This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The ongoing COVID-19 global pandemic is a complex and blended threat that impacts members and the broader faith-based and charity community in numerous ways. We have determined to maintain our current threat level assessments at this time, with updated comments. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and will make future updates as may be appropriate.
The TIG has determined to maintain the Pandemic Threat Level at “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal. While we are well aware of the specific threat of the pandemic, we do not believe that a serious nationwide U.S. outbreak at this time is likely, though the possibility of localized outbreaks remains, especially given the Delta and fast-spreading Omicron Variants and in areas where the population has low vaccine levels, as is being observed in various areas around the country right now. The success of vaccinations and availability of boosters has been encouraging, and the Omicron Variant – while fast-spreading – appears to be a milder threat. With a significant portion of the population remaining unvaccinated and unlikely to get vaccinated; uncertainty regarding virus variants, vaccine resilience and associated breakthrough cases; increasing workforce reentry; school districts returning to live, in-person instruction; and other considerations, the country could still see surges in some areas that could become problematic. Reflecting this, New York and California have reimposed mandatory masking, albeit for a finite period, as a precaution. The TIG will continue to assess the Pandemic Threat Level regularly and provide updates accordingly.
The TIG has determined to maintain the Physical Threat Level as “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal. While we assess the general environment to be pointing towards a GUARDED posture, meaning FB-ISAO is unaware of any specific events, we also recognize a general risk of incidents exists. There continue to be a number of ongoing stressors that cause concern. Among those are stressors and potential sparks for conflict relating to COVID (masking, vaccines, safeguards, etc.), economic uncertainty (supply chain disruptions, shortages of holiday goods, inflation scares, job market concerns, etc.), polarizing issues, media and political hyperbole, the continued normalization of violence, and other considerations. These concerns are coupled with continued foreign ideological extremist and domestic extremist propaganda and encouragement for violence against an array of targets – to include people and places of faith. In addition to increasing levels of violence around the country we have seen recent domestic and international incidents (i.e., France, Indonesia) targeting the holidays. There are also the routine seasonal threat associated with the holidays, such as mass gatherings, holiday services and special events, etc., which create potential target rich environments and complex security situations. Vandalism of public Chanukah Menorah displays last month, continued vandalism of churches, mosques and synagogues, and the arson attack on the Fox News Christmas tree in NYC highlight the threat to religious properties and public holiday displays. Therefore, we continue to assess the Physical Threat Level as ELEVATED at this time. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general and pervasive risk of cyber attacks exists, particularly with respect to a recent vulnerability and exploitation impacting a widely used Java logging library maintained by the Apache Software Foundation called log4j. Current activity regarding log4j exploitation includes widespread mass scanning and customized targeted attacks, including from APT actors. Some groups are also deploying ransomware on systems that have been compromised. Log4j usage is ubiquitous among enterprise, cloud services, Internet-of-Things, and Industrial Control Systems networks. CISA estimates hundreds of millions of devices are impacted by this vulnerability. To determine the presence of and address the vulnerable log4j library within your environment, it may be necessary to reach out to your technology support team.
The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the ongoing threat of the COVID-19 pandemic and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE. While we are greatly encouraged with vaccine distribution, we anticipate this level being maintained until vaccines are more broadly administered and the infection and fatality trends are consistently moving in a downward direction. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exists, particularly with respect to scams using COVID-19 vaccinations, continued meeting bombing (Zoombombing) incidents, phishing using FB-ISAO’s likeness, scams using subjects for first of the year observance “Days.”. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for on-going considerations regarding the Cyber Threat Level.
Currently, we have two primary concerns regarding the physical threat level – the ongoing pandemic and the heightened threat environment relating to domestic extremism.
COVID-19 Pandemic. As we continue through this pandemic, FB-ISAO continues to strongly encourage members “hold the line”. By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter, and resume operations in accordance with, and not ahead of, state, local, and national guidance, directives, and restrictions. While the start of vaccine distribution is greatly encouraging, the threat persists across the U.S. and outbreaks continue. We remain cautious. Members are advised to respect and adhere to FSLTT guidance.
While we have passed a disastrous milestone with now over 500,000 COVID-related deaths, new cases and deaths are moving in a positive direction and the CDC’s national ensemble predicts continued decreases in both through February. The rate of growth in new cases and reported deaths has declined significantly after months of rapid acceleration. As of 24 Feb, the rate of new cases has been halved since the last reporting period we are approaching nearly six million new cases since our last assessment (from 25.2 million and six millions new cases to 28.1 million/3 million new cases and from 419,827 deaths to now 501,181 as of 24 Feb). As of 24 Feb, The CDC reports that “national ensemble predicts that the number of newly reported COVID-19 deaths will likely decrease over the next 4 weeks, with 4,300 to 12,600 new deaths likely reported in the week ending March 20, 2021. The national ensemble predicts that a total of 526,000 to 548,000 COVID-19 deaths will be reported by this date.”
The distribution of vaccines is underway in the United States and across the globe. While this is an exciting development, the distribution will take time and preventive measures are still important as we move through 2021. The CDC is tracking continued mutations and infections by type of COVID-19. Variations observed include those from the United Kingdom, South Africa, Nigeria, Zambia, and there are concerns regarding the development of additional variants in the United States, such as in Minnesota, California, New York, and elsewhere. While vaccines seem to be effective against these variants, there are concerns that a variant may exist or develop which vaccines are not effective against. Based on current trends, and the rollout of the vaccines, we are hopeful that new cases and deaths will continue to decrease at an increasing rate in the weeks ahead, but we remain cautious and recognize the real potential for progress to potentially deteriorate.
“the number of people hospitalized with COVID-19 in the U.S. has dropped by 80,000 in six weeks, and 17% of the nation’s adult population has gotten at least one dose of a vaccine”
The coronavirus remains an active health threat with the continued possibility for local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. While many are feeling “pandemic fatigue” and a desire to return to normalcy, a decrease in vigilance and safety will only prolong recovery and the successful return to a more open and safe environment.
Many FBOs have begun or continued phased reopening and by applying smart practices and safety measures, they have been able to avoid new outbreaks at their facilities and among their congregations. These successes are commendable. However, recognizing success should not lead to complacency or a false sense that the threat has passed. Outbreaks can happen quickly and lead to closures and broad infections, as has been observed in communities and FBOs around the country. For those that have been successful, we encourage you to maintain discipline and hold on to your success.
As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.We encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.
Domestic Extremism. The increasing tensions over the course of the 2020 election season came to a boil with the storming of the U.S. Capitol building on 06 Jan. From that event and given related concerns, on 27 Jan, the DHS released a National Terrorism Advisory System (NTAS) Bulletin “due to a heightened threat environment across the United States, which DHS believes will persist in the weeks following the successful Presidential Inauguration. Information suggests that some ideologically-motivated violent extremists with objections to the exercise of governmental authority and the presidential transition, as well as other perceived grievances fueled by false narratives, could continue to mobilize to incite or commit violence.” FBOs, while not mentioned in the Bulletin, have continued to see threats and acts of violence at facilities around the country (not solely due to domestic extremism). FB-ISAO has reported on upcoming dates of concern, including upcoming political, religious, and social events that could be targeted by attackers or see protests, counterprotests, and escalated tensions and conflict. Please see the 17 Feb FB-ISAO Weekly Report and the 25 Feb FB-ISAO Advisory for some additional details and commentary.
There could be potential activity relating to the idea of some QAnon believers that former President Trump will return to office and be sworn in on 04 March (read more here [Reuters] and here [Vox]), though this date is reportedly being downplayed among QAnon “influencers” now. While FBOs may not be a primary target of such beliefs and the associated angst, they could be, and could also be indirectly targeted by way of location and neighboring facilities.
There is continued concern that some extremists are still interested in conducting attacks in the Washington, D.C. area, possibly to coincide with the upcoming State of The Union (SOTU) address from President Biden (date, TBD). See NBC, among others, for more.
Other ongoing security concerns, include:
Hostile Events and theTargeting of FBOs, Both People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FBJ, including hate crimes such as spray-painting hate symbols and the destruction of statues, arson, and stabbings, it is important to note there are often connections to other issues and events and actions at FBOs. Relating to protests and for other issues, and sometimes for no clear grievance, FBOs have been targeted with a variety of types of aggression, violence, threats, and more. This is unlikely to change in our current environment. Given the series of notable religious events and anniversaries underway and coming up, we consider a period of heightened concern for FBOs.
17 February was Ash Wednesday and will culminate with Easter on 04 April. In 2019, a complex coordinated terrorist attack that targeted churches and hotels on Easter morning resulted in 290 deaths and hundreds of injuries.
In the Jewish Calendar, Passover begins on 27 March and goes through 04 April.
For Muslims, Ramadan will occur from 12 April through 12 May.
15 March marks the two-year anniversary of the Christchurch, New Zealand shooting. Two weeks ago, a 16-year-old was arrested in Singapore for planning to attack mosques on the anniversary of the attack in a similar fashion and with inspiration from the attacker.
Protests (General). Since June, we have expressed concern over the potential that protest activities will continue to pose direct and indirect threats to FBOs. Observed throughout 2020 and noted in previous threat assessments and FB-ISAO reporting, whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. We continue to assess protests may pose direct and indirect risks to FBOs. Among other issues, the beginning of the trial process relating to the death of George Floyd is set to being in March. This process, expected to continue into the fall, may lead to local (Minneapolis) and solidarity protest events.
Vaccine-Related Protests. If an FBO becomes involved in vaccine distribution / administration, there is the potential that anti-vaccination protests could develop, or that disturbed/disgruntled people could attack vaccination centers. DHS has stated that, “Organizations involved in the development and distribution of the COVID-19 vaccine should take proactive measures to enhance their overall physical security posture,” and shared security measure guidance as well as the 26 Feb release of the COVID-19 Vaccine Points of Distribution Physical Security Action Guide . We assess this to be a low-level threat but one for FBOs to consider as they may be involved in vaccine distribution and related activities. To date, we have not observed incidences of violence connected to vaccine distribution, but fraud, willful destruction of vaccines, diversion and theft have been reported.
Disgruntled Individuals. In addition to other issues that may excite some individuals to violence, such as the recent church IED noted above, individuals who do not agree with positions taken by an FBO during periods of closure and reopening mayact against those organizations or others. We have continued to see various protests and violent actions aimed at COVID restrictions and individuals enforcing safety procedures. Last updated on 01 Sep, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, some individuals have demonstrated heightened sensitivities regarding these issues and have not responded well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors. Effective ways to safely engage individuals and de-escalation training could help prepare frontline personnel.
Nashville Attack and Other Conspiracy Theories. While the motivation behind the Christmas Day 2020 Nashville attack is still not clear, it is possible that conspiracy beliefs / misinformation-related anxiety (i.e., 5G concerns) could have played a part. Already, there has been misinformation alleging the explosion was an attempted government cover-up to hide election fraud, and other such theories. It is possible that, inspired by Nashville and perhaps with additional motivations such as political frustrations and concerns relating to the COVID vaccines, others may be inspired to action. There is some concern around upcoming dates and conspiracy theories; see above for more.
Severe Weather. As the severe weather in Texas and across the country in February demonstrated, leaders need to avoid complacency and respect the impact that potential severe weather can have, on FBOs and our communities where FBOs may serve during response and recovery activities. We are now within 100 days of hurricane season and will soon be contending with annual spring flooding, fires, and other seasonal challenges. Members are encouraged to use this time to review business operations and continuity plans and to prepare for appropriate local seasonal threats.
For consideration:
Security Bias. As each of us carries a variety of beliefs, opinions, politics, and ideologies, we are reminded of the importance for us to challenge our own biases and tendencies to exaggerate some threats while downplaying others. Members, along with our staff, are encouraged to challenge ourselves and to critically assess perceived threats to avoid “security blindness” where our own biases may lead to misunderstanding threats, risks, and appropriate preparedness to the variety of threats in our environment.
Vigilance. As always, those responsible for FBO security should remain vigilant and alert, not only to threats or acts of violence in your area, but to any changes in adversary tactics, training, or capabilities that could defeat or diminish the effect of your organization’s security or threat mitigations.
Concerns Regarding the Cyber Threat Level.
FB-ISAO assess the current overall volume of coronavirus-related cyber attack campaigns remains stable with the predominate scams leveraging vaccination-titled lures. Nonetheless, the current volume is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic, associated concerns, distractions, and the need to not become complacent.
If you have not done so, we still encourage members to familiarize themselves with the FB-ISAO Weekly Advisory for 23 December 2020 regarding phishing activity using the likeness of FB-ISAO that could potentially be related to #BlueLeaks.
Finally, members are also encouraged to regularly review the #cybersecurity_general channel in FB-ISAO Slack for a general level of awareness to on-going cyber threats and incidents, such as vulnerabilities and exploits to IT infrastructure.
As we offer the constant reminder that WE ARE ALL TARGETS of opportunity, the following are general considerations for continued vigilance:
Continued “Zoombombing”/meeting bombing. Faith-based organizations continue to experience disturbing, heart-wrenching, and offensive “Zoombombing” incidents. In some cases, the disruptions are caused by people using congregants’ names. Many meeting bombing incidents occur due to public posting of meeting links and often deficient procedures when hosting such videoconferencing events. But in such cases where the disruptor is purporting to be a legitimate congregant, it is important for hosts to be prepared to immediately disable sharing options or better yet, eject the offender from the meeting. Members are encouraged to review the security settings on their videoconferencing platforms and apply best practices and procedures to reduce the risk from this prevalent disturbance. Most teleconference platform vendors have published tips for maintaining secure meetings and FB-ISAO has previously shared tips for securing online events. In addition, members are encouraged to download the Center for Internet Security’s Videoconferencing Security Guide for more guidance and best practices for mitigating this threat.
Malware. Faith-based organizations are not immune to malware infections. In a Partner Report sent to members on February 23, 2021, Advanced Intelligence (ADVINTEL) reported on a malware infection from ZLoader that impacted a family-run funeral home. ZLoader is malware known to steal financial-related information. ADVINTEL has observed a notable increase in ZLoader activity since the beginning of the pandemic. Given the vast amounts of financial and personally identifiable information (PII) transacted, faith-based organizations are an attractive target for financial-related fraud, including malware designed to steal data.
On-going ransomware attacks with subsequent leaked data. Ransomware continues impacting organizations of all types and sizes. Recently, FB-ISAO became aware and sent an Advisory on February 11, 2021 regarding a potential CLOP ransomware incident at a U.S. synagogue. In addition, actors responsible for Babuk/Babyk ransomware made a claim regarding charities/non-profits – indicating they would not extort “(a)ny non-profitable charitable foundation (except the foundations who help LGBT and BLM). As recent physical security events have shown, regardless of an FBOs position, that stance could pose a physical or cyber risk. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs and discuss necessary actions should ransomware impact your organization or third party partners. For more on ransomware preparedness and response, see the Ransomware Guide from CISA and the MS-ISAC.
#BlueLeaks.We continue to stress the need to exercise vigilance when receiving communications purporting to come from any impacted organization, including FB-ISAO, fusion centers, and law enforcement entities (see FB-ISAO Weekly Advisory for 23 December 2020). Furthermore, be cautious of any activity from entities attempting to “survey” individuals who have received emails from FB-ISAO and other impacted organizations (fusion centers and law enforcement entities) as highlighted in an FB-ISAO Advisory emailed to members on 14 January 2021.
Phishing. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), whaling (targeting of high-profile targets), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat.
Be on your guard for scams trying to take advantage of the confusion surrounding COVID-19 Vaccine Distribution. Visit the FTC for a post and infographic on how to avoid vaccine-related scams. Likewise, with houses of worship participating as vaccination distribution sites, scams could have direct impact on the faith-based community if actors leverage/impersonate specific organizations to give their scams credibility.
Furthermore, threat actors commonly leverage upcoming sales related to national holidays and observances. Members are urged to treat every sale and solicitation communication with suspicion.
SolarWinds. While the December disclosure of the SolarWinds Orion product compromise is presumed less likely to impact most FBO’s, a general threat still exists from similar third-party product/service compromises. Information on SolarWinds continues to be included in the Faith-Based Daily Journal and other //TLP:WHITE summaries sent by FB-ISAO since 13 December 2020. Additionally, information is available in a CISA Insights: What Every Leader Needs to Know About the Ongoing APT Cyber Activity. Members are encouraged to exercise due diligence when implementing any third party products and services. Please contact our team for more information on vendor risk management.
Vulnerabilities in church management software platforms. During January, we were made aware of at least two widely used church management software platforms that were impacted by potential cyber threats. At this time, we are currently unaware of any new vulnerabilities, but urge members to review prior reporting and address accordingly.
On 6 January 2021, in the FB-ISAO #general Slack channel, a notice was sent to all members regarding a malicious domain registration for the church management software platform Realm. Multiple variations of the login domain (onrealm [.] org) had been registered and members who use Realm were encouraged to block incoming email from the fictitious domains.
On 14 January 2021, the ADVINTEL Faith-Based Sector Intelligence Advisory includes information regarding two critical vulnerabilities in Rock RMS. Members that use Rock RMS are encouraged to read the report, apply available vendor patches immediately, and monitor for malicious activity from a potential compromise of the software.
Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including post-election activity. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 Rumor vs. Reality resources, including the Election Security Resource Library.
Continue enabling/encouraging remote staff to work securely. As organizations continue prolonged or permanent work from home models, it is important to promote a secure remote work environment. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library. Likewise, for more considerations, FB-ISAO recently published a report on Securing Your Organization Beyond COVID.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.
Please contact our team with any questions, needs for information, assistance, or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates, and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the ongoing threat of the COVID-19 pandemic and the approaching U.S. winter season and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE and anticipate this level being maintained until a decrease in the threat of the pandemic as vaccines are administered and a possible decrease of travel as the winter season and seasonal health threats pass. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist, particularly with respect to phishing using FB-ISAO’s likeness, the SolarWinds Orion/supply chain compromise, and scams using subjects for first of the year observance “Days” and COVID-19 vaccinations. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for on-going considerations regarding the Cyber Threat Level.
At this time, we have two primary concerns regarding the physical threat level – the ongoing pandemic and the heightened threat environment relating to domestic extremism.
COVID-19 Pandemic.
As we continue through this pandemic, with jurisdictions around the country and internationally having moved back and forth between local, state and national restrictions based on the continued surge of COVID-19, FB-ISAO continues to strongly encourage members “hold the line”. By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. While the arrival of vaccines is greatly encouraging, the threat persists across the U.S.; members are advised to respect and adhere to FSLTT guidance.
The pandemic has continued to surge and, though a decrease in new cases has occurred since mid-January, deaths remained at peak levels with a slight decrease. As of 21 Jan, we are approaching nearly six million new cases since our last assessment (from 19.43 million cases to 25.2 million and from 337,419 deaths to now 419,827) and as of 25 Jan, the CDC reports that the national ensemble forecasting predicts significantly increasing numbers of anticipated deaths with “13,500 to 25,000 new deaths likely reported in the week ending February 20, 2021. The national ensemble predicts that a total of 479,000 to 514,000 COVID-19 deaths will be reported by this date.” Based on current behaviors and trends and the still slow rollout of the vaccines, the surge in cases and deaths will continue through the winter before an anticipated tapering off as we move towards spring.
“Our plan will take time… Despite our best intentions, we’re going to face setbacks.” – President Joe Biden, as quoted by The Hill, 27 Jan.
The distribution of vaccines is underway in the United States and across the globe. While this is an exciting development, the distribution will take time and preventive measures are still important as we move through 2021. As recently observed, there are continued mutations of COVID-19, such as the variations from the United Kingdom, South Africa, and Nigeria, as well as other variations developing in the United States and elsewhere. While vaccines seem to be effective against these variants, there are concerns that a variant may exist or develop which vaccines are not effective against. Exacerbating the existing challenges is the increasing challenge of “pandemic fatigue,” as Americans grow tired of restrictions and seek to return to normalcy. While understandable, a decrease in vigilance and safety will only prolong recovery and a return to a more open and safe environment.
While there is a lot of conflicting reporting and varied assessments regarding the threat, and as both personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains a very active health threat with continued local outbreaks or broader flare-ups, with more potential concerns particularly if established best practices such as social distancing and mask wearing are not followed. FB-ISAO assesses that we remain in a high-risk period.
Worth noting, many FBOs have begun or continued phased reopening and by applying smart practices and safety measures, they have been able to avoid outbreaks at their facilities and among their congregations. These successes are commendable but recognizing success should not lead to complacency or a false sense that the threat has passed. As we wrestle with pandemic fatigue and the continued surge in cases, we need to avoid the danger of overconfidence. Outbreaks can happen quickly and lead to closures and broad infections, as has been observed in communities and FBOs around the country. For those that have been successful, we encourage you to maintain discipline and hold on to your success.
As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.
Again, we encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.
Domestic Extremism.
The increasing tensions over the course of the 2020 election season came to a boil with the storming of the U.S. Capitol building on 06 Jan. From that event and given related concerns, on 27 Jan, the DHS released a National Terrorism Advisory System (NTAS) Bulletin “due to a heightened threat environment across the United States, which DHS believes will persist in the weeks following the successful Presidential Inauguration. Information suggests that some ideologically-motivated violent extremists with objections to the exercise of governmental authority and the presidential transition, as well as other perceived grievances fueled by false narratives, could continue to mobilize to incite or commit violence.” FBOs, while not mentioned in the Bulletin, have continued to see threats and acts of violence during this period of escalated threat. As noted in recent Faith-Based Daily Journal (FBJ), FBOs – Jewish and Muslim – have received threatening letters, and a recent explosive attack at a California church, along with many continued cases of destruction, vandalism and arson, show individuals may progress through the Hostile Events Attack Cycle and move towards taking action. The IED occurred at a “conservative” church that had spoken out against LGBTQ issues, and threats had been received by “progressive” churches leading up to the Inauguration, showing there are threat actors of all stripes and all types of FBOs may be potentially be targeted by extremists.
With notable events and dates coming up (i.e., former President Trump’s potential impeachment trial, 04 Mar [previous presidential inauguration date associated with ongoing conspiracy theories]), there may be additional flashpoints in the weeks ahead.
De-platforming. With mainstream social media like Twitter and Facebook taking action against extremism, and with the shutdown of Parler, some have moved to alternative platforms such as Discord, MeWe and Telegram, among others. This can make intelligence collection more challenging, even as it may make coordination for events more challenging as well. Breakdowns in communications cause disruption for groups and the authorities tracking them alike; and absent the brakes that group communications can have on violence-prone members, splinter factions and rogue actors may choose to launch attacks on their own.
As members consider their security posture with regards to enduring and evolving physical security threats, they are encouraged to consider that recent events have demonstrated the variety and types of common objects (from fence posts to hockey sticks to bike racks to flagpoles, etc.) and improvised explosives that are readily available to would-be violent actors and the ease with which they could be used against Houses of Worship and other FBOs. Whether a deliberate attack or an escalation from a protest or other mass gathering, such items have the potential to be turned into improvised weapons and battering rams. Members may want to consider how well existing mitigations stand up to a potential siege-like assault. Members are encouraged to consider items such as bollards, ballistic film-reinforced windows and doors, gates, locks, lights, cameras and other security measures. Whether relating to protests on controversial issues or positions an FBO may be associated with, use of a facility for vaccine distribution, high-profile guests that could lead to security concerns (see this recent example, “ Lauren Boebert cancels meeting at Colorado church over security concerns,” 30 Jan), or other potentially trigger, the events at the Capitol, as well as routine violence and vandalism at FBOs, have shown that escalation can occur quickly and violently. Members are encouraged to consider recent events and the NTAS Bulletin with respect to their security operations and preparedness.
Beyond the explicit health threat, we have other security concerns, including:
Protests (General). Since June, we have expressed concern over the potential that protest activities will continue to pose direct and indirect threats to FBOs. Observed throughout 2020 and noted in previous threat assessments and FB-ISAO reporting, whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. We continue to assess protests may pose direct and indirect risks to FBOs. With continued frustrations over the 2020 elections or with new frustrations that may develop with an incoming presidential administration, protests may again flare-up in the weeks ahead. One upcoming notable date is 08 Mar, when the trial of at least one of the police officers – Derek Chauvin – charged in the death of George Floydis expected to begin.
Vaccine-Related Protests. If an FBO becomes involved in vaccine distribution / administration, there is the potential that anti-vaccination protests could develop or that disturbed/disgruntled people attacking vaccination centers. DHS has stated that, “Organizations involved in the development and distribution of the COVID-19 vaccineshould take proactive measures to enhance their overall physical security posture,” and shared security measure guidance. We assess this to be a low-level threat but one for FBOs to consider as they may be involved in vaccine distribution and related activities. To date, we have not observed incidences of violence connected to vaccine distribution, but fraud and theft have been reported.
Disgruntled Individuals. In addition to other issues that may excite some individuals to violence, such as the recsnt church IED noted above, individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. We have continued to see various protests and violent actions aimed at COVID restrictions and individuals enforcing safety procedures. Last updated on 01 Sep, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, some individuals have demonstrated heightened sensitivities regarding these issues and have not responded well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors. Effective ways to safely engage individuals and de-escalation training could help prepare frontline personnel.
Nashville Attack and Other Conspiracy Theories. While the motivation behind the Christmas Day 2020 Nashville attack is still not clear, it is possible that conspiracy beliefs / misinformation-related anxiety (i.e., 5G concerns) could have played a part. Already, there has been misinformation alleging the explosion was an attempted government cover-up to hide election fraud, and other such theories. It is possible that, inspired by Nashville and perhaps with additional motivations such as political frustrations and concerns relating to the COVID vaccines, others may be inspired to action. There is some concern around upcoming dates and conspiracy theories. Perhaps most notably, there could be potential activity relating to the idea of some Qanon believers that former President Trump will return to office and be sworn in on 04 March(read more). While FBOs may not be a primary target of such beliefs and the associated angst, they could be, and could also be indirectly targeted by way of location and neighboring facilities.
Hostile Events and theTargeting of FBOs, Both People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FBJ, including hate crimes such as spray-painting hate symbols and the destruction of statues, arson and stabbings, it is important to note there are often connections between other issues and events and actions that may be taken at FBOs. Relating to protests and for other issues, and sometimes for no clear grievance, FBOs have been targeted by a variety of types of aggression and violence – at facilities, on statues, with threats, and more. This is unlikely to change in our current environment. Further, Europe has seen several low-tech terrorism attacks conducted by violent jihadists. While such attacks have not occurred recently in the U.S., terrorist propaganda continues to promote attacks and it is possible would-be jihadists could seek to conduct attacks domestically, and potentially aimed at FBOs, as has been observed overseas.
Concerns Regarding the Cyber Threat Level.
FB-ISAO assess the current overall volume of coronavirus-related cyber attack campaigns remains stable with the predominate scams leveraging vaccination-titled lures. Nonetheless, the current volume is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic and associated concerns and distractions. Additionally, members are highly encouraged to familiarize themselves with the FB-ISAO Weekly Advisory for 23 December 2020 regarding phishing activity using the likeness of FB-ISAO that could potentially be related to #BlueLeaks. Finally, members are encouraged to review the #cybersecurity_general channel in FB-ISAO Slack for a general level of awareness to on-going cyber threats and incidents.
As we offer the constant reminder that WE ARE ALL TARGETS of opportunity, the following are general considerations for continued vigilance:
Vulnerabilities in church management software platforms. During January, we were made aware of at least two widely used church management software platforms that were impacted by potential cyber threats.
On 6 January 2021, in the FB-ISAO #general Slack channel, a notice was sent to all members regarding a malicious domain registration for the church management software platform Realm. Multiple variations of the login domain (onrealm [.] org) had been registered and members who use Realm were encouraged to block incoming email from the fictitious domains.
On 14 January 2021, the ADVINTEL Faith-Based Sector Intelligence Advisory includes information regarding two critical vulnerabilities in Rock RMS. Members that use Rock RMS are encouraged to read the report, apply available vendor patches immediately, and monitor for malicious activity from a potential compromise of the software.
#BlueLeaks.We continue to stress the need to exercise vigilance when receiving communications purporting to come from any impacted organization, including FB-ISAO, fusion centers, and law enforcement entities (see FB-ISAO Weekly Advisory for 23 December 2020). Furthermore, be cautious of any activity from entities attempting to “survey” individuals who have received emails from FB-ISAO and other impacted organizations (fusion centers and law enforcement entities) as highlighted in an FB-ISAO Advisory emailed to members on 14 January 2021.
Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), whaling (targeting of high-profile targets), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat.
Be on your guard for scams trying to take advantage of the confusion surrounding COVID-19 Vaccine Distribution. Visit the FTC for a post and infographic on how to avoid vaccine-related scams. Likewise, with houses of worship participating as vaccination distribution sites, scams could have direct impact on the faith-based community if actors leverage/impersonate specific organizations to give their scams credibility.
Furthermore, threat actors commonly leverage upcoming sales related to national holidays and observances such as, Valentine’s Day, Presidents’ Day (Washington’s Birthday), etc. Members are urged to treat every sale and solicitation communication with suspicion.
While the recent compromise of the SolarWinds Orion product is presumed less likely to impact most FBO’s, a general threat still exists from similar third-party product/service compromises. Information on SolarWinds continues to be included nearly each week in Faith-Based Daily Journal and other TLP:WHITE summaries sent by FB-ISAO since 13 December 2020. Additionally, information is available in a CISA Insights: What Every Leader Needs to Know About the Ongoing APT Cyber Activity. Members are encouraged to exercise due diligence when implementing any third-party products and services. Please contact our team for more information on vendor risk management.
On-going ransomware attacks with subsequent leaked data. Ransomware continues impacting organizations of all types and sizes. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs and discuss necessary actions should ransomware impact your organization or third party partners. For more on ransomware preparedness and response, see the Ransomware Guide from CISA and the MS-ISAC.
Continued “Zoombombing.” Faith-based organizations continue to experience disturbing and heart-wrenching “Zoombombing” incidents. Many Zoombombing incidents occur due to public posting of meeting links and often deficient procedures when hosting such videoconferencing events. Members are encouraged to review the security settings on their videoconferencing platforms and apply best practices and procedures to reduce the risk from this prevalent disturbance. Most teleconference platform vendors have published tips for maintaining secure meetings and FB-ISAO has previously shared tips for securing online events. In addition, members are encouraged to download the Center for Internet Security’s Videoconferencing Security Guide for more guidance and best practices for mitigating this threat.
Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including post-election activity. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 Rumor vs. Reality resources, including the Election Security Resource Library.
Continue enabling/encouraging remote staff to work securely. As organizations continue prolonged or permanent work from home models, it is important to promote a secure remote work environment. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.
Please contact our team with any questions, needs for information, assistance or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the ongoing threat of the COVID-19 pandemic and the approaching U.S. winter season and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE and anticipate this level being maintained until a decrease in the threat of the pandemic as vaccines are administered and a possible decrease of travel as the winter season and seasonal health threats pass. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist, particularly with respect to phishing using FB-ISAO’s likeness, the SolarWinds Orion compromise, and scams using first of the year observance “Days”. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for on-going considerations regarding the Cyber Threat Level.
COVID-19 Pandemic. As we continue through this pandemic, with jurisdictions around the country and internationally having moved back to more stringent local restrictions based on the continued surge of COVID-19, FB-ISAO continues to strongly encourage members “hold the line”. By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. Especially during the start of flu season, and the likely confluence of COVID-19 and annual influenza threats, members are advised to respect and adhere to FSLTT guidance.
The pandemic has continued to surge and, though a decrease in new cases was observed at the end of December, hospitalizations are at record highs and new cases and deaths remain very high, with potential increases following holiday travel. As of 30 Dec, we are approaching seven million new cases since our last assessment (from 12.5 million cases and 259,005 deaths, to almost 19.43 million cases and 337,419 deaths) and as of 28 Dec, the CDC reports that the national ensemble forecasting predicts significantly increasing numbers of anticipated deaths with “12,400 to 24,300 new deaths will likely be reported in the week ending January 23, 2021. The national ensemble predicts that a total of 383,000 to 424,000 COVID-19 deaths will be reported by this date.” Based on current behaviors and trends and the slow rollout of the vaccines, the surge in cases and deaths will continue through the winter before an anticipated tapering off as we move towards spring. The distribution of vaccines is underway in the United States and across the globe. While this is an exciting development, the distribution will take time and preventive measures are still important as we move into the new year. Additionally, the U.S. has seen considerable holiday season travel and there is a potential surge in cases from associated travel and events that could facilitate outbreaks in both new cases and resulting deaths. As recently observed, there are continued mutations of COVID-19, such as the variation from the United Kingdom, along with variations from South Africa and Nigeria. which is expected, that seem to more quickly spread the virus. The UK variant has been observed in the U.S., first in Colorado, then in California, and is likely already spreading elsewhere. As noted above, this current situation is further complicated by annual flu season, which typically peaks in February but can last as late as May, and which has the potential to complicate and further overwhelm healthcare professionals and facilities. Some have referred to this dual threat as a “twindemic” – meaning the continuation of the COVID-19 pandemic and the start of flu season. While twindemic concerns have decreased based in extensive seasonal flu vaccines and COVID-related restrictions, the potential remains throughout the flu season. Exacerbating these challenges is the increasing challenge of “pandemic fatigue,” as Americans grow tired of restrictions and seek to return to normalcy. While understandable, a decrease in vigilance and safety will only prolong recovery and a return to a more open and safe environment.
While there is a lot of conflicting reporting and varied assessments regarding the threat, and as both personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains a very active health threat with continued local outbreaks or broader flare-ups, with more potential concerns particularly if established best practices such as social distancing and mask wearing are not followed. FB-ISAO assesses that we remain in a high risk period.
Worth noting, many FBOs have begun or continued phased reopening and by applying smart practices and safety measures, they have been able to avoid outbreaks at their facilities and among their congregations. These successes are commendable but recognizing success should not lead to complacency or a false sense that the threat has passed. As we wrestle with pandemic fatigue and the continued surge in cases, we need to avoid the danger of overconfidence. Outbreaks can happen quickly and lead to closures and broad infections, as has been observed in communities and FBOs around the country. For those that have been successful, we encourage you to maintain discipline and hold on to your success.
As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.
Again, we encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.
Beyond the explicit health threat, we have other security concerns, including:
Protests (General). Since June, we have expressed concern over the potential that protest activities will continue to pose direct and indirect threats to FBOs. Observed throughout 2020 and noted in previous threat assessments and FB-ISAO reporting, whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. We continue to assess protests may pose direct and indirect risks to FBOs. With continued frustrations over the 2020 elections or with new frustrations that may develop with an incoming presidential administration, protests may again flare-up in the weeks ahead.
Protests (Inauguration Day and Ongoing Election Issues). While the U.S. general election is over, the pending Inauguration of Joe Biden and Kamala Harris is still being contested by some. With a high-profile election runoff in Georgia (05 Jan) and continued tensions leading up to the 20 Jan Inauguration, there are the continued possibility of election-related protests and conflict.
Vaccine-Related Protests. If an FBO becomes involved in vaccine distribution / administration, there is the potential that anti-vaccination protests could develop or that disturbed/disgruntled people attacking vaccination centers. We assess this to be a low-level threat but one for FBOs to consider as they may be involved in vaccine distribution and related activities.
Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. We have continued to see various protests and violent actions aimed at COVID restrictions and individuals enforcing safety procedures. Last updated on 01 Sep, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, some individuals have demonstrated heightened sensitivities regarding these issues and have not responded well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors. Effective ways to safely engage individuals and de-escalation training could help prepare frontline personnel.
Nashville Attack and Conspiracy Theories. While the motivation behind the Christmas Day 2020 Nashville attack is not clear, it is possible that conspiracy beliefs / misinformation-related anxiety (i.e., 5G concerns) could have played a part. Already, there has been misinformation alleging the explosion was an attempted government cover-up to hide election fraud, and other such theories. It is possible that, inspired by Nashville and perhaps with additional motivations such as concerns over the election, the Inauguration, and the COVID vaccines, others may be inspired to action. While FBOs may not be a primary target of such angst, they could be, and could also be indirectly targeted by way of location and neighboring facilities.
Hostile Events and theTargeting of FBOs, Both People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FB-ISAO Daily Journal, including hate crimes such as spray-painting hate symbols and the destruction of statues, arson and stabbings, it is important to note there are often connections between other issues and events and actions that may be taken at FBOs. Relating to protests and for other issues, and sometimes for no clear grievance, FBOs have been targeted by a variety of types of aggression and violence – at facilities, on statues, with threats, and more. This is unlikely to change in our current environment. Further, Europe has seen several low-tech terrorism attacks conducted by violent jihadists. While such attacks have not occurred recently in the U.S., terrorist propaganda continues to promote attacks and it is possible would-be jihadists could seek to conduct attacks domestically, and potentially aimed at FBOs, as has been observed overseas.
Concerns Regarding the Cyber Threat Level
FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and the pre-pandemic frequency of non-coronavirus lures is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic and associated concerns and distractions.Additionally, if you haven’t already, members are highly encouraged to familiarize themselves with the FB-ISAO Weekly Advisory for 23 December 2020 regarding phishing activity using the likeness of FB-ISAO that could potentially be related to #BlueLeaks. Finally, members are encouraged to review the #cybersecurity_general channel in FB-ISAO Slack for a general level of awareness to on-going cyber threats and incidents.
As we offer the constant reminder that WE ARE ALL TARGETS of opportunity, the following are general considerations for continued vigilance:
#BlueLeaks.We continue to stress the need to exercise vigilance when receiving communications purporting to come from any impacted organization, including FB-ISAO, fusion centers, and law enforcement entities (see FB-ISAO Weekly Advisory for 23 December 2020).
Phishing. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), whaling (targeting of high-profile targets), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat. Furthermore, while the traditional holiday shopping season is behind us, threat actors will likely attempt to leverage upcoming sales related to national observance “Day’s” such as Martin Luther King, Jr. Day, Valentine’s Day, Presidents’ Day (Washington’s Birthday), etc. Members are urged to treat every sale and solicitation communication with suspicion.
SolarWinds. While the recent compromise of the SolarWinds Orion product is presumed less likely to impact most FBO’s, a general threat still exists from similar third-party product/service compromises. Information on SolarWinds has been included in several editions of the Faith-Based Daily Journal and other TLP:WHITE summaries sent by FB-ISAO since December 13, 2020. Additionally, information is available in a CISA Insights: What Every Leader Needs to Know About the Ongoing APT Cyber Activity. Members are encouraged to exercise due diligence when implementing third-party products and services. Please contact our team for more information on vendor risk management.
On-going ransomware attacks with subsequent leaked data. Ransomware continues impacting organizations of all types and sizes. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs and discuss necessary actions should ransomware impact your organization or third party partners. For more on ransomware preparedness and response, see the Ransomware Guide from CISA and the MS-ISAC.
Continued “Zoombombing.” Faith-based organizations continue to experience disturbing and heart-wrenching “Zoombombing” incidents. Many Zoombombing incidents occur due to public posting of meeting links and often deficient procedures when hosting such videoconferencing events. Members are encouraged to review the security settings on their video-conferencing platforms and apply best practices and procedures to reduce the risk from this prevalent disturbance. Most teleconference platform vendors have published tips for maintaining secure meetings and FB-ISAO has previously shared tips for securing online events. Please contact our team with questions.
Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including post-election activity. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 resources, including the Disinformation Stops With You infographic to better understand the continued threats to the election process.
Continue enabling/encouraging remote staff to work securely. As organizations continue prolonged or permanent work from home models, it is important to promote a secure remote work environment. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.
Please contact our team with any questions, needs for information, assistance or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the ongoing threat of the COVID-19 pandemic and the approaching U.S. winter season and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE and anticipate this level being maintained until a decrease in the threat of the pandemic (such as via an effective vaccine being administered) and / or the end of the winter health threats. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist, particularly with respect to holiday shopping scams. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for on-going considerations regarding the Cyber Threat Level.
COVID-19 Pandemic. As we continue through this pandemic, with jurisdictions around the country and internationally having moved back to more stringent local restrictions based on the continued surge of COVID-19, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. Especially during the start of flu season, and the likely confluence of COVID-19 and annual influenza threats, members are advised to respect and adhere to FSLTT guidance.
The pandemic has not peaked and in fact, new cases and fatalities are at very high levels as cases continue to rise and at the time of this assessment, COVID cases continue to increase rapidly during the current surge, with recent record highs and daily deaths known increasing from what had been a generally flat pace of around 800 a day in the previous assessment to almost double that at the time of this assessment. As of 27 Nov, we are approaching four million new cases since our last assessment (from 8.68 million cases and over 225,084 deaths, to almost 12.5 million cases ansd 259,005 deaths) and as of 23 Nov, the CDC reports that the national ensemble forecasting predicts significantly increasing numbers of anticipated deaths with “10,600 to 21,400 new deaths likely to be reported in the week ending December 19, 2020. The national ensemble predicts that a total of 294,000 to 321,000 COVID-19 deaths will be reported by this date.” Based on current behaviors and trends, the surge in cases and deaths will continue into the winter with no clear end to that surge in sight until the effective distribution of vaccines to the population. Additionally, a potential surge in cases from Thanksgiving travel and events could further the surge in both new cases and resulting deaths. As noted above, this current situation is further complicated by annual flu season, which has the potential to complicate and overwhelm healthcare professionals and facilities. Some have referred to this as a potential “twindemic” – meaning the continuation of the COVID-19 pandemic and the start of flu season. Exacerbating these challenges is the increasing challenge of “pandemic fatigue,” as Americans grow tired of restrictions and seek to return to normalcy. While understandable, a decrease in vigilance and safety will only prolong recovery and a return to a more open and safe environment.
While there is a lot of conflicting reporting and varied assessments regarding the threat, and as both personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains a very active health threat with continued local outbreaks or broader flare-ups, with more potential concerns particularly if established best practices such as social distancing and mask wearing are not followed. FB-ISAO assesses that we remain in a high risk period.
Worth noting, many FBOs have begun or continued phased reopening and by applying smart practices and safety measures, they have been able to avoid outbreaks at their facilities and among their congregations. These successes are commendable but recognizing success should not lead to complacency or a false sense that the threat has passed. As we wrestle with pandemic fatigue and the continued surge in cases, we need to avoid the danger of overconfidence. Outbreaks can happen quickly and lead to closures and broad infections, as has been observed in communities and FBOs around the country. For those that have been successful, we encourage you to maintain discipline and hold on to your success.
As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.
Again, we encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.
Beyond the explicit health threat, we have other security concerns, including:
Protests. Since June, we have expressed concern over the potential of protest activities – whether relating to social justice, elections, or other topics – would continuen to post direct and indirect threats to FBOs. Observed throughout this period and noted in previous threat assessments and FB-ISAO reporting, whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. Given recent events, ongoing protests, a tense political election season, and other considerations, we continue to assess protests may pose direct and indirect risks to FBOs. With continued frustrations over the 2020 elections or with new frustrations that may develop with an incoming presidential administration, protests may again flare-up in the weeks ahead.
Hostile Events and theTargeting of FBOs, Both People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FB-ISAO Daily Journal, including hate crimes such as spray-painting hate symbols and the destruction of statues, arson and stabbings, it is important to note there are often connections between other issues and events and actions that may be taken at FBOs. Relating to protests and for other issues, and sometimes for no clear grievance, FBOs have been targeted by a variety of types of aggression and violence – at facilities, on statues, with threats, and more. This is unlikely to change in our current environment. Further, Europe has seen several low-tech terrorism attacks conducted by violent jihadists. While such attacks have not occurred recently in the U.S., terrorist propaganda continues to promote attacks and it is possible would-be jihadists could seek to conduct attacks domestically, and potentially aimed at FBOs, as has been observed overseas.
Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. We have continued to see various protests and violent actions aimed at COVID restrictions and individuals enforcing safety procedures. On 24 Aug, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
The Winter Holiday Season. As we move into fall, holidays and celebrations continue, with annual major events to include Hanukkah (10-18 Dec), Christmas Eve / Christmas Day (24, 25 Dec) and New Year’s events, the possibility of potential targeting of FBOs and people of faith may increase. A less direct threat to FBOs but one that may impact members and visitors of FBOs is the continued concern around increased domestic violence during the pandemic. Since at least this summer there have been concerns over the “shadow pandemic” of violence against intimate partners – particularly women. A recent post notes, “Cases of violence against women have surged in 2020. According to the United Nations Population Fund, for every three months the COVID-19 lockdown continues, an additional 15 million women are expected to be directly affected by violence.” Domestic violence and continued stress relating to new COVID restrictions may have cascading implications to FBOs.
Concerns Regarding the Cyber Threat Level
FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and the pre-pandemic frequency of non-coronavirus lures is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic and associated concerns and distractions. Furthermore, as the holiday shopping season is upon us, members are urged to treat every sale and solicitation communication with suspicion. Likewise, members are encouraged to review the #cybersecurity channel in FB-ISAO Slack for a general level of awareness to on-going incidents.
As we offer the constant reminder that WE ARE ALL TARGETS of opportunity, the following are general considerations for continued vigilance:
Gift Card Impersonation Scams. As highlighted in a recent FB-ISAO blog post, an increase in holiday bonus gift card impersonation phishing scams should be anticipated. Scammers are highly likely to use the “after such a challenging year” ploy to cajole COVID-weary employees or volunteers into unwitting accomplices to help the boss secretly procure gift cards to use for things like company bonuses or charitable donations. But whatever the financial or information-stealing theme, employees should be repeatedly reminded to never act on such requests. But since it may be excruciatingly difficult to tell the boss “no,” it is up to bosses and leaders to empower employees and volunteers to NOT act and to report said activity. Likewise, it is up to bosses and leaders to make any legitimate special, secret, or surprise requests in-person, and not through an email or text. For more tips on shopping safely this holiday season, visit the resources at NCSA and CISA.
Phishing. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), whaling (targeting of high-profile targets), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat. Phishing is most often associated and expected with financially motivated cybercrime attacks. However, advanced persistent threat (APT) groups motivated by espionage also leverage phishing, as highlighted by recently observed activity targeting entities – including religious organizations – associated with diplomatic relations. This recent report by Proofpoint describes activity targeting entities involved in diplomatic relations between The Vatican and the Chinese Communist Party.
On-going ransomware attacks with subsequent leaked data. Ransomware continues impacting organizations of all types and sizes, including a recently reported attack against televangelist Kenneth Copeland. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs and discuss necessary actions should ransomware impact your organization or third party partners. For more on ransomware preparedness and response, see the Ransomware Guide from CISA and the MS-ISAC.
Continued “Zoombombing.” Faith-based organizations continue to experience disturbing and heart-wrenching “Zoombombing” incidents. Many Zoombombing incidents occur due to public posting of meeting links and often deficient procedures when hosting such videoconferencing events. Members are encouraged to review the security settings on their video-conferencing platforms and apply best practices and procedures to reduce the risk from this prevalent disturbance. Most teleconference platform vendors have published tips for maintaining secure meetings and FB-ISAO has previously shared tips for securing online events. Please contact our team with questions.
Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including post-election activity. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 resources, including the Disinformation Stops With You infographic to better understand the continued threats to the election process.
#BlueLeaks. While there is nothing significant to report, we continue to stress the need to exercise vigilance when receiving communications purporting to come from any impacted organization, including FB-ISAO, fusion centers, and law enforcement entities.
Continue enabling/encouraging remote staff to work securely. As organizations continue prolonged or permanent work from home models, it is important to promote a secure remote work environment. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.
Please contact our team with any questions, needs for information, assistance or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the ongoing threat of the COVID-19 pandemic and the approaching U.S. winter season and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE and anticipate this level being maintained until a decrease in the threat of the pandemic (such as via an effective vaccine being administered) and / or the end of the winter health threats. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for more statements regarding the Cyber Threat Level.
COVID-19 Pandemic. As we continue through this pandemic, with the continued possibility of having to move back to more stringent local restrictions based on events in our communities, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. Especially during the start of flu season, and the likely confluence of COVID-19 and annual influenza threats, members are advised to respect and adhere to FSLTT guidance.
After the summer spike, we were encouraged by a slower trend of decreasing cases. However, continuing the trend since mid-September, cases continue to rise and at the time of this assessment, COVID-19 cases are increasing, with recent record highs and daily deaths staying generally flat with around 800 a day. As of 27 Oct, we are approaching two million new cases since our last assessment (from 6.87 million cases in the U.S. and 200,275 deaths to 8.68 million cases and over 225,084 deaths) and as of 17 Sep, the CDC reports that the national ensemble forecasting predicts increasing numbers of anticipated deaths. Forecasting (as of 19 Oct) “3,500 to 7,600 new deaths will likely be reported during the week ending November 14, 2020. The national ensemble predicts that a total of 235,000 to 247,000 COVID-19 deaths will be reported by this date.” The likelihood of a broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks. As noted above, this is further complicated by annual flu season, which has the potential to complicate and overwhelm healthcare professionals and facilities. Some have referred to this as a potential “twindemic” – meaning the continuation of the COVID-19 pandemic and the start of flu season. Exacerbating these challenges is the increasing challenge of “pandemic fatigue,” as Americans grow tired of restrictions and seek to return to normalcy. While understandable, a decrease in vigilance and safety will only prolong recovery and a return to a more open and safe environment.
While there is a lot of conflicting reporting and varied assessments regarding the threat, and as both personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. With the resumption of K-12 and higher education, and some areas moving towards further “opening up” onsite learning, coupled with upcoming holidays that often include larger gatherings of friends and families, we remain in a higher risk period.
Worth noting, many FBOs have begun reopening over the last few months and by applying smart practices and safety measures, they have been able to avoid outbreaks at their facilities and among their congregations. These successes are commendable but recognizing success should not lead to complacency or a false sense that the threat has passed. As we wrestle with pandemic fatigue we also need to avoid the danger of overconfidence. Outbreaks can happen quickly and lead to closures and broad infections, as has been observed in communities and FBOs around the country. For those that have been successful, we encourage you to maintain discipline and hold on to your success.
As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.
Also important to note, as the 2020 election season winds up and we move into the post-election period, the pandemic, government data and guidance and other information continue to be politicized and questioned – some valuably, some politically, and some deliberately by those who seek to cause confusion and harm via disinformation activities. Again, we encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.
Beyond the explicit health threat, we have other security concerns, including:
Protests. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” In the ensuing months, we have seen that come to fruition and be further complicated by several additional incidents of excessive use of force resulting in death or serious injury as well as the 23 Sep Breonna Taylor decision. As we write this threat assessment update, protests have been ongoing in Philadelphia, Washington, D.C., and New York City, all relating to excessive use of force issues. At some of these prior and ongoing events, FBOs and people of faith have experienced acts of violence and vandalism from varied actors. Recent examples include election-related events in New York and recentincidents relating to the October protests in Philadelphia. Whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. Given recent events, ongoing protests, a tense political election season, and other considerations, we continue to assess protests may pose direct and indirect risks to FBOs.
Hostile Events and theTargeting of FBOs and African-American People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FB-ISAO Daily Journal, including hate crimes including spray-painting hate symbols and the destruction of statues, it is important to note there are often connections between other issues and events and actions that may be taken at FBOs. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” In the ensuing months, we have seen that come to fruition and be further complicated by several additional incidents of excessive use of force resulting in death or serious injury. Organizations supportive of protesters and those showing support for law enforcement, and organizations targeted for various other issues, and in some cases just as targets of opportunity and representing faith, have all been targeted by a variety of types of aggression and violence – at facilities, on statues, with threats, and more. This is unlikely to change in our current environment.
Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. We have continued to see various protests and violent actions aimed at individuals enforcing safety procedures. On 24 Aug, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
“Many… violent extremists, both domestic and international, are motivated and inspired by a mix of ideological, sociopolitical, and personal grievances against their targets, which recently have more and more included large public gatherings, houses of worship… Trends may shift, but the underlying drivers for domestic violent extremism—such as perceptions of government or law enforcement overreach, sociopolitical conditions, racism, anti-Semitism, Islamophobia, misogyny, and reactions to legislative actions—remain constant. As stated above, the FBI is most concerned about lone offender attacks, primarily shootings…” – FBI Director Wray, in remarks to the U.S. Senate in September 2020.,
U.S. Elections and Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, or relating to other emotional topics, can lead to a highly-charged atmosphere and pose associated risks to FBOs in the area which may not be directly targeted by indirectly implicated. As election-related activities and rhetoric increase in the final days of the election season and as we move to the post-election period and the possibility of delayed decisions of winners, it is possible that political rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO. Such incidents have occurred in October across the country, to include at events where faith-based groups showing support for a candidate have seen violence. Given the possibility of a prolonged period of time to identify winners from November’s elections, tensions may be elevated for some time, and after results are announced. FBOs should remain mindful of local events and tensions as they assess threats and security needs.
The Winter Holiday Season. As we move into fall, holidays and celebrations continue, with annual major events from Thanksgiving to December’s Hanukkah (10-18 Dec), Christmas Eve / Christmas Day (24, 25 Dec) and New Year’s events, the possibility of potential targeting of FBOs and people of faith may increase. At this point, it is difficult to anticipate how holiday events may be conducted, and what the political and protest environments may be like at those times.
Regarding the Cyber Threat Level, FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and the pre-pandemic frequency of non-coronavirus lures is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.
As we offer the constant reminder that we are all targets of opportunity, the following are general considerations for continued vigilance:
Phishing. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat.
On-going ransomware attacks with subsequent leaked data. All organizations experience ransomware infections. Likewise, every organization carries a risk from a ransomware attack on a contracted third party. Data leaked from third parties could be used in spear phishing against all partners in the victim’s supply chain for a variety of goals, including distributing more ransomware. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs, or at least discuss necessary actions should ransomware impact your organization or one of your third party partners. For more on ransomware preparedness and response, see the Ransomware Guide from CISA and the MS-ISAC.
Continued “Zoombombing.” Faith-based organizations continue to experience “Zoombombing” incidents. While these incidents are indeed disturbing and often heart-wrenching, Zoom and other video-conferencing providers have made great strides to provide the settings, even default settings necessary to significantly reduce occurrences of such lewd and disrupting attacks. Many Zoombombing incidents occur due to public posting of meeting links and often deficient procedures when hosting such videoconferencing events. Members are encouraged to review the security settings on their video-conferencing platforms and apply best practices and procedures to reduce the risk from this prevalent disturbance. Most teleconference platform vendors have published tips for maintaining secure meetings and FB-ISAO has previously shared tips for securing online events. Please contact our team with questions.
Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including elections. Disinformation is being increasingly spread by various entities for disruption, deceit, and even to discredit legitimate government efforts, including the integrity of American elections. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 resources, including the Disinformation Stops With You infographic to better understand the evolving threats to the election systems.
#BlueLeaks. While there is nothing significant to report, we continue to stress the need to exercise vigilance when receiving communications purporting to come from any impacted organization, including FB-ISAO, fusion centers, and law enforcement entities.
Continue enabling/encouraging remote staff to work securely. As organizations continue prolonged or permanent work from home models, it is important to promote a secure remote work environment. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.
Please contact our team with any questions, needs for information, assistance or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the ongoing threat of the COVID-19 pandemic and the approaching U.S. winter season and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE and anticipate this level being maintained until a decrease in the threat of the pandemic (such as via an effective vaccine being administered) and / or the end of the winter health threats. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for more statements regarding the Cyber Threat Level.
COVID-19 Pandemic. As we continue through this pandemic, with the continued possibility of having to move back to more stringent local restrictions based on events in our communities, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. Especially during the start of flu season, and the likely confluence of COVID-19 and annual influenza threats, members are advised to respect and adhere to FSLTT guidance.
After the summer spike, we were encouraged by a slower trend of decreasing cases. However, at the time of this assessment, COVID-19 cases are increasing, and daily deaths are not notably decreasing. As of 24 Sep, there are over a million new cases since our last assessment (from 5.75 million cases in the U.S. and nearly 178,000 deaths to 6.87 million cases and 200,275 deaths) and as of 17 Sep, the CDC reports that the national ensemble forecasting “predicts that 3,000 to 7,100 new deaths will likely be reported during the week ending October 10, 2020. The national ensemble predicts that a total of 207,000 to 218,000 COVID-19 deaths will be reported by this date.” The likelihood of a broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks. As noted above, this is further complicated by annual flu season, which has the potential to complicate and overwhelm healthcare professionals and facilities. Some have referred to this as a potential “twindemic” – meaning the continuation of the COVID-19 pandemic and the start of flu season.
While there is a lot of conflicting reporting and varied assessments regarding the threat, and as both personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. Especially with the resumption of K-12 and higher education, couple with upcoming holidays that often include larger gatherings of friends and families, we remain in a higher risk period. As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.
Also important to note, as the 2020 election season continues, the pandemic, government data and guidance and other information are being politicized and questioned – some valuably, some politically, and some deliberately by those who seek to cause confusion and harm via disinformation activities. Again, we encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.
Beyond the explicit health threat, we have other security concerns, including:
Protests. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” In the ensuing months, we have seen that come to fruition and be further complicated by several additional incidents of excessive use of force resulting in death or serious injury as well as the 23 Sep Breonna Taylor decision. FBOs and people of faith have experienced acts of violence and vandalism from varied actors. Whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. Given recent events, ongoing protests, a tense political election season, and other considerations, we continue to assess protests may pose direct and indirect risks to FBOs.
Hostile Events and theTargeting of African-American People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FB-ISAO Daily Journal, including hate crimes including spray-painting hate symbols and the destruction of statues, it is important to note there are often connections between other issues and events and actions that may be taken at FBOs. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” In the ensuing months, we have seen that come to fruition and be further complicated by several additional incidents of excessive use of force resulting in death or serious injury. Threats and hostile events have occurred at FBOs, to include predominantly African-American churches such as in Virginia and Kentucky. As Black Lives Matters broadly and Breonna Taylor decision-related and associated protests continue, this remains a concern. Underscoring these concerns, a 30 Aug arrest for attempted arson, burglary of a building and criminal mischief followed a Texas man’s suspected attempt to damage a predominantly African American church in Queen City, Texas. Other acts of vandalism and destruction have occurred at FBOs relating to racial issues.
Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. We have continued to see various protests and violent actions aimed at individuals enforcing safety procedures. On 24 Aug, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
“Many… violent extremists, both domestic and international, are motivated and inspired by a mix of ideological, sociopolitical, and personal grievances against their targets, which recently have more and more included large public gatherings, houses of worship… Trends may shift, but the underlying drivers for domestic violent extremism—such as perceptions of government or law enforcement overreach, sociopolitical conditions, racism, anti-Semitism, Islamophobia, misogyny, and reactions to legislative actions—remain constant. As stated above, the FBI is most concerned about lone offender attacks, primarily shootings…” – FBI Director Wray, in remarks to the U.S. Senate in September 2020.
U.S. Elections and Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, or relating to other emotional topics, such as the removal of statues and monuments, can lead to a highly-charged atmosphere and pose associated risks to FBOs in the area which may not be directly targeted by indirectly implicated. During both the Democratic and Republican political conventions, the community of faith was one of significant attention. As election-related activities and rhetoric increase in the final weeks of the election season, it is possible that political rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO. Additionally, given the possibility of a prolonged period of time to identify winners from November’s elections, tensions may be elevated for some time, and after results are announced. FBOs should remain mindful of local events and tensions as they assess threats and security needs.
The Winter Holiday Season. As we move into fall, holidays and celebrations continue, with annual major events from Thanksgiving to December’s Hanukkah (10-18 Dec), Christmas Eve / Christmas Day (24, 25 Dec) and New Year’s events, the possibility of potential targeting of FBOs and people of faith may increase. At this point, it is difficult to anticipate how holiday events may be conducted, and what the political and protest environments may be like at those times.
Regarding the Cyber Threat Level, FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and the pre-pandemic frequency of non-coronavirus lures is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.
Comment on #BlueLeaks: While there is nothing significant to report, due to members’ close partnerships with all impacted entities, including FB-ISAO, fusion centers, and law enforcement, this incident still represents a threat from actors who may try to leverage those trusted relationships in the future to phish (email or phone) for more information. We continue to stress the need to exercise extreme vigilance when receiving communications purporting to come from any impacted organization, particularly ones in your region.
Additional considerations for continued increased vigilance:
Ransomware running rampant. Municipalities, education institutions, healthcare, and mega-corporations are not the only organizations to experience ransomware infections. During the past two weeks, multiple houses of worship and other faith-based organizations have fallen victim – see FB-ISAO Cyber Advisory, 17 September 2020 for a discussion on two houses of worship that we became aware of at that time. The scope of the attacks has included the encryption (file/system locking) component and the data breach/leak component, as has become commonplace in recent months. Prior to ransomware adopting the data breach paradigm, organizations likely only experienced a service impact while the third party victim recovered from the unfortunate incident. Nowadays, every organization carries a risk from a ransomware attack on a contracted third party. Data leaked from third parties could be used in spearphishing against all partners in the victim’s supply chain for a variety of goals, including distributing more ransomware. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs, or at least discuss necessary actions should ransomware impact your organization or one of your third party partners. This Forrester report provides some salient points about dealing with ransomware.
Zoombombing. Faith-based organizations continue to experience “Zoombombing” incidents. While these incidents are indeed disturbing and often heart-wrenching, Zoom and other video-conferencing providers have made great strides to provide the settings, even default settings necessary to significantly reduce occurrences of such lewd and disrupting attacks. Many Zoombombing incidents occur due to public posting of meeting links and often deficient procedures when hosting such videoconferencing events. A spokesman involved in an incident over the weekend took onus by stating, “As a result we have increased our security and changed our processes and are confident that all future meetings can go ahead without any further issues.” Members are encouraged to review the security settings on their video-conferencing platforms and apply best practices and procedures to reduce the risk from this prevalent disturbance. Most vendors have published tips for maintaining secure meetings and FB-ISAO has previously shared tips for securing online events. Please contact our team with questions.
Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including elections. Disinformation is being increasingly spread by various entities for disruption, deceit, and even to discredit legitimate government efforts, including the integrity of American elections. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 resources, including the Disinformation Stops With You infographic to better understand the evolving threats to the election systems.
Emotet – Beating a Dead Trojan Horse. Despite the title, Emotet is far from dead. The title is meant to grab your attention because the persistence of this epoch of everybody’s everlasting email enemy remains worthy of mention, again. There have been numerous reports from fusion centers, partner ISAC’s, and others reporting a notable increase in Emotet phishing activity during the past week. Emotet is a virulent email threat often used to spread additional malware, including ransomware. Emotet is complex in its functionality and crafty in its campaigns. One of the most notable behaviors is its ability to hide in plain sight by hijacking existing email threads and attachments to emulate something you expect to receive in your inbox. If you receive messages with attention grabbing subjects such as, “Termination list,” “Can’t call you,” “Annual bonus report is ready,” “Payment Remittance Advice” or similar invoice-themed, it might just be Emotet. If you are seeing those subjects or similar, please report what you are seeing to FB-ISAO. Likewise, members are reminded to keep staff and volunteers aware of this and similar phishing attacks. The NCSAM resources below are great tools to help with security awareness.
Zerologon/Microsoft Netlogon Remote Protocol Vulnerability. “Zerologon,” a vulnerability affecting Microsoft’s Netlogon Remote Protocol that Microsoft provided a patch for in August is getting a lot of attention from both the security community and attackers. Likewise, there has been significant exploit activity observed concerning this critical vulnerability. Multiple alerts, advisories, and research have been published urging administrators to “patch now.” This vulnerability is rather trivial to exploit and a successful compromise will take complete control over your network domain. Given the advisories, a CISA Emergency Directive 20-04 – “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday,” and what some researchers consider the most dangerous bug revealed this year, members are urged to ensure their IT teams/managed service providers (MSPs) address this vulnerability now, if they have not already. Microsoft has published updated guidance on applying the patch.
We offer a constant reminder that we are all targets of opportunity. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat.
Continue enabling/encouraging remote staff to work securely. As organizations consider a prolonged or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure remote work environment. Staff who continue working remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination. Likewise, with October being National Cybersecurity Awareness Month (NCSAM), members are encouraged to check out associated NCSAM resources, “Do Your Part. #BeCyberSmart.”, and join FB-ISAO as an NCSAM 2020 Champion!
Please contact our team with any questions, needs for information, assistance or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 30 Sep 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.
Reopening America. Across the country, many FBOs have reopened or are preparing to reopen, while others have elected to continue to suspend in-person activities (some determining to do that through at least the rest of 2020). As we continue in the process of reopening, with the possibility of having to move back to more stringent restrictions or delays in continued reopening based on events in our local communities, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives.
While recent COVID-19 numbers are somewhat encouraging, there are many ways that minor progress can quickly evaporate as some return to work and places of worship and to the many that returning to schools across the country. As of 26 Aug, there are 5.75 million cases in the U.S. and nearly 178,000 deaths and as of 21 Aug, the CDC reports that the “national ensemble forecast predicts that 3,700 to 9,600 new COVID-19 deaths will be reported during the week ending September 12 and that 187,000 to 205,000 total COVID-19 deaths will be reported by that date.” While personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.
Regarding the Physical Threat Level, coronavirus remains a serious threat in the United States, with various states and local communities experiencing increasing infection numbers and with local outbreaks related to gatherings at FBOs in various areas around the country and observed internationally.
A health threat poses a challenge in assessing a threat level. In accordance with FB-ISAO’s threat levels, in many respects we are still in a “CRITICAL” phase, given that the pandemic remains very active and that further outbreaks are expected as reopening continues. The likelihood of a broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks. This is further complicated by annual flu season, which has the potential to complicate and overwhelm healthcare professionals and facilities. Some have referred to this as a potential “twindemic” – meaning the continuation of the COVID-19 pandemic and the start of flu season.
Beyond the explicit health threat, we have other security concerns, including:
As noted above, SEVERE means we believe an event is highly likely. With respect to our current environment and this assessment, we assess an event to be one of two types:
Local Outbreak. The possibility of local COVID-19 outbreaks remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups, as has been observed in various local outbreaks (see CDC case study, Arkansas, March 2020).
Hostile Events. In addition to routine threats, additional stressors may increase challenges for FBOs. That concern is raised in former CISA Assistant Director Harrell’s 08 Apr letter to the faith-based community. There are also other challenges that could lead to hostile events or provide opportunities for individuals or small groups to conduct acts of violence.
Protests & Targeting of African-American People and Facilities. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” In the ensuing months, we have seen that come to fruition and be further complicated by several additional incidents of excessive use of force resulting in death or serious injury. Threats and hostile events have occurred at FBOs, to include predominantly African-American churches such as in Virginia and Kentucky. As Black Lives Matters and associated protests continue, this remains a concern. Further, additional protests continue in parts of the country and may pose indirect threats and associated risks to FBOs.
Protests & Targeting Other People of Faith. As domestic protests demand law enforcement resources, some extremists have suggested using that as an opportunity for attacks against people of faith – and synagogues specifically. We have seen this occur internationally and remain concerned about the possibility of domestic incidents.
September’s Jewish High Holidays. September will see the major Jewish holidays of Rosh Hashanah (18-20 Sep) and Yom Kippur (27-28 Sep). As FBOs reopen and seek to conduct gatherings, many are considering holding large outdoor events. While this reduces risks associated with COVID-19, large outdoor mass gatherings present complex security events and potentially enticing targets for those that would seek to do harm. Major religious celebrations are easily identified and can be used to conduct media attention-getting attacks. Last year’s Poway Synagogue shooting (California) occurred on the last day of Passover. Members are encouraged to balance the desire for gatherings with their ability to effectively secure such events and are strongly encouraged to discuss plans with local law enforcement and fusion centers to gain local expertise regarding threats, security, and other considerations that may inform decisions and planning.
Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others.
Political Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, or relating to other emotional topics, such as the removal of statues and monuments, can lead to a highly-charged atmosphere and pose associated risks to FBOs in the area which may not be directly targeted by indirectly implicated. During both the Democratic and Republican political conventions, the community of faith was one of significant attention. As election-related activities increase in the months ahead, especially after the Labor Day weekend, it is possible that political rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO.
The Labor Day weekend holiday, as with the 4th of July, this year will see smaller and fewer events but nonetheless, mass gatherings – perhaps FBO picnic or other local community activities – may have high visibility. Combined with some of the additional challenges and complexities of our current environment, FBOs hosting events or in proximity to planned events, should consider threats and security to their people and places.
There continue to be varied incidents, attacks, and threats against retail establishments and personnel relating to enforcement of safety protocols such as required wearing of masks and maintaining adequate social distancing, or the wearing of masks that incite responses from others (such as KKK or Nazi masks). This has continued with regular frequency, though FB-ISAO is unaware of any known incidents that have occurred at FBOs. On 24 Aug, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
As we continue to reopen and reenter FBOs, recognize the potential for violence based on the stressors of COVID-19, the threats from violent extremists, and the longstanding issues that have resulted in previous acts of violence at houses of worship.
There continues to be extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]).
Beyond the immediate challenges, while we have yet to emerge from the “first wave,” there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world continue on an upward trajectory and it is expected that the number of cases in many areas will continue to increase in the coming weeks.
Regarding the Cyber Threat Level, FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and is consistent with a general “GUARDED” posture. While there is still no shortage of coronavirus-themed cyber attack campaigns, non-coronavirus lures have more or less returned to pre-pandemic frequency. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.
Comment on #BlueLeaks: While there have been no significant updates, due to members’ close partnerships with all impacted entities, including FB-ISAO, fusion centers, and law enforcement, this incident still represents a threat from actors who may try to leverage those trusted relationships in the future to phish (email or phone) for more information. We cannot stress enough the need to exercise extreme vigilance when receiving communications purporting to come from any impacted organization, particularly ones in your region. For members’ awareness, FB-ISAO has been contacted by the FBI Houston Division, who is investigating this matter.
Additional considerations for continued increased vigilance:
Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including elections. Disinformation is being increasingly spread by various entities for disruption, deceit, and even to discredit legitimate government efforts, including the integrity of American elections. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 resources, including the Disinformation Stops With You infographic to better understand the evolving threats to the election systems.
Ransomware running rampant. From municipalities and education institutions to healthcare and mega-corporations, no organization is safe from ransomware. In recent months, more and more ransomware attacks are including a data breach component. Prior to ransomware adopting the data breach paradigm, partner organizations likely only experienced a service impact while the third party victim recovered from the unfortunate incident. Nowadays, every partner organization carries a risk from a ransomware attack on a third party. Data leaked from third parties could be used in spearphishing against all partners in the victim’s supply chain for a variety of goals, including distributing more ransomware. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs, or at least discuss necessary actions should ransomware impact your organization or one of your third-party partners. This Forrester report provides some salient points about dealing with ransomware.
We are all targets of opportunity. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging coronavirus themes will continue for the foreseeable future.
Continue enabling/encouraging remote staff to work securely. As organizations consider a prolonged, perpetual, or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure remote work environment. Staff who continue working remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.
As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) continues to support the efforts of our broader Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group has developed and released the FB-ISAO Pandemic Reopening Reentry Checklist and continues in close collaboration as we assess appropriate needs for revisions and updates. Interested in helping? Contact our team to find out how!
Please contact our team with any questions, needs for information, assistance or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 31 Aug 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.
Reopening America. Across the country, many FBOs have reopened or are preparing to reopen, while others have elected to continue to suspend in-person activities (some determining to do that through at least the rest of 2020). As we continue in the process of reopening, with the possibility of having to move back to more stringent restrictions or delays in continued reopening based on events in our local communities, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives.
Several states and local communities are continuing experience new highs, though some of “hotspots” seem to be leveling off, in identified infections and deaths and CDC expects the death rate to steadily continue to climb, stating (as of 20 Jul) that “there will likely be between 160,000 and 175,000 total reported COVID-19 deaths by August 15th.” While personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO strongly discourages defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.
Regarding the Physical Threat Level, coronavirus remains a serious threat in the United States, with various states and local communities experiencing increasing infection numbers and with several recent local outbreaks related to gatherings at FBOs, such as:
Pastor: 40 infected with coronavirus after church event; An Alabama pastor says more than 40 people have been infected with the coronavirus after attending a multi-day revival event at his Baptist church (ABC News, 27 Jul)
A health threat poses a challenge in assessing a threat level. In accordance with FB-ISAO’s threat levels, in many respects we are still in a “CRITICAL” phase, given that the pandemic remains very active and that further outbreaks are expected as reopening continues. The likelihood of a broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks.
Beyond the explicit health threat, we have other security concerns, including:
As noted above, SEVERE means we believe an event is highly likely. With respect to our current environment and this assessment, we assess an event to be one of two types:
Local Outbreak. The possibility of a local COVID-19 outbreak remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups.
Hostile Events. In addition to routine threats, additional stressors may increase challenges for FBOs. That concern is raised in Assistant Director Harrell’s 08 Apr letter to the faith-based community. There are also other challenges that could lead to hostile events or provide opportunities for individuals or small groups to conduct acts of violence.
Protests & Targeting of African-American People and Facilities. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” Sadly, that has come to fruition. Threats and hostile events have occurred at FBOs, to include predominantly African-American churches such as in Virginia and Kentucky. As Black Lives Matters and associated protests continue, this remains a concern.
Protests & Targeting Other People of Faith. As domestic protests demand law enforcement resources, some extremists have suggested using that as an opportunity for attacks against people of faith – and synagogues specifically. We have seen this occur internationally and remain concerned about the possibility of domestic incidents.
Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others.
Political Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, or relating to other emotional topics, such as the removal of statues and monuments, can lead to a highly-charged atmosphere and pose associated risks to FBOs in the area which may not be directly targeted by indirectly implicated. As election-related activities increase in the months ahead, it is possible rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO.
There continue to be varied incidents, attacks, and threats against retail establishments and personnel relating to enforcement of safety protocols such as required wearing of masks and maintaining adequate social distancing, or the wearing of masks that incite responses from others (such as KKK or Nazi masks). This has continued in recent weeks, though FB-ISAO is unaware of any known incidents that have occurred at FBOs. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
As we continue to reopen and reenter FBOs, recognize the potential for violence based on the stressors of COVID-19, the threats from violent extremists, and the longstanding issues that have resulted in previous acts of violence at houses of worship.
There continues to be extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]).
Beyond the immediate challenges, while we have yet to emerge from the “first wave,” there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world continue on an upward trajectory and it is expected that the number of cases in many areas will continue to increase in the coming weeks.
Regarding the Cyber Threat Level, FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and is consistent with a general “GUARDED” posture. While there is still no shortage of coronavirus-themed cyber attack campaigns, non-coronavirus lures also continue to populate the cyber threat landscape. While we assess remaining at “GUARDED” is still reasonable at this time, increased vigilance is recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.
Update on #BlueLeaks: The FBI office in Houston continues to investigate. There was a report earlier this month that German authorities seized the server containing the leaked data. Likewise, Netsential has provided stakeholders with a notification of measures it has implemented and plans to implement to better secure its systems. Otherwise, as previously reported the #BlueLeaks data breach incident directly affects FB-ISAO due to the compromise of Netsential’s systems that maintain our membership and content delivery portal. That fact, plus our own partnerships with the other impacted entities, and many member’s close relationships with the same impacted entities, including fusion centers and law enforcement, still represent a very real and present threat from actors who may try to leverage those trusted relationships to phish (email or phone) for more information. Additionally, as impacted entities report on their analysis of the stolen data, a commonly captured non-public data point used for verification/validation includes registrants’ supervisor’s name and contact information. Therefore, it is likely threat actors could leverage supervisor information to lend greater credibility to the guise or to use as an additional target set. We cannot stress enough the need to exercise extreme vigilance when receiving communications purporting to come from any impacted organization, particularly ones in your region.
Additional considerations for continued increased vigilance:
Ransomware running rampant. From municipalities and education institutions to healthcare and mega-corporations, no organization is safe from ransomware. In addition to becoming a direct victim, faith-based organizations that outsource IT services to a managed service provider (MSP) can also become an indirect victim with direct impacts when the MSP is infected. Compromising MSPs to systemically infect multiple organizations has been an increasing trend over the past year. Members are encouraged to review ransomware and data breach playbooks/policies/procedures with staff and MSPs, or at least discuss necessary actions should ransomware impact your organization. This Forrester report provides some salient points about dealing with ransomware.
Cyberactivity spurred by ongoing #BlackLivesMatter protests. While most cyber activity surrounding protests have been targeting law enforcement and local government websites, FB-ISAO emphasizes the need for continued vigilance. Website defacements and denial-of-service (DoS) attacks have been the primary attack types thus far, but cyber threat actors are also known to aggrandize headlines to proliferate malware. Likewise, as #BlueLeaks represents, hacktivists are actively seeking to compromise organizations that are likely to contain troves of law enforcement sensitive documents for the purpose of public disclosure/dissemination.
Contact tracing scams. Scammers are pretending to be contact tracers and sending fake text messages. Keep in mind that legitimate contact tracing messages are intended to be factual and will not ask for personal information or include a link to click. Multiple federal agencies have partnered to alert the public on avoiding contract tracing scams, including the FTC and the Justice Department.
Mis/disinformation is still a concern. Dis/misinformation continues to spread regarding coronavirus related matters and protest activity. Disinformation is spread by various entities for disruption, deceit, and even to discredit legitimate government efforts. It is imperative to think critically and continue verifying everything. FB-ISAO continues to encourage members to treat every coronavirus-themed communication or protest related subject with suspicion.
We are all targets of opportunity. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging coronavirus themes will continue for the foreseeable future.
Continue enabling/encouraging remote staff to work securely. As organizations consider a prolonged, perpetual, or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure remote work environment. Many organizations and people were thrust into remote working. Those who continue working remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. StaySafeOnline maintains its COVID-19 Security Resource Library with an up-to-date compilation of resources to enable safe telecommuting.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.
As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) continues to support the efforts of our broader Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group has developed and released the FB-ISAO Pandemic Reopening Reentry Checklist and continues in close collaboration as we assess appropriate needs for revisions and updates. Interested in helping? Contact our team to find out how!
Please contact our team with any questions, needs for information, assistance or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:
The TIG has determined to maintain the Physical Threat Level to “SEVERE.” SEVERE means an event is highly likely. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 31 July 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.
The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.
Reopening America. Across the country, many FBOs are reopening or preparing to reopen, while many have elected to continue to suspend in-person activities. As we continue in the process of reopening, with the possibility of having to move back to more stringent restrictions or delays in continued reopening based on events in our local communities, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives.
Many states are seeing their highest daily rates of infection and CDC expects the death rate to steadily continue to climb, with “between 130,000 and 150,000 total reported COVID-19 deaths by July 18th.” While personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups. As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO strongly discourages defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.
Regarding the Physical Threat Level, as SLTT governments continue to “reopen” their communities and as FBOs are reopening and beginning to welcome back the public, coronavirus remains a serious threat in the United States, with many states experiencing increasing infection numbers and with several outbreaks related to gatherings at FBOs. A health threat poses a challenge in assessing a threat level. In accordance with FB-ISAO’s threat levels, in many respects we are still in a “CRITICAL” phase, given that the pandemic remains very active and that further outbreaks are expected as reopening continues. The likelihood of a broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks.
Beyond the explicit health threat, we have other security concerns, including:
As noted above, SEVERE means we believe an event is highly likely. With respect to our current environment and this assessment, we assess an event to be one of two types:
Local Outbreak. The possibility of a local outbreak remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups. FBOs have been associated with several local outbreaks in recent weeks.
Hostile Events. In addition to routine threats, additional stressors may increase challenges for FBOs. That concern is raised in Assistant Director Harrell’s 08 Apr letter to the faith-based community. There are also other challenges that could lead to hostile events or provide opportunities for individuals or small groups to conduct acts of violence.
Protests & Targeting of African-American People and Facilities. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” Sadly, that has come to fruition. Threats and hostile events have occurred at FBOs, to include predominantly African-American churches such as in Virginia and Kentucky.
Protests & Targeting Other People of Faith. As domestic protests demand law enforcement resources, some extremists have suggested using that as an opportunity for attacks against people of faith – and synagogues specifically. Overseas, this has been observed, for example, in Turkey, where Christians and Christian facilities have been targeted.
Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others.
Political Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, can lead to a highly-charged atmosphere. As election-related activities increase in the months ahead, it is possible rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Some of those challenges were observed at a June rally for President Trump in Arizona. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO.
During reopening, there have been varied attacks and threats against retail establishments and personnel relating to enforcement of safety protocols such as required wearing of masks and maintaining adequate social distancing. This has continued in recent weeks, be it there have been less observed instances and known incidents at FBOs. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
As we reopen and reenter FBOs, recognize the potential for violence based on the stressors of COVID-19, the threats from violent extremists, and the longstanding issues that have resulted in previous acts of violence at houses of worship.
There continues to be extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]).
Beyond the immediate challenges, there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world – including very significant ongoing outbreaks in Brazil and other parts of Latin America – are on an upward trajectory and it is expected that the number of cases in many areas will continue to increase in the coming weeks.
The 4th of July holiday, while likely with smaller and fewer events this year, always has security concerns due to mass gatherings and high visibility. While events may be fewer and smaller, combined with some of the additional challenges and complexities of our current environment, FBOs hosting events or in proximity to planned events, should consider threats and security to their people and places.
Regarding the Cyber Threat Level, FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and is consistent with a general “GUARDED” posture. While there is still no shortage of coronavirus-themed cyber attack campaigns, non-coronavirus lures continue to populate the cyber threat landscape. While we assess remaining at “GUARDED” is still reasonable at this time, increased vigilance is recommendeddue to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations. In addition, as previously reported the recent #BlueLeaks data breach incident directly affects FB-ISAO due to the compromise of the technology service provider (Netsential) that manages our membership and content delivery portal. That fact, plus our own partnerships with the other impacted entities, and many member’s close relationships with the same impacted entities, including fusion centers and law enforcement, present a very real and present threat from actors who may try to leverage those trusted relationships to phish (email or phone) for more information. We cannot stress enough the need to exercise extreme vigilance when receiving communications purporting to come from any impacted organization, particularly ones in your region.
Additional considerations for continued increased vigilance:
Cyberactivity spurred by ongoing protests over the death of George Floyd. While most cyber activity surrounding protests have been targeting law enforcement and local government websites, FB-ISAO emphasizes the need for vigilance. Website defacements and denial-of-service (DoS) attacks have been the primary attack types thus far, but cyber threat actors are also known to aggrandize headlines to proliferate malware. Likewise, as #BlueLeaks represents, hacktivists are actively seeking to compromise organizations that are likely to contain troves of law enforcement sensitive documents for the purpose of public disclosure/dissemination.
Contact tracing scams. Scammers are pretending to be contact tracers and sending fake text messages. Keep in mind that legitimate contact tracing messages are intended to be factual and will not ask for personal information or include a link to click. The FTC has updated guidance on avoiding fake contact tracers.
Mis/disinformation is still a concern. Dis/misinformation continues to spread regarding coronavirus related matters and protest activity. Disinformation is spread by various entities for disruption, deceit, and even to discredit legitimate government efforts. Social media organizations such as Twitter are striving to flag potentially harmful and misleading posts. Likewise, several states are working to fight the scourge. It is imperative to think critically and continue verifying everything. FB-ISAO continues to encourage members to treat every coronavirus-themed communication or protest related subject with suspicion.
We are all targets of opportunity. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging coronavirus themes will continue for the foreseeable future.
Continue enabling/encouraging remote staff to work securely. As organizations consider a prolonged, perpetual, or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure remote work environment. Many organizations and people were thrust into remote working. Those who continue working remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. StaySafeOnline maintains its COVID-19 Security Resource Library with an up-to-date compilation of resources to enable safe telecommuting.
Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.
As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) continues to support the efforts of our broader Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group has developed and released the FB-ISAO Pandemic Reopening Reentry Checklist and continues in close collaboration as we assess appropriate needs for revisions and updates. Interested in helping? Contact our team to find out how!
Please contact our team with any questions, needs for information, assistance or any other concerns.
We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
Join the #covid-19, #protest_awareness, #cybersecurity and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.
This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.
