulse/5eaac9d9fc8c9733c7bc92cb
  • Here is a bucket of email addresses, about half of which are tied to a list of 39 domains found
    earlier this week, which were posted to the anti-fraud/anti-BEC forum StopScamFraud (Medical
    Scams). These are all tied to a scam advertising N95 face masks and Coronavirus test kits.

If anyone has any information related to this alert, the GIOC can be contacted at GIOC@usss.dhs.gov.
