As the coronavirus pandemic spreads rapidly across the globe, a panic-stricken populace already confined to their homes, faces the emerging threat of COVID-themed cyber attacks. The trend of recent cyber crimes indicates a spike in the number of COVID-related malicious domains, malware attacks, as well as phishing campaigns. As a result, organizations are left with the daunting prospect of securing their assets, and that of their clients, against adversaries profiting from the pandemic. Without an effective strategy, or the right intelligence, it will be impossible to ward off such attacks.
In this article, we have consolidated popular open source threat intel resources that can help you combat COVID-themed cyber attacks. These open source resources provide the latest intelligence and observations on cyber threats to alleviate the impact such attacks could have on the global community.
COVID-19 Cyber Threat Coalition
Cyber Threat Coalition (CTC) is the result of combined efforts of around 3,000 security professionals who gather, analyse, and share intelligence pertaining to new COVID-themed threats. At present, the largest contribution of COVID-themed datasets are produced by CTC. Moreover, they prioritize and defend essential services and the front-line medical sector, against threats. The telecommunication sector is also a part of essential services, as more people shift to remote work.
How does CTC alert organizations?
- Typically, they examine millions of data points contributed by organizations or individuals, and run the indicators through several security products.
- If at least 10 of these security products identify the data point as a threat, CTC volunteers manually verify such findings and add malicious feeds to its Blocklist. If only 5-9 security product vendors identify the data point as malicious, they will be manually verified as malicious feeds before adding them to the Blocklist.
- This Blocklist helps organizations and individuals, across the globe, block malicious traffic arising from fraudulent activities.
- Additionally, they have a Beta MISP feed that details the various threat indicators (accessible to those who have set up MISP).
How can you contribute?
- CTC maintains a Slack workspace, the invitation for which is available on their official website. This workspace is for researchers who may have information regarding COVID-themed cyber attacks. In addition, they also have a slack room to announce updates, and new developments: #ctc-official-announcements
- Their Alienvault open threat exchange (OTX) also gathers data feeds from researchers. CTC considers Alienvault OTX as their primary source of raw data feeds. They are encouraging anyone with high quality threat intel, to join this platform.
Here is the CTC Blocklist for vetted malicious domains and IP addresses:
COVID-19 CTI League
This is a collective of experts and Incident Responders, from across 40 countries, which gathers COVID-related threat intelligence. Senior Microsoft and Amazon officials are also part of this team. CTI League is geared towards neutralizing cyber threats against the front-line medical sector and critical infrastructure.
How is the medical sector benefiting from the CTI League?
- CTI accepts IR (Incident Response) requests from organizations, to detect security incidents and keep them in check. To achieve this, the CTI League connects with researchers and analysts from 22 different time zones. Volunteers help the community find the most appropriate individuals who can secure medical institutions and resources in their location.
- They assist in taking down websites, web pages, or files from the internet, and escalate cyber attacks, malicious activities, or critical vulnerabilities, to law enforcement agencies and national CERTs.
- They provide reliable databases, of high-priority indicators of compromise, that help the medical sector investigate and block malicious activities.
Cyber Threat Alliance
(https://www.cyberthreatalliance.org/)
This is a not-for-profit membership organization that focuses on phishing lures and malware attacks. They help thwart attempts to harm the medical sector, in the time of this unprecedented crisis.
What are they offering?
- ~135,000 STIX packages of intelligence. Each data point will have an average of two accompanying contexts.
- Packages that include datasets/ observables and Tactics, Techniques, and Procedures (TTPs) across different stages of the cyber attack.
- Observables include files, domain names, addresses, and Uniform Resource Identifiers (URIs).
- More than 50 TTPs, from handy knowledge bases of MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC) and Adversarial Tactics, Techniques, and Common Knowledge (ATT&CKTM), help you understand the adversaries’ attack patterns and the attack mechanisms..
- CTA Membership that grants access to validated and curated threat intelligence.
PhishLabs
(https://www.phishlabs.com/covid-19-threat-intelligence)
Phishing is the most common cyber threat. And even as the world tries to make sense of the coronavirus epidemic, scammers are busy cashing in on the fear and anxiety. PhishLabs, a team of cybersecurity experts, combines their efforts to provide free resources of Coronavirus-related threat intelligence, with their primary focus on phishing attacks.
What have they got to offer?
Their database is updated with the latest on COVID-themed phishing email, malicious URLs, and domains. They present and share the data in a zip file containing phishing lures (as image files), and phishing URLs (in .xlsx format).
Checkphish: Coronavirus Scam Tracker
(https://checkphish.ai/coronavirus-scams-tracker)
Checkphish maintains a global dashboard that tracks the latest Coronavirus-themed phishing scams. The results are classified into scams and suspicious sites. Moreover, for each website, it provides scam feeds in the .tsv format.
Sample: https://checkphish.ai/data/covid_feed.tsv
The dashboard also allows you to run free URL scans to identify malicious websites. For each queried domain and the domains which are already in the list the dashboard also incorporates website screenshots, Passive DNS (of hosts and domains hosted on given IP), details of similar domains, and their WHOIS information.
MISP
(https://covid-19.iglocska.eu)
Malware Information Sharing Platform (MISP) is an open source threat intelligence platform. They provide IDS signatures for COVID-19 cyber intrusions in various formats such as: STIX, STIX2, Text, csv, etc., They also allow users to automate the process of collecting information. Researchers and interested parties are only required to send a direct message to the team to access https://covid-19.iglocska.eu/.
RiskIQ
RisqIQ PassiveTotal offers access to RisqIQ datasets such as passive DNS, extensive DNS data, WHOIS registration details, and SSL certificate details. And, as a response to the rising number of COVID-themed cyber attacks, they also share lists of Coronavirus-related domain names that contain ‘covid’, ‘coronav’, ‘vaccine’, ‘pandemic’, or ‘virus.’ These may or may not be malicious. To facilitate an investigation into these domains, interested analysts are allowed 30-days access to use PassiveTotal, RiskIQ’s threat research platform.
Links to the lists of COVID-themed domain names:
https://covid-public-domains.s3-us-west-1.amazonaws.com/list.txt (consolidated list)
https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-YYYYMMDD
https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-20200420
RisqIQ Dashboard: https://community.riskiq.com/
Github CTI league Repo
(https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE)
A GitHub repository, dubbed as COVID-19-CTI-League, also shares vetted, approved IOCs of COVID-themed cyber attacks. Even though the name of the repository resembles the community CTI League (discussed earlier), they aren’t related.
Independent Researchers And Feeds
Although we have listed out the big names in cyber security, it is important to know that there are individual researchers and cyber security bloggers committed to resolve and neutralize the attacks surfacing during the epidemic. They share their analysis and findings on social media platforms such as Twitter. Here are some of them:
@dustyfresh
Twitter user DustyFresh has set up a feed, updated every 30 seconds, which scans for new COVID-related hostnames discovered in certificate transparency logs. He uses keywords coronavirus, covid19, covid-19, covid, pandemic, etc.
Although most of the domains in this list are considered malicious, it is upto researchers to figure this out.
@sshell_
Another researcher who goes by the Twitter handle @sshell_ created a real-time dashboard of malicious websites. This dashboard leverages RiskIQ’s feed (mentioned earlier) and lists COVID-themed malicious domains in real-time.
@LukasStefanko
Independent researcher and ESET mobile malware analyst, Lukas Stefanko, tracks COVID-related malware attacks that target Android users, on a daily basis.
Threatfeeds.io
This is another open source threat intelligence platform that gathers Indicators of Compromise from various sources. It allows users to download data for free.
MalwareBazaar
(https://abuse.ch/blog/introducing-malwarebazaar/)
Abuse.ch provides free malware samples that are easily downloadable. MalwareBazaar hopes to help researchers understand malware samples and use the intelligence for further analysis.
Advisories
The official Twitter accounts of government agencies are also provide regular updates on the latest scams and scamming tactics:
@CyberDost
Indian Ministry of Home Affairs offers tips and advises the public on safe internet practices, through its Twitter handle @CyberDost and its official website National Cyber Crime Reporting Portal. These platforms can also be used to report any malicious cyber activity that you come across.
@Europol
This is the Twitter handle of European Union’s Agency for Law Enforcement Cooperation. Europol shares recent trends in cyber attacks and scams themed after the Coronavirus pandemic.
