How to Protect End-Users from Coronavirus-Related Cyber Threats with Threat Intelligence Feeds
17:47 09 April 2020
As the world battles the COVID-19 pandemic, coronavirus-themed phishing and malware campaigns are also on the rise, putting remote workers and their organizations at risk of data loss and, ultimately, revenue loss.
A recent report found around 4,000 newly registered coronavirus-related domains, about 3% of which showed signs of malware involvement. The same report attributed some 2,500 system infections to just two malware strains delivered by coronavirus-themed emails. Other emerging trends include theft of remote-access credentials and charity fraud, with attackers relying on email thread hijacking and weaponized document attachments to get in.
Cybercriminals are known to capitalize on world events, and crises are no exception. Overall, experts observed a 600% increase in attack indicators between February and March. A rise of that size can overwhelm a security team that triages indicators by hand. Threat intelligence feeds can help stop these campaigns before they do damage inside corporate networks. Let's look at how.
How Threat Intelligence Feeds Can Help
Threat intelligence feeds such as those provided by Threat Intelligence Platform (TIP) enable analysts to enrich the indicators of compromise (IoCs) they observe on their networks, such as the domains in inbound email and proxy logs. TIP derives a domain's reputation score from a hosting-configuration analysis that examines domains, email addresses, and IP addresses along the following dimensions:
- IP resolution
- WHOIS records
- Website content
- Mail exchange (MX) servers
- Name servers
- SSL/TLS certificate chains
Let's run the top-ranking domain, coronavirus[.]com, through the platform as an example. Its rich search-result snippets lend it credibility and could fool unwary users.
Things change when we look under the hood. The TIP report preview hinted at several red flags, including malware detected on the site. The first part of the analysis was unremarkable: the report raised no warning about the IP addresses the site resolves to, merely listing the several addresses behind it, which on its own is nothing out of the ordinary.
The report also listed several other domains hosted on the same IP addresses as the domain under study. On closer inspection these connected domains look sketchy (see the screenshot below): they have nothing to do with the analyzed site or with any healthcare or government institution. Co-hosting alone is a weak signal, since shared hosting is common, but it adds to the picture.
Now let's move on to the website content analysis part of the report. The tool flagged the site's content as potentially dangerous because it performs redirects. Redirects are common on legitimate sites, so that finding carries little weight by itself; the stronger strike against the site is that it contains links to URLs recorded in VirusTotal's suspicious-URL database.
Adding to the list of dubious characteristics is the domain's lack of MX records and of an SSL/TLS certificate. The domain was also registered offshore, in the Cayman Islands. None of these findings is conclusive on its own (many legitimate domains send no mail, and a registrant's jurisdiction is not evidence of wrongdoing), but together with the malware and VirusTotal findings they form a consistent pattern. A copy of the full TIP report is available here.
Based on these findings, security teams would do well to tag the domain as a malicious IoC and add it to their organization's blocklist so users cannot reach it. Before blocking, re-verify the key findings (the malware detection, the VirusTotal entries, the current hosting): a widely visited domain placed on a blocklist by mistake generates false positives and support tickets.
What about other domains? As a general countermeasure against coronavirus-themed email, organizations can integrate a threat intelligence platform with their security information and event management (SIEM) system and security orchestration, automation, and response (SOAR) stack. Every domain extracted from inbound mail or proxy logs is then enriched automatically, and domains whose reports show the same pattern of red flags as the example above are flagged or blocked in near real time instead of being examined one at a time by hand.
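As an added example (not code from the original post or from TIP), here is how the triage described in this section could be automated once a platform's enrichment results flow into a SIEM/SOAR pipeline: each of the checks listed earlier (IP resolution, WHOIS, website content, MX records, certificate) becomes a weighted weak signal, the sum yields a verdict, and "block" verdicts land on a blocklist while every verdict is logged as a SIEM event. The `Enrichment` record, the weights, the thresholds and the three sample domains are all constructed for this illustration and do not reflect the TIP report schema or vendor scoring; nothing is fetched over the network.

```python
"""Triage of domain indicators from the checks listed in the post (IP resolution,
WHOIS, content, MX records, certificate): each finding is a weighted weak signal,
the sum is a verdict, and verdicts are routed to a blocklist, a review queue and
SIEM events. All enrichment data is constructed; nothing is fetched from the TIP API."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Enrichment:
    """One domain's enrichment record (field names are this example's own)."""
    domain: str                  # defanged as in reports, e.g. coronavirus[.]com
    resolved_ips: List[str]
    cohosted_domains: List[str]  # other domains seen on the same IPs
    whois_country: str
    whois_created: date
    mx_records: List[str]
    has_tls_cert: bool
    enables_redirects: bool
    vt_suspicious_urls: int      # links into VirusTotal's suspicious-URL set
    malware_detected: bool


# Weights and thresholds are an illustrative assumption, not vendor scoring.
WEIGHTS = {"malware_detected": 60, "vt_suspicious_urls": 25, "newly_registered": 15,
           "no_tls_cert": 10, "sketchy_cohosting": 10, "enables_redirects": 5, "no_mx": 5}
BLOCK_AT, REVIEW_AT = 50, 20
NEW_DOMAIN_DAYS = 30     # registered within a month of observation
COHOST_THRESHOLD = 20    # shared hosting is normal; only a crowded IP counts


def refang(domain: str) -> str:
    """Turn a defanged report string (coronavirus[.]com) back into a blockable FQDN."""
    return domain.replace("[.]", ".").lower()


def score(e: Enrichment, observed: date) -> Dict:
    """Sum the weak signals a TIP-style report exposes into a verdict. Registrant
    country is deliberately not weighted: jurisdiction alone is not evidence."""
    reasons = []
    if e.malware_detected:
        reasons.append("malware_detected")
    if e.vt_suspicious_urls > 0:
        reasons.append("vt_suspicious_urls")
    if (observed - e.whois_created).days <= NEW_DOMAIN_DAYS:
        reasons.append("newly_registered")
    if not e.has_tls_cert:
        reasons.append("no_tls_cert")
    if len(e.cohosted_domains) >= COHOST_THRESHOLD:
        reasons.append("sketchy_cohosting")
    if e.enables_redirects:
        reasons.append("enables_redirects")
    if not e.mx_records:
        reasons.append("no_mx")
    total = sum(WEIGHTS[r] for r in reasons)
    verdict = "block" if total >= BLOCK_AT else "review" if total >= REVIEW_AT else "allow"
    return {"domain": e.domain, "score": total, "verdict": verdict, "reasons": reasons}


def to_siem_event(result: Dict, observed: date) -> Dict:
    """Flatten a verdict into a JSON-ready event (field names loosely follow ECS)."""
    return {"@timestamp": observed.isoformat(),
            "threat.indicator.type": "domain-name",
            "threat.indicator.url.domain": refang(result["domain"]),
            "threat.indicator.confidence": result["verdict"],
            "risk_score": result["score"],
            "reasons": ",".join(result["reasons"])}


def triage(records: List[Enrichment], observed: date) -> Dict[str, list]:
    """What a SOAR playbook does with the verdicts: block, queue for review, log all."""
    out = {"blocklist": [], "review_queue": [], "siem_events": []}
    for rec in records:
        res = score(rec, observed)
        out["siem_events"].append(to_siem_event(res, observed))
        if res["verdict"] == "block":
            out["blocklist"].append(refang(rec.domain))
        elif res["verdict"] == "review":
            out["review_queue"].append(refang(rec.domain))
    return out


OBSERVED = date(2020, 4, 9)  # the post's publication date, taken as observation time
# Constructed records: the first mirrors the red flags the post reports for
# coronavirus[.]com; the other two are invented contrasts on reserved .example names.
SAMPLES = [
    Enrichment("coronavirus[.]com", ["203.0.113.10", "203.0.113.11"],
               [f"host{i}[.]example" for i in range(25)], "KY", date(2012, 1, 15),
               [], False, True, 3, True),
    Enrichment("health-agency[.]example", ["198.51.100.5"], ["www.health-agency[.]example"],
               "US", date(2010, 3, 4), ["mx1.health-agency.example"], True, False, 0, False),
    Enrichment("covid-relief-fund[.]example", ["192.0.2.7"], [], "US", date(2020, 3, 30),
               [], False, False, 0, False),
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLES, OBSERVED), indent=2))
```

Running the file prints the triage result: the record mirroring coronavirus[.]com is refanged to a blockable hostname and lands on the blocklist, the freshly registered relief-fund domain (registered ten days before observation, no MX, no certificate) is queued for analyst review, and the long-established agency domain passes with a score of zero. Registrant country is stored but never weighted: jurisdiction alone is not evidence of malicious intent and blocking on it would produce false positives.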
Cybercriminals strike when their targets are weakest, but a world at a standstill does not mean organizations cannot fight back. Threat intelligence feeds let organizations raise their defenses against coronavirus-themed campaigns.
About the Author
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, an intelligence vendor trusted by over 50,000 clients.