October 2020: FB-ISAO Physical Threat Level Remains SEVERE; Cyber Threat Level Remains GUARDED

This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the ongoing threat of the COVID-19 pandemic and the approaching U.S. winter season and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE and anticipate this level being maintained until a decrease in the threat of the pandemic (such as via an effective vaccine being administered) and / or the end of the winter health threats. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.

The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for more statements regarding the Cyber Threat Level.

• Please refer to this post for an explainer on the FB-ISAO Threat Levels.
• Please see this 15 May post regarding the distribution of the FB-ISAO Pandemic Reopening Reentry Checklist.

COVID-19 Pandemic. As we continue through this pandemic, with the continued possibility of having to move back to more stringent local restrictions based on events in our communities, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. Especially during the start of flu season, and the likely confluence of COVID-19 and annual influenza threats, members are advised to respect and adhere to FSLTT guidance.

After the summer spike, we were encouraged by a slower trend of decreasing cases. However, at the time of this assessment, COVID-19 cases are increasing, and daily deaths are not notably decreasing.  As of 24 Sep, there are over a million new cases since our last assessment (from 5.75 million cases in the U.S. and nearly 178,000 deaths to 6.87 million cases and 200,275 deaths) and as of 17 Sep, the CDC reports that the national ensemble forecasting “predicts that 3,000 to 7,100 new deaths will likely be reported during the week ending October 10, 2020. The national ensemble predicts that a total of 207,000 to 218,000 COVID-19 deaths will be reported by this date.” The likelihood of a broad second wave of COVID-19 remains very possible,  particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks. As noted above, this is further complicated by annual flu season, which has the potential to complicate and overwhelm healthcare professionals and facilities. Some have referred to this as a potential “twindemic” – meaning the continuation of the COVID-19 pandemic and the start of flu season.

While there is a lot of conflicting reporting and varied assessments regarding the threat, and as both personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. Especially with the resumption of K-12 and higher education, couple with upcoming holidays that often include larger gatherings of friends and families, we remain in a higher risk period. As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.

Also important to note, as the 2020 election season continues, the pandemic, government data and guidance and other information are being politicized and questioned – some valuably, some politically, and some deliberately by those who seek to cause confusion and harm via disinformation activities. Again, we encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.

Beyond the explicit health threat, we have other security concerns, including:

• Protests. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” In the ensuing months, we have seen that come to fruition and be further complicated by several additional incidents of excessive use of force resulting in death or serious injury as well as the 23 Sep Breonna Taylor decision. FBOs and people of faith have experienced acts of violence and vandalism from varied actors. Whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. Given recent events, ongoing protests, a tense political election season, and other considerations, we continue to assess protests may pose direct and indirect risks to FBOs.
• Hostile Events and the Targeting of African-American People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FB-ISAO Daily Journal, including hate crimes including spray-painting hate symbols and the destruction of statues, it is important to note there are often connections between other issues and events and actions that may be taken at FBOs. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” In the ensuing months, we have seen that come to fruition and be further complicated by several additional incidents of excessive use of force resulting in death or serious injury. Threats and hostile events have occurred at FBOs, to include predominantly African-American churches such as in Virginia and Kentucky. As Black Lives Matters broadly and Breonna Taylor decision-related and associated protests continue, this remains a concern. Underscoring these concerns, a 30 Aug arrest for attempted arson, burglary of a building and criminal mischief followed a Texas man’s suspected attempt to damage a predominantly African American church in Queen City, Texas. Other acts of vandalism and destruction have occurred at FBOs relating to racial issues.
• Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. We have continued to see various protests and violent actions aimed at individuals enforcing safety procedures. On 24 Aug, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.

“Many… violent extremists, both domestic and international, are motivated and inspired by a mix of ideological, sociopolitical, and personal grievances against their targets, which recently have more and more included large public gatherings, houses of worship… Trends may shift, but the underlying drivers for domestic violent extremism—such as perceptions of government or law enforcement overreach, sociopolitical conditions, racism, anti-Semitism, Islamophobia, misogyny, and reactions to legislative actions—remain constant. As stated above, the FBI is most concerned about lone offender attacks, primarily shootings…” – FBI Director Wray, in remarks to the U.S. Senate in September 2020.

• U.S. Elections and Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, or relating to other emotional topics, such as the removal of statues and monuments, can lead to a highly-charged atmosphere and pose associated risks to FBOs in the area which may not be directly targeted by indirectly implicated. During both the Democratic and Republican political conventions, the community of faith was one of significant attention. As election-related activities and rhetoric increase in the final weeks of the election season, it is possible that political rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO. Additionally, given the possibility of a prolonged period of time to identify winners from November’s elections, tensions may be elevated for some time, and after results are announced. FBOs should remain mindful of local events and tensions as they assess threats and security needs.
• The Winter Holiday Season. As we move into fall, holidays and celebrations continue, with annual major events from Thanksgiving to December’s Hanukkah (10-18 Dec), Christmas Eve / Christmas Day (24, 25 Dec) and New Year’s events, the possibility of potential targeting of FBOs and people of faith may increase. At this point, it is difficult to anticipate how holiday events may be conducted, and what the political and protest environments may be like at those times.

Regarding the Cyber Threat Level, FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and the pre-pandemic frequency of non-coronavirus lures is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.

Comment on #BlueLeaks: While there is nothing significant to report, due to members’ close partnerships with all impacted entities, including FB-ISAO, fusion centers, and law enforcement, this incident still represents a threat from actors who may try to leverage those trusted relationships in the future to phish (email or phone) for more information. We continue to stress the need to exercise extreme vigilance when receiving communications purporting to come from any impacted organization, particularly ones in your region.

Additional considerations for continued increased vigilance:

• Ransomware running rampant. Municipalities, education institutions, healthcare, and mega-corporations are not the only organizations to experience ransomware infections. During the past two weeks, multiple houses of worship and other faith-based organizations have fallen victim – see FB-ISAO Cyber Advisory, 17 September 2020 for a discussion on two houses of worship that we became aware of at that time. The scope of the attacks has included the encryption (file/system locking) component and the data breach/leak component, as has become commonplace in recent months. Prior to ransomware adopting the data breach paradigm, organizations likely only experienced a service impact while the third party victim recovered from the unfortunate incident. Nowadays, every organization carries a risk from a ransomware attack on a contracted third party. Data leaked from third parties could be used in spearphishing against all partners in the victim’s supply chain for a variety of goals, including distributing more ransomware. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs, or at least discuss necessary actions should ransomware impact your organization or one of your third party partners. This Forrester report provides some salient points about dealing with ransomware.
• Zoombombing. Faith-based organizations continue to experience “Zoombombing” incidents. While these incidents are indeed disturbing and often heart-wrenching, Zoom and other video-conferencing providers have made great strides to provide the settings, even default settings necessary to significantly reduce occurrences of such lewd and disrupting attacks. Many Zoombombing incidents occur due to public posting of meeting links and often deficient procedures when hosting such videoconferencing events. A spokesman involved in an incident over the weekend took onus by stating, “As a result we have increased our security and changed our processes and are confident that all future meetings can go ahead without any further issues.” Members are encouraged to review the security settings on their video-conferencing platforms and apply best practices and procedures to reduce the risk from this prevalent disturbance. Most vendors have published tips for maintaining secure meetings and FB-ISAO has previously shared tips for securing online events. Please contact our team with questions.
• Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including elections. Disinformation is being increasingly spread by various entities for disruption, deceit, and even to discredit legitimate government efforts, including the integrity of American elections. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 resources, including the Disinformation Stops With You infographic to better understand the evolving threats to the election systems.
• Emotet – Beating a Dead Trojan Horse. Despite the title, Emotet is far from dead. The title is meant to grab your attention because the persistence of this epoch of everybody’s everlasting email enemy remains worthy of mention, again. There have been numerous reports from fusion centers, partner ISAC’s, and others reporting a notable increase in Emotet phishing activity during the past week. Emotet is a virulent email threat often used to spread additional malware, including ransomware. Emotet is complex in its functionality and crafty in its campaigns. One of the most notable behaviors is its ability to hide in plain sight by hijacking existing email threads and attachments to emulate something you expect to receive in your inbox. If you receive messages with attention grabbing subjects such as, “Termination list,” “Can’t call you,” “Annual bonus report is ready,” “Payment Remittance Advice” or similar invoice-themed, it might just be Emotet. If you are seeing those subjects or similar, please report what you are seeing to FB-ISAO. Likewise, members are reminded to keep staff and volunteers aware of this and similar phishing attacks. The NCSAM resources below are great tools to help with security awareness.
• Zerologon/Microsoft Netlogon Remote Protocol Vulnerability. “Zerologon,” a vulnerability affecting Microsoft’s Netlogon Remote Protocol that Microsoft provided a patch for in August is getting a lot of attention from both the security community and attackers. Likewise, there has been significant exploit activity observed concerning this critical vulnerability. Multiple alerts, advisories, and research have been published urging administrators to “patch now.” This vulnerability is rather trivial to exploit and a successful compromise will take complete control over your network domain. Given the advisories, a CISA Emergency Directive 20-04 – “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday,” and what some researchers consider the most dangerous bug revealed this year, members are urged to ensure their IT teams/managed service providers (MSPs) address this vulnerability now, if they have not already. Microsoft has published updated guidance on applying the patch.

We offer a constant reminder that we are all targets of opportunity. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat.

• Continue enabling/encouraging remote staff to work securely. As organizations consider a prolonged or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure remote work environment. Staff who continue working remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
• Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination. Likewise, with October being National Cybersecurity Awareness Month (NCSAM), members are encouraged to check out associated NCSAM resources, “Do Your Part. #BeCyberSmart.”, and join FB-ISAO as an NCSAM 2020 Champion!

Please contact our team with any questions, needs for information, assistance or any other concerns.

• We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
• Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.

This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.