Seyfarth Synopsis: In the past week, the cybersecurity community has seen a dramatic increase in the number of attacks being made on healthcare organizations around the globe. Despite the despicable nature of these attacks by malicious attackers trying to get rich off the suffering of others, there is a force of good that’s arisen from the cybersecurity community recently to help combat the threats.

The COVID-19 Cybersecurity Threat Intelligence League was formed by Ohad Zaidenberg last week, and has quickly grown into over 900 cybersecurity experts who are volunteering their time and experience to help healthcare organizations defend against the malicious threat actors. The group is comprised of malware researchers, white hat hackers, CISOs, cyber consultants, reverse engineers, coders, software providers, etc. Seyfarth’s own Richard Lutkus is involved with the group and is helping with cybersecurity related legal issues that members have. As part of the FBI’s InfraGard Special Interest Group for Legal, Richard is helping information be shared between law enforcement (including DHS, FBI, etc.) and private sector organizations.

One of the immediately useful results of the group’s collective wisdom is a publicly available list of IP addresses, URLs, file (hashes), and domains that are known to be related to COVID malware, ransomware, phishing, or other malfeasance. The link below contains each categorical list. Network administrators or cyber professionals can use these links to help protect their networks from these growing threats. It’s likely this list will be updated frequently. The list works by helping block malicious sites and applications from connecting the victim to the threat actor. When that connection fails, the malicious intent is frustrated. Thus, even when an employee accidentally clicks a malicious link, this can serve as a first line of defense to stop the malicious website from opening.

Beyond the list above, there is a major threat that has bubbled up to the surface recently.  In our prior article, we discussed the increase in remote workers being a threat to organizations. It appears that threat is being acted upon by malicious threat actors already. Seyfarth’s cybersecurity team is aware of over 767,000 computers around the world currently online that have exposed Remote Desktop Protocol (aka “RDP”) sessions and whose login credentials are being actively sold on the DarkWeb.  Typically, this service operates on port 3389 or 3390. Normally, having this exposed to the Internet is bad enough without source-IP limitations at the firewall level. However, because of a Microsoft bug (CVE-2019-0708) from last year relating to Remote Desktop, certain unpatched systems are extremely high risk if not patched.  We are seeing many unpatched systems, unfortunately, and now we have evidence of active exploitation of those systems.

While the list of currently vulnerable and exploited systems mentioned above cannot be shared publicly, if your organization is affected, you will likely hear from DHS of the FBI. Please share the above information with your CISO, CIO, CTO, or CSO (or anyone who fills that role for your organization) so that you can better defend against these ongoing threats.