April 2021: FB-ISAO Physical Threat Level Remains SEVERE; Cyber Threat Level Remains GUARDED

This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the continuing threat of the COVID-19 pandemic and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE. While we are greatly encouraged with ongoing vaccine distribution, we anticipate this level being maintained until vaccines are more broadly administered and the infection and fatality trends are consistently moving in a downward direction. Recent increases domestically and concerning international variants, suggest the potential for a new surge remains. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.

The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exists, particularly with respect to scams using COVID-19 vaccinations, ransomware, and revenge motivated targeting across social media. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for on-going considerations regarding the Cyber Threat Level.

• Please refer to this post for an explainer on the FB-ISAO Threat Levels.
• Please see this 15 May 2020 post regarding the distribution of the FB-ISAO Pandemic Reopening Reentry Checklist. 
• Please refer to this CDC guidance for FBOs: Considerations for Communities of Faith, which is periodically updated (this update, 19 Feb 2021).

Concerns Regarding the Physical Threat Level. 

“Our work is far from over.  The war against COVID-19 is far from won.  This is deadly serious.”

President Biden, 29 March 2021

COVID-19 Pandemic. As we continue through this pandemic, FB-ISAO continues to strongly encourage members “hold the line”. By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter, and resume operations in accordance with, and not ahead of, state, local, and national guidance, directives, and restrictions. While the start of vaccine distribution is greatly encouraging, the threat persists across the U.S. and outbreaks continue. We remain cautious. Members are advised to respect and adhere to FSLTT guidance and, given varying procedures and permissions around the country regarding vaccines distribution, to follow  local, state, and CDC guidelines. 

While new cases and deaths have been moving in a positive direction, recent data points to small increases, with concerns regarding the potential threat of variants, such as that currently devastating Brazil. As of 29 Mar, the rate of new cases has continued to more slowly increase than it had in recent months and since the last reporting period we are approaching nearly two million new cases since our last assessment (28.1 million/3 million new cases to 30.1 million total cases and from 501,181 deaths as of 24 Feb to 546,704 as of 29 Mar). As of 24 Feb, The CDC reports that national ensemble forecasting “predicts that the number of newly reported COVID-19 deaths will remain stable or have an uncertain trend over the next 4 weeks, with 2,700 to 9,600 new deaths likely reported in the week ending April 17, 2021. The national ensemble predicts that a total of 558,000 to 578,000 COVID-19 deaths will be reported by this date.”

The distribution of vaccines is aggressively underway in the United States and increasing across the globe. While this is an exciting development, the distribution, the vaccination of most Americans, and achieving “herd immunity” will continue to take some time and preventive measures are still important as we move through these next few critical months.

The CDC is tracking continued mutations and infections by type of COVID-19, with concerns regarding variants from the UK, Japan/Brazil, South Africa, and two domestic variants from California. While vaccines seem to be effective against these variants, there are concerns that a variant may exist or develop which vaccines are not effective against. Based on current trends, and the rollout of the vaccines, we are hopeful that new cases and deaths will continue to decrease at an increasing rate in the weeks ahead, but we remain cautious and recognize the real potential for progress to potentially deteriorate.  

“…the United States, which saw over 30 million cases and 550,000 coronavirus deaths, is still a ways away from herd immunity: While 93 million people – 28 percent of the country – have received at least one vaccine dose, only 14.6 percent have been fully vaccinated.” 

The Washington Post, 29 Mar 2021

The coronavirus remains an active health threat with the continued possibility for local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. While many are feeling “pandemic fatigue” and a desire to return to normalcy, a decrease in vigilance and safety will only prolong recovery and the successful return to a more open and safe environment. 

Many FBOs have begun or continued phased reopening and by applying smart practices and safety measures, they have been able to avoid new outbreaks at their facilities and among their congregations. These successes are commendable. However, recognizing success should not lead to complacency or a false sense that the threat has passed. Outbreaks can happen quickly and lead to closures and broad infections, as has been observed in communities and FBOs around the country. For those that have been successful, we encourage you to maintain discipline and hold on to your success. 

“I’m going to pause here.  I’m going to lose the script.  And I’m going to reflect on the recurring feeling I have of impending doom.  We have so much to look forward to, so much promise and potential of where we are, and so much reason for hope, but right now I’m scared.”

CDC Director Walensky, 29 Mar 2021

As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives. We encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.

Other ongoing security concerns, include:

Hostile Events and the Targeting of FBOs, Both People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FBJ, including hate crimes such as spray-painting hate symbols and the destruction of statues, arson, and stabbings, it is important to note there are often connections to other issues and events and actions at FBOs. Relating to protests and for other issues, and sometimes for no clear grievance, FBOs have been targeted with a variety of types of aggression, violence, threats, and more. This is unlikely to change in our current environment. With the consistent incidents of arson and other destructive actions, from rock throwing to IEDs, we strongly recommend FBOs review their security operations, plans, and safeguards to reflect the unique characteristics of those threats.  No cost/ low cost measures include securing or moving flammable materials away from buildings, ensuring smoke and fire alarms are in good working order, periodically checking grounds for suspicious or abandoned items, parcels, backpacks, boxes, and containers that could hide or disguise an IED, and having law enforcement and fire authority personnel walk through your facility and plans for additional safeguards.

Given the series of notable religious events and anniversaries underway and coming up, we consider a period of heightened concern for FBOs.

• 17 February was Ash Wednesday and will culminate with Easter on 04 April. In 2019, a complex coordinated terrorist attack that targeted churches and hotels on Easter morning resulted in 290 deaths and hundreds of injuries and on Palm Sunday 2021, an Indonesian church suffered a suicide attack suspected to have been the work of two Islamic State loyalists. Both attackers died and twenty worshippers were injured.  
  • In the Jewish Calendar, Passover began on 27 March and goes through 04 April.
  • For Muslims, Ramadan will occur from 12 April through 12 May.
  • 15 March marks the two-year anniversary of the Christchurch, New Zealand shooting. Two weeks ago, a 16-year-old was arrested in Singapore for planning to attack mosques on the anniversary of the attack in a similar fashion and with inspiration from the attacker.
• Domestic Extremism. On 27 Jan, the DHS released a National Terrorism Advisory System (NTAS) Bulletin “due to a heightened threat environment across the United States, which DHS believes will persist in the weeks following the successful Presidential Inauguration.  Information suggests that some ideologically-motivated violent extremists with objections to the exercise of governmental authority and the presidential transition, as well as other perceived grievances fueled by false narratives, could continue to mobilize to incite or commit violence.” FBOs, while not mentioned in the Bulletin, have continued to see threats and acts of violence at facilities around the country (not solely due to domestic extremism). FB-ISAO has reported on upcoming dates of concern, including upcoming political, religious, and social events that could be targeted by attackers or see protests, counterprotests, and escalated tensions and conflict. Please see the 17 Feb FB-ISAO Weekly Report and the 25 Feb FB-ISAO Advisory for some additional details and commentary.
• Protests (General). Since June of last year, we have expressed concern over the potential that protest activities will continue to pose direct and indirect threats to FBOs. Observed throughout 2020 and noted in previous threat assessments and FB-ISAO reporting, whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. We continue to assess protests may pose direct and indirect risks to FBOs. Among other issues, the beginning of the trial process relating to the death of George Floyd began on 29 March. This process, expected to continue into the fall, may lead to local (Minneapolis) and solidarity protest events.
• Vaccine-Related Protests. If an FBO becomes involved in vaccine distribution / administration, there is the potential that anti-vaccination protests could develop, or that disturbed/disgruntled people could attack vaccination centers. DHS has stated that, “Organizations involved in the development and distribution of the COVID-19 vaccine should take proactive measures to enhance their overall physical security posture,” and shared security measure guidance as well as the 26 Feb release of the COVID-19 Vaccine Points of Distribution Physical Security Action Guide . We assess this to be a low-level threat but one for FBOs to consider as they may be involved in vaccine distribution and related activities. To date, we have not observed incidences of violence connected to vaccine distribution, but fraud, willful destruction of vaccines, diversion and theft have been reported. 
• Disgruntled Individuals. In addition to other issues that may excite some individuals to violence, individuals who do not agree with positions taken by an FBO during periods of closure and reopening may act against those organizations or others. We have continued to see various protests and violent actions aimed at COVID restrictions and individuals enforcing safety procedures and these are regularly reported in the FBJ. Last updated on 01 Sep, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, some individuals have demonstrated heightened sensitivities regarding these issues and have not responded well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors. Effective ways to safely engage individuals and de-escalation training could help prepare frontline personnel.
• Conspiracy Theories. While the motivation behind the Christmas Day 2020 Nashville attack is still not clear, it is possible that conspiracy beliefs / misinformation-related anxiety (i.e., 5G concerns) could have played a part. Already, there has been misinformation alleging the explosion was an attempted government cover-up to hide election fraud, and other such theories. It is possible that, inspired by Nashville and perhaps with additional motivations such as political frustrations and concerns relating to the COVID vaccines, others may be inspired to action. There is some concern around upcoming dates and conspiracy theories; see above for more.
• Severe Weather. As the severe weather in Texas and across the country in February demonstrated, leaders need to avoid complacency and respect the impact that potential severe weather can have, on FBOs and our communities where FBOs may serve during response and recovery activities. Tornadoes and flooding have led to death, injury and destruction in areas of the country and we are nearing the start of the 2021 hurricane season and will soon be contending with wildfires and other seasonal challenges. Members are encouraged to use this time to review business operations and continuity plans and to prepare for appropriate local seasonal threats. 

For consideration:

• Security Bias. As each of us carries a variety of beliefs, opinions, politics, and ideologies, we are reminded of the importance for us to challenge our own biases and tendencies to exaggerate some threats while downplaying others. Members, along with our staff, are encouraged to challenge ourselves and to critically assess perceived threats to avoid “security blindness” where our own biases may lead to misunderstanding threats, risks, and appropriate preparedness to the variety of threats in our environment. In March, FB-ISAO ORG member Ed Heyman discussed media literacy sharing important perspective for analysts and security leaders. The link to that recording has been distributed.
• Vigilance. As always, those responsible for FBO security should remain vigilant and alert, not only to threats or acts of violence in your area, but to any changes in adversary tactics, training, or capabilities that could defeat or diminish the effect of your organization’s security or threat mitigations.

Concerns Regarding the Cyber Threat Level

FB-ISAO assess the current overall volume of coronavirus-related cyber attack campaigns remains stable with the predominate scams still leveraging vaccination-titled lures. Overall, the current volume of attacks is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic, associated concerns, distractions, and the need to not become complacent.

Members are encouraged to regularly review the #cybersecurity_general channel in FB-ISAO Slack for a general level of awareness to on-going cyber threats and incidents, such as vulnerabilities and exploits to IT infrastructure. Likewise, it is important to continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal and #cybersecurity_general Slack channel. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.

As we offer the constant reminder that WE ARE ALL TARGETS of opportunity, the following are general considerations for continued vigilance:

• Ongoing exploitation of Microsoft Exchange vulnerabilities. If your POW maintains on-premise Microsoft Exchange Servers and you have not patched yet, you should operate on the assumption that your environment has been compromised and it is HIGHLY recommended that you investigate for potential compromise concurrently while patching. Microsoft recently published updated analysis and concerns of the most common threats leveraging the recent Exchange vulnerabilities, including the web shells, ransomware, cryptocurrency mining, and credential theft. The post also includes best practices to mitigate against exploits and post-compromise attacker activity. Most notable in the post is that many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement. Members are encouraged to read the entire post at Microsoft.
• Hate-motivated cyber attacks. In the Risk Awareness report for 15 March 2021, Advanced Intelligence, LLC (ADVINTEL) reported that conservative Christian and Muslim communities were directly targeted for their religious affiliations. Gab, an often perceived prominent conservative Christian app suffered a data breach of 70 Gb and the Ahmadiyya Muslim Community withstood a large-scale hate campaign across multiple platforms. Additionally, in the 22 March 2021 Risk Awareness report, ADVINTEL provided information regarding “an ongoing phishing and spyware distribution campaign targeting Sikhs in India.” The attack was reported to be politically motivated, targeting Sikhs for their political inclinations.
• “Zoombombing”/meeting bombing. Faith-based organizations continue to experience “Zoombombing” incidents. Current religious celebrations could potentially inspire unsavory individuals to join events. To mitigate this threat, members are encouraged to download the Center for Internet Security’s Videoconferencing Security Guide for guidance and best practices for holding videoconferencing events to reduce the risk from being Zoombombed.
• Malware. Faith-based organizations are not immune to malware infections. ADVINTEL has reported on multiple malware infections from ZLoader that have impacted FBOs. ZLoader is malware known to steal financial-related information. ADVINTEL has observed a notable increase in ZLoader activity since the beginning of the pandemic. Given the vast amounts of financial and personally identifiable information (PII) transacted, faith-based organizations are an attractive target for financial-related fraud, including malware and ransomware designed to steal data.
• Ransomware. Ransomware continues impacting organizations of all types and sizes. Recently, FB-ISAO became aware of another ransomware incident at a POW. This incident involved the Conti ransomware group claiming to have compromised the FBO and published five percent of the victim’s stolen data. As stated above, POWs are attractive ransomware targets for the valuable financial and personally identifiable information (PII) they collect. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs and discuss necessary actions should ransomware impact your organization or third party partners. For more on ransomware preparedness and response, see the Ransomware Guide from CISA and the MS-ISAC.
• #BlueLeaks. We continue to stress the need to exercise vigilance when receiving communications purporting to come from any impacted organization, including FB-ISAO, fusion centers, and law enforcement entities. See FB-ISAO Weekly Advisory for 23 December 2020 and the FB-ISAO Advisory emailed to members on 14 January 2021.
• Phishing. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), whaling (targeting of high-profile targets), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat.
  • Be on your guard for scams trying to take advantage of the confusion surrounding COVID-19 Vaccine Distribution. Visit the FTC for a post and infographic on how to avoid vaccine-related scams. Likewise, with places of worship participating as vaccination distribution sites, scams could have direct impact on the faith-based community if actors leverage/impersonate specific organizations to give their scams credibility.
• Third party risks. Members are encouraged to exercise due diligence when implementing any third party products and services. Please contact our team for more information on vendor risk management.
• Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including post-election activity. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 Rumor vs. Reality resources, including the Election Security Resource Library.
• Work-from-home. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library. Likewise, for more considerations, visit FB-ISAO’s report on Securing Your Organization Beyond COVID.

Please contact our team with any questions, needs for information, assistance, or any other concerns.

• We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates, and ideas on what other organizations are doing.
• Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.

This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.