The Securonix Threat Research Team has identified new ransomware and credential stealing activity related to the Coronavirus pandemic, taking advantage of remote workforce environments. Securonix published the research this morning on their blog.
Findings include a weaponized Word document that delivers ransomware, a variant of SNSLocker, pushed to users as a malicious COVID-19 situation report. Once a user opens the document, sensitive data is encrypted immediately and payment instructions are provided.
The Threat Research Team also discovered a new malicious credential stealer implant that is pushed through different types of e-mails, including a fake COVID-19 infection notification e-mail and a COVID-19 relief e-mail. The implant steals cryptocurrency wallets and exfiltrates stolen information, among other malicious activities.
In the blog post, Securonix provides detailed recommendations on combating these advanced threats and on monitoring a remote workforce. These recommendations are useful for security operations/SOC, IT operations, insider threat, and human resources teams.
Be sure to monitor for the following common red flags:
Unusual-severity event from your VPN server device
Account authentication from a rare geolocation
VPN connection from anonymous proxy
Connection to a rare domain for a peer group followed by an executable download
Emails from typosquatted domain
Abnormal number of emails sent to a rare external recipient
Abnormal amount of data sent to a rare external recipient
Unusual VPN session length
Unusual amount of data for a VPN session compared to peers
Unusual sensitive data access increase for a user
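As an added illustration of how two of these red flags can be turned into detection logic (this is example code written for this summary, not code from Securonix or its report), the following Python checks inbound mail for sender domains that are near-miss spellings of trusted domains, and checks outbound mail for messages to a recipient domain that is rare within the sender's peer group and whose size is far above what peers normally send. All domains, users and message sizes are constructed sample data; KNOWN_DOMAINS, INBOUND and OUTBOUND are hypothetical inputs standing in for a mail gateway or SIEM feed.

```python
"""Added example: detection logic for two of the red flags listed above
("Emails from typosquatted domain" and "Abnormal amount of data sent to a
rare external recipient"), run over constructed sample events. This is
not code from Securonix or its report; domains, users and sizes are made up."""
from collections import defaultdict
from statistics import mean, pstdev

# Domains the organisation expects mail from (hypothetical allow-list).
KNOWN_DOMAINS = {"example.com", "who.int", "cdc.gov"}

# Constructed inbound mail events: (sender domain, subject).
INBOUND = [
    ("who.int", "Situation report 58"),
    ("wh0.int", "COVID-19 situation report - urgent"),
    ("example.com", "Team sync"),
    ("examp1e.com", "COVID-19 relief payment"),
    ("newsletter.example", "Weekly digest"),
]

# Constructed outbound mail events: (user, peer group, recipient domain, bytes).
OUTBOUND = [
    ("alice", "finance", "partner.example", 120_000),
    ("alice", "finance", "partner.example", 90_000),
    ("bob", "finance", "partner.example", 110_000),
    ("bob", "finance", "bank.example", 100_000),
    ("carol", "finance", "partner.example", 95_000),
    ("carol", "finance", "mailbox-drop.example", 48_000_000),
]


def levenshtein(a, b):
    """Edit distance between two strings; small values mean look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(events, known=KNOWN_DOMAINS, max_distance=2):
    """Sender domains that are not on the known list but sit within
    max_distance edits of one, i.e. likely typosquats of a trusted sender.
    Returns (sender domain, closest known domain, subject) tuples."""
    hits = []
    for domain, subject in events:
        if domain in known:
            continue
        close = [k for k in sorted(known) if levenshtein(domain, k) <= max_distance]
        if close:
            hits.append((domain, close[0], subject))
    return hits


def rare_recipient_volume_outliers(events, min_senders=2, z=2.0):
    """Messages to a recipient domain used by fewer than min_senders distinct
    users in the sender's peer group, whose size exceeds the peer group's
    mean + z * stdev. The baseline excludes the message under test, so one
    huge transfer cannot hide itself by inflating its own threshold."""
    senders_by_dom = defaultdict(set)
    for user, group, dom, _ in events:
        senders_by_dom[(group, dom)].add(user)
    alerts = []
    for idx, (user, group, dom, size) in enumerate(events):
        if len(senders_by_dom[(group, dom)]) >= min_senders:
            continue  # recipient is common for this peer group, not a red flag
        others = [s for j, (_, g, _, s) in enumerate(events) if g == group and j != idx]
        if len(others) < 2:
            continue  # too little peer data to form a baseline
        threshold = mean(others) + z * pstdev(others)
        if size > threshold:
            alerts.append((user, dom, size))
    return alerts


if __name__ == "__main__":
    for hit in typosquat_candidates(INBOUND):
        print("possible typosquat:", hit)
    for alert in rare_recipient_volume_outliers(OUTBOUND):
        print("rare recipient with abnormal volume:", alert)
```

In production the peer-group baseline would be built from days or weeks of history rather than a handful of messages, and the edit-distance check is usually paired with a list of the organisation's own brand domains and its most frequent correspondents, since that is what attackers most often imitate.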
For more information and recommendations, please visit: https://www.securonix.com/securonix-threat-research-securing-your-remote-workforce-detecting-the-latest-cyberattacks-in-the-work-from-home-wfh-world-part-1/