Summary of Findings
COVID-19 vaccine research will remain a top target for APT groups throughout 2021. Threats to individual health privacy escalate with ransomware attacks against a wider range of medical institutions.
U.S. Treasury warns of ransomware using various COVID-19 vaccine lures.
Botnets shift attack focus to high-value targets and mass spam.
Bitcoin and Ethereum valuation increases will drive more attacks on cryptocurrencies.
SolarWinds compromise reporting implicates a single APT actor in a two-stage operation.
Separate supply chain attacks show APT groups will continue developing TTPs to compromise trust.
COVID-19 research will remain a top target for APT groups in 2021
Since March 2020, many APT groups have been reported targeting COVID-19 research. This risk will likely increase throughout 2021, as nations roll out vaccine programs and produce further research. The following are some examples:
Reporting has implicated the Lazarus APT group in three separate attacks related to COVID-19 research, including one attack on a pharmaceutical company on September 25, 2020, and another on an unnamed government health ministry on October 27.
In June 2020, Lazarus also conducted a broad phishing campaign targeting six nations on multiple continents whose governments had announced significant fiscal support for individuals and businesses impacted by the pandemic.
Healthcare-related ransomware attacks increased in 2020 compared to 2019
Reporting from Check Point detailed recent growth trends in healthcare-related ransomware attacks, speculating that attackers are taking advantage of hospitals’ willingness to meet ransom demands so they can avoid disruptions, especially during the COVID-19 outbreak. Canada and Germany saw the greatest increase in these attacks. Europe, East Asia, and Latin America were the regions most affected. It is unlikely that these trends indicate selective adversary targeting. Rather, the data very likely reflect variations in information security practices across different nations.
Ransomware operators use photos to escalate threats to patient privacy
After the recent compromise of a plastic surgery clinic, attackers threatened to release before-and-after photos of its celebrity patients. In a similar attack, a hacker threatened to reveal sensitive mental health records – in this case, going directly to the patients to extort payment.
U.S. Treasury warns of high risk for ransomware using COVID-19 vaccine lures
According to the Financial Crimes Enforcement Network, threat actors will almost certainly increase attacks on financial institutions using varying COVID-19 vaccine lures to distribute a range of malware. Related attacks have already been detected. The greatest risk is very likely ransomware, and the greatest impact could be disruption and denial/degradation of services. The lures, which are applicable to anyone, are likely to attract special attention and cause anxiety that threat actors will leverage to their advantage for initial delivery of commodity malware. Risk very likely extends beyond the financial sector.
Multiple threat actors focus attacks on high-value targets using Emotet and mass spam
A new Emotet campaign that likely began in December 2020 targeted systems in Lithuania at the National Center for Public Health (NVSC) and in several municipalities. The attack in Lithuania used phishing for delivery to people involved in coordinating the pandemic response. Concurrently, Emotet was reported to be in use in a generic mass spam campaign.
Historically, Emotet has used simple spam to target a broad range of victims. But over the past year, EclecticIQ analysts observed threat actors developing highly specific TTPs with Emotet; in one instance, this included a targeted attack on the United Nations. The most recent operations use multiple TTPs, both generic and targeted, over a short period. This trend indicates Emotet developers are diversifying the types of threat actor groups they partner with to carry out attacks.
Jump in cryptocurrency valuation expected to drive more attacks
EclecticIQ analysts have high confidence that threat actors will advance attacks against cryptocurrency wallets and brokers, following stunning valuation increases in Bitcoin (BTC) and Ethereum (ETH). A recent attack used fake companies in social engineering efforts to persuade victims to give up information and compromise their accounts. Meanwhile, the U.S. Office of the Comptroller of the Currency has announced federal support of blockchain-based cryptocurrency, possibly expanding financial opportunities for threat actors.
Reporting on SolarWinds supply chain compromise implicates single APT group in a two-stage operation using at least four malware families
U.S. law enforcement and intelligence agencies reported the campaign was almost certainly espionage and is “likely Russian in origin.” Further analysis indicates it is probable that a small fraction of SolarWinds customers in the United States received further infiltration by the APT group. Remaining customers downloading the initial trojanized SolarWinds application may be victims of extensive reconnaissance but did not receive the same second-stage payloads.
APT groups will continue developing TTPs focused on supply chain attacks
The North Korean APT group Thallium exploited and trojanized a private stock investment messaging application in a software supply chain attack targeting financial information. The attack produced a shell on victim systems and exfiltrated data over an FTP channel. The objectives of the attack are still unclear, but it provided a high level of access to victims and possibly to proprietary information.
This blog is part of an ongoing series of biweekly intelligence updates from EclecticIQ. Each blog covers the latest cybersecurity news, industry trends, and current and emerging threats based on our experts’ interpretation of data and other source materials. We may provide updates on the COVID-19 pandemic situation as well.