A hacking group has launched a malicious phishing campaign that spoofs the Small Business Administration COVID-19 loan relief website for credential stealing and malicious redirects.
August 13, 2020 - The Department of Homeland Security Cybersecurity and Infrastructure Agency released an alert, detailing an ongoing phishing campaign spoofing the Small Business Administration (SBA) COVID-19 loan relief website to steal credentials and redirect users to malicious websites.
The alert also contained a list of the indicators of compromise (IOCs).
CISA is currently tracking the campaign, which is sending emails that contain malicious links tied to the spoofed SBA webpage. The emails have been sent to a range of Federal Executive Branch, and state, local, tribal, and territorial government agencies.
As seen in a longstanding data breach at the Minnesota Department of Human Services in 2017 that stemmed from a massive phishing campaign, these agencies are typically strapped for both resources and staff making it hard to quickly detect intrusions.
In the latest phishing campaign, the subject line includes “SBA Application – Review and Proceed” and is sent from the email address firstname.lastname@example.org. The messages urge the user to click on a hyperlink masked to appear tied to the SBA, but actually redirects the user to the malicious website.
The website contains a login page with a header that mimics the legitimate SBA site. When users input their information into the login form, the hacker is then able to harvest the credentials.
Hackers commonly steal credentials to use in later attacks, including brute-force attempts on vulnerable endpoints —an attack method that has drastically increased amid the COVID-19 pandemic. Stolen credentials are also used for account takeover. A previous DHS CISA alert warned of a new ransomware campaign that leverages stolen credentials to gain access through remote access systems.
Research shows there are currently 15 billion stolen credentials for sale on the dark web, stolen from more than 1,000 data breaches in the last two years.
To prevent falling victim to these serious attacks, CISA provided best practice guidance to bolster the overall security posture of the enterprise.
To start, administrators should include warning banners for all emails sent from outside of the organization. User permissions should be restricted from installing and running unwanted software applications, while only necessary users should be added to the local administrators group.
Systems must maintain up-to-date antivirus signatures and engines. Administrators should also ensure systems are operating under the latest security updates, along with enabling a personal firewall on agency workstations configured to deny unsolicited connection requests. Unnecessary workstation services and servers should also be disabled.
Administrators should employ tools for scanning and removing suspicious email attachments, which can ensure the scanned attachment is in its true file type. And all downloaded software should be scanned prior to its execution.
Users’ web browsing habits should also be monitored, while restricting access to any unfavorable content. Administrators need to maintain situational awareness when it comes to the latest threats, implementing strong Access Control Lists.
Healthcare organizations can review the identity management framework from the Health Information Sharing and Analysis Center to understand how to better manage identity and access controls across the enterprise.
Meanwhile, file and printing sharing services should be disabled when possible. If required, the services must require the use of strong passwords or the use of Active Directory authentication. A strong password policy must be applied across the enterprise.
Employees must be trained to exercise caution in opening any email attachments, even if the email was expected or the sender appears known to the user. Training should also include information about the need to exercise caution when using removable media, such as USB thumb drives.
Configuration changes should be reviewed prior to implementation to avoid any unwanted impacts. CISA also recommended the use of its free vulnerability scanning and testing service designed to support organizations that leverage internet-facing systems.
HEALTHITSECURITY - By Jessica Davis