EclecticIQ
March 30, 2020

EclecticIQ Pandemic Intelligence Update - Week 14

EclecticIQ Pandemic Intelligence Update week 14As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.

This is the second report in a weekly series of updates to inform of important developments to COVID-19-themed attacks. 

Executive Summary

EclecticIQ Fusion Center analysts continue to observe high volume attacks featuring commodity malware operated by threat actors with less skill. This trend was highlighted in our initial report from last week. This week’s report highlights increasing APT activity as more advanced actors consolidate markedly around COVID-19 themed attacks.

Key Findings
  • APT attacks are targeting strategic COVID-19 related intelligence of other countries or using COVID-19 as an opportunity to compromise broad sets of victims.
  • New evidence this week shows that commodity-type attacks are increasingly focusing on mobile devices, particularly Android.
  • Reports of attacks against hospitals are increasing and attacks are escalating to physical threats.
  • Analysis of Command and Control infrastructure shows threat actors are attempting to penetrate the World Health Organization (WHO), potentially in an effort to acquire vaccine information or health statistics from rival countries.
  • Disinformation and attacks weaponizing false information on social media are increasing.
  • Threat actors attempted to spoof CDC (Centers for Disease Control and Prevention) communications in a second attack that does not appear to be related to the first attack -the week of March 23, 2020.
  • Based on global COVID-19 attack activity, analysts assess with medium confidence that the U.S. will see an increase in attacks as national infection volume builds and the release of the U.S. stimulus package presents new exploitation opportunities in misinformation and phishing attacks.
Analysis

APT attacks have increased after a period of less activity, after countries began implementing national lock-downs. The attack alerts result from analyzing activities from this week and last week. The earliest APT attacks may have begun in mid-February. The increased activity patterns parallel global quarantine efforts, as cybersecurity reporter Catalin Cimpanu with ZDNet noted recently, “the most malware campaigns using coronavirus themes came from China, all being sent out over the past two weeks, just as China had pulled out of its own COVID-19 crisis”.

Attempts to Penetrate the WHO’s Internal Network
On March 13 2020, Alexander Urbelis, a cybersecurity expert, alerted on an attack against the WHO (World Health Organization). Urbelis attributed the activity to DarkHotel, believed to operate from the Korean Peninsula. Attribution is not firm. Evidence of Korean language settings in associated malware artifacts and limited C2 clusters of Korean origin are the primary exhibits for attribution. DarkHotel is a persistent group and current events make the WHO a high-value target. The attack Kill-Chain was designed to harvest login information.  The WHO contains information on COVID-19 that many nations are currently interested in. The information could be used in disinformation attacks to manipulate adversaries or could provide a competitive edge: economic or military. Analysts forecast further attacks against the WHO are likely as APT activity continues to increase from a relative lull earlier, when nations began implementing various lock-downs. 

Coordinated Disinformation Campaign Against Ukraine

The Hades APT group (possibly Russian State-sponsored) targeted Ukraine in a spearphishing attack. Malicious documents were sent to targets, disguised as emails coming from the Center for Public Health and/or the Ministry of Health of Ukraine. The emails propagated false information about five cases of coronavirus in the Ukraine and led to violent protests in parts of the country. On the same day, a plane carrying evacuees from China arrived in Ukraine. ZDNet stated that “[…] the email campaign was followed by a flood of messages on social media claiming the COVID-19 disease had arrived in the country.” Recent geopolitical interests in Ukraine from Russia strongly support Russian attribution. Creating panic might serve as a distraction to enable strategic manoeuvring elsewhere.

Possible Attack from North Korea Against South Korea

Security firm IssueMakersLab reported a document containing BabyShark malware -a dropper written in Visual Basic. The malware is associated with the Kimsuky Intrusion Set (North Korea). The documents are “believed to have been sent to South Korean officials” and purport to detail South Korea’s response to the COVID-19 outbreak. The attack appears to be aimed at information gathering, likely to provide North Korea with a strategic edge over its neighbor, if they can gain and manipulate official COVID-19 related information.

Open Ended Attacks From APT41 (China)

According to FireEye, the most malware volumes using coronavirus themes came from China, all being sent out over the past two weeks, just as China had pulled out of its own COVID-19 crisis. FireEye did not observe APT41 attacks between February 2 and February 19, 2020 that could be the result of the COVID-19 related quarantines.

The attacks do not show strong victim patterning; targeting a wide array of countries and industries. The operation uses non-targeted phishing TTPs coupled with common exploits CVE-2019-19781; RCE as “Root” and CVE-2020-10189; RCE as “SYSTEM”. The operation was only observed executing the reconnaissance and exploitation phases of the Kill Chain. Further malware, beyond initial droppers, was not observed, and further lateral movement - characteristic of APTs, was not observed. This leads EclecticIQ analysts to posit that further attacks are likely, since these initial efforts amount to substantial operational investment by an APT group. Analysts expect further attacks will be executed to complete the Kill Chain.

FireEye reports, “This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years”.

Companies exposed to CVE-2019-19781 anytime between January 20 and March 11 or to CVE-2020-10189 from March 8 through today, should proactively audit and hunt through Windows logs on systems with end-user email access for instances of RCE, correlated to unauthorized privilege escalation events. Any matches should be investigated.

This week analysts observe further evidence of threat actors developing and bolstering COVID-19-specific C2

Threat actors are brute-forcing home routers and reconfiguring DNS to point to compromised websites pushing the Oski information-stealing trojan. Victims are redirected to an IP address controlled by the attackers, which prompts a download for a “COVID-19 information app”.

Home users can prevent a compromise of their router by:

  1. Stetting a strong admin password (at least 12-characters)
  2. Enabling 2-Factor-Authentication (if supported)
  3. Disabling (or at least limiting) remote access

Rising US Infection Count Leads to Rising Cyber Attacks Targeting US Citizens and Organizations

Victims in the US are likely to see increased attacks as the US accumulates the highest number of infections of the global total. US citizens are among the wealthiest, and coupled with a possible atmosphere of anxiety, makes them attractive targets.

An operation was recently discovered that exploited an open redirect from the website of the U.S. Department of Health & Human Services. The COVID-themed phishing attack spread - Racoon Stealer; a trojan that exfiltrates credentials to various financial assets.

On March 27, the US passed a stimulus package. 7 days before the US Senate passed the emergency relief package, the FBI Internet Crime Complaint Center (IC3) warned about emails “asking [victims] to verify […] personal information in order to receive an economic stimulus check”.

Another Wave of Attacks Exploiting the CDC

The IC3 also warns of lures pertaining to:

  • Charitable contributions
  • General financial relief
  • Airline carrier refunds
  • Fake cures and vaccines
  • Fake testing kits

Mobile Attacks Increasing Via Malicious Apps

Many of the reports from this week focus on mobile device attacks - specifically via redirecting users to malicious apps. These attacks are increasing with App usage related to public COVID-19 information seeking.

These attacks all rely on the victim downloading a malicious app from an unofficial website. Users can effectively guard against these attacks by only downloading apps from certified stores. Organizations should watch for user mobile traffic to unknown destinations that results in a "*.apk" download.

Hospitals Attacked

This week analysts observed increased targeting of hospitals specifically with ransomware. EclecticIQ analysts continue to observe commodity malware representing the largest proportion of payloads in COVID-19-themed attacks.

On March 24 2020, multiple hospitals in Spain reported receiving COVID-19-themed phishing lures asking for WHO donations. Security analysts determined the emails launched Netwalker ransomware.

On March 26 2020, Ryuk targeted an unnamed healthcare provider in the US.

On March 18 2020, Maze operators released stolen data from drug testing company Hammersmith Medicines Research.

In a further escalation of attacks against hospitals, the FBI successfully disrupted an attempted bomb attack against a hospital in Missouri. Agents believe the suspect deliberately decided to time the attack with COVID-19 panic.

Further Disinformation on Social Media

Following last week’s publication, Bellingcat produced another detailed report that illuminates some of the patterns behind disinformation attacks that are COVID-19-specific. According to Bellingcat, these types of attacks normalize the distortion of reality allowing threat actors to more easily manipulate masses of people.

Sophos provided details on a specific disinformation attack that falsely claimed generic masks saved lived from COVID-19 in order to boost sales of poor quality masks. This activity may be linked to the FBI advisory on counterfeit goods, above.

Analysts observed two new TTPs used in COVID-19 themed attacks that use disinformation. An extortion-type attack presents an escalation to physically infect family members of victims who receive these non-targeted emails.

Fake corona-antivirus software was pushed to victims in attacks last week. These attacks use very basic and common TTPs lacking sophistication. EclecticIQ Platform contains over 70 unique TTPs since 2018 that weaponized fake Antivirus products. These attacks demonstrate that COVID-19 continues to draw attention from many threat actors. Attacks show no signs of slowing down.