Situational Awareness – Coronavirus Cyber Compendium

Created: Thursday, April 30, 2020 - 12:51
Categories: Cybersecurity

Another week of coronavirus means another week of cyber activity regarding coronavirus. Today we bring you some scam highlights, key developments, and interesting research. We start off with some intriguing COVID-19 Key Developments from risk intelligence organization Flashpoint, including government responses, law enforcement actions, cybercrime activity related to coronavirus, and trends in mis/disinformation.

RDP attacks spike. With organizations rushing to open up remote access to support work-at-home staff, attackers have not been shy about exploiting insecure Remote Desktop Protocol (RDP) configurations to compromise corporate resources. Cybersecurity firm Kaspersky observed at the beginning of March that malicious RDP attempts were in the low hundreds per country, per day, but the volume grew to nearly 1 million attacks per day toward the end of the month in some countries; in other countries it spiked well above the million mark. According to the report, one of the most successful attack techniques is brute forcing weak credentials. Organizations that use RDP should adopt and enforce the use of strong passwords and multifactor authentication (MFA), and ensure that RDP is only accessible through a corporate VPN. Read more at SecurityWeek.

TrickBot tricks. Last week we highlighted Microsoft’s analysis indicating TrickBot is the leading payload in coronavirus-related attack campaigns. This week TrickBot is still up to its usual tricks. According to IBM X-Force Security Intelligence, there is a current TrickBot campaign targeting email recipients with fake messages purporting to come from the U.S. Department of Labor (DoL). To hook the victim into clicking, the phish is themed around the Family and Medical Leave Act (FMLA), which gives employees the right to medical leave benefits. This lure is the perfect COVID-19 social engineering storm: it leverages COVID-19, is financially appealing, and is very personal to many who find themselves struggling during this time. Read more at Security Intelligence.

Cyber fraud is alive and well. Research from cyber intelligence firm Intel 471 proves that cyber criminals do not have a heart and will exploit anything, no matter how tragic. Although one process (money-mule networks) is disrupted for now, it appears cyber criminals are profiting handsomely from the current situation, and any potential physical virus infections among cyber criminals have not hampered their efforts. Most notably, credit card fraud is alive and well. According to Intel 471, at least one actor claimed the current situation will make credit card fraud easier (presumably due to more small businesses moving online). Another actor speculated that the upcoming global economic recession (and resultant unemployment) will make it easier to recruit low-level accomplices such as money mules, which will likely more than make up for the current disruption. In complementary research, Europol also takes a look at what the cyber criminal landscape will look like after COVID-19. Read the findings at Intel 471.

Cyber defense approach for SLTT. Cybersecurity firm Tenable suggests a “whole of state” approach to the cyber defense strategy for state, local, tribal, and territorial (SLTT) governments in response to COVID. Tenable suggests that the more a state can take a team approach, get buy-in at all levels to the concept of collective defense, and even go a step further to include academia and the private sector, the better all organizations within that state can defend against cyberattacks on any one of them, and they can all reap benefits in lower costs and improved cybersecurity posture. This “whole of state” approach is also a great use case for information sharing organizations, such as WaterISAC. When peers come together in an information sharing community to share active defense strategies, the community is stronger as a whole. Read more at Tenable.