Cyber Attackers Exploiting COVID-19

Increased teleworking has provided bad actors with the opportunity to exploit potentially vulnerable services, such as virtual private networks (VPNs).  The attacks may take several different forms.  The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) outlines attacks and suggested steps to prevent them.  Note that this is not an exhaustive list of all potential attacks that may occur.

Cybercriminals are using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities and deploying a variety of ransomware and other malware. Threats observed include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure,
  • Malware distribution, using coronavirus- or COVID-19- themed lures,
  • Registration of new domain names containing wording related to coronavirus or COVID-19, and
  • Attacks against newly deployed remote access and teleworking infrastructure.

The objective in many schemes is to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:

  • Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware.
    • -For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access, which is then used to install “CovidLock” ransomware on their device. 
  • Open a file (such as an email attachment) that contains malware.
    • -For example, email subject lines contain COVID-19-related phrases such as “Coronavirus Update” or “2019-nCov: Coronavirus outbreak in your city (Emergency)”

To create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with “Dr.” in their title. In several examples, actors send phishing emails that contain links to a fake email login page. Other emails purport to be from an organization’s human resources (HR) department and advise the employee to open the attachment. Malicious file attachments containing malware may be named with coronavirus- or COVID-19-related themes.

Exploitation of New Teleworking Infrastructure

Many organizations have had to rapidly deploy new networks and remote work in response to the COVID-19 epidemic. This includes VPNs and related IT infrastructure to shift their entire workforce to teleworking. Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several examples, actors have been observed scanning for publicly known vulnerabilities in Citrix. Similarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited. 

Malicious cyber actors are also seeking to exploit the increased use of popular communications platforms—such as Zoom or Microsoft Teams—by sending phishing emails that include malicious files with names such as “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” (# representing various digits that have been reported online). In addition, attackers have been able to hijack teleconferences and online classrooms that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.   For more information regarding teleconference attacks and security, click here.

The surge in teleworking has also led to an increase in the use of Microsoft’s Remote Desktop Protocol (RDP). Attacks on unsecured RDP endpoints (i.e., exposed to the internet) are widely reported online. The increase in RDP use could potentially make IT systems—without the right security measures in place—more vulnerable to attack. 


Malicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception.  Malactors are using the desire for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant. For information regarding the COVID-19 pandemic, use trusted resources, such as the Centers for Disease Control and Prevention (CDC), WHO, local public health departments, reputable news sites, etc.

Phishing Guidance for Individuals

The following are tips for you and your staff to recognize a phishing scheme:

  • Authority– Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.
  • Urgency– Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
  • Emotion – Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
  • Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.

More details on the types of phishing attacks being deployed and how to protect against them may be found in the full CISA alert at the link below.

CISA and the NCSC have developed the following resources to which you can direct your IT vendor/department/specialist for help in protect your organization from these types of attacks:

Refer here for the full document: