As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.
This is the third report in a weekly series of updates to inform of important developments to COVID-19-themed attacks.
Key Findings
- Wide net phishing attacks are increasingly effective at bypassing security controls to increase spam delivery rates.
- The United States is seeing increased attacks resulting from political discourse over a national stimulus package, as predicted in the report from last week.
- Alerts on attacks to the healthcare industry escalate. Ransomware is still the primary concern.
- Previous APT campaigns against healthcare may lead to further breach of healthcare networks.
- The attack perimeter of remote work infrastructure has increased and faces increased risk from various attacks.
- Evidence shows multiple nations are supporting operations consolidating around the manipulation of misinformation.
Analysis
Attacks featuring common TTPs (Techniques, Tactics, and Procedures) and commodity Malware-as-a-Service (MaaS) are continuing unabated.
Spike in Phishing Campaigns in the Wake of US Financial Relief Package
As predicted in last week’s report, the United States has already started seeing a spike in COVID-19 ‘Financial Relief’ phishing attacks, resulting from recent political discussions over a massive stimulus package to the population.
Initial attacks observed spoof email components and obfuscate command and control (C2) traffic more effective than the attack patterns we described in our initial COVID19 phishing investigation. The operations appear to target a variety of individuals, but Proofpoint notes that US healthcare has been targeted with similar ‘relief’ lures by at least one campaign. The attacks direct healthcare recipients to a page for their Microsoft credentials. There is no report of further malware. A targeted credential harvesting campaign such as this, is very likely to result in further attacks that weaponize some of the compromised credentials for further penetration into healthcare networks, in order to glean strategic COVID-19 information that can either be manipulated or used for strategic advantage among sparring nations. Evidence of strategic and specific COVID-19 APT attacks was introduced in EclecticIQ´s report from last week.
Attack Alerts Expanded for Healthcare Industry
Microsoft alerted to increased attacks against hospitals this week. Much of the risk derives from ransomware like Ryuk, Sodinokibi, and Maze. These families currently exploit perimeter defenses (i.e. remote gateways and portals) to then elevate privileges and move laterally to internally-controlled command infrastructure (e.g. Active Directory, Administrator workstation, remote deployment software), and using this elevated position to thoroughly encrypt across as much of the network as possible. The malware has data-stealing capabilities enabled through the use of sophisticated loaders like Trickbot and Emotet. Disabling macros within Microsoft Office and using a default whitelisting policy can be effective against many of these malware loaders.
Maze ransomware was recently used to encrypt cyber insurance provider Chubb headquartered in the US. The attack may not have exploited a specific COVID-19 theme, but highlights the sensitivity and importance of PII data. Information gained from the attack could be used in further attacks targeting individuals or medical institutions as clients of Chubb. Importantly, Chubb supports a range of Healthcare IT services that include “Medical Device / Pharmaceutical Industry Support”, “Patient Administration Solutions”, and “Patient Care Solutions”. The effects of a further attack during the pandemic could impact medical supply chains or IT systems that support hospital operations.
Further Risk to Hospitals from Previous APT Activity
Evidence presented in last week’s report highlighted APT attacks that may be specifically motivated to obtain strategic COVID19 intelligence of other countries.
The World Health Organization published a list of organizations that are working on potential COVID-19 vaccines. EclecticIQ analysts assess with moderate confidence that these will be key targets for malicious activity as work on the vaccine progresses.
On 30th March, the Federal Bureau of Investigation (FBI) reissued a private industry notification from 2016. The notification warns of Kwampirs malware “Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries, including Healthcare Sector”.
Five days earlier, the FBI issued a flash with Yara rules to identify Kwampirs Malware. On the same day, ReversingLabs shared an analysis detailing several Kwampirs samples.
EclecticIQ Fusion Center analysts note that in 2018 Symantec reported about an APT group - dubbed OrangeWorm - that deployed Kwampirs RAT targeting “healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry".
Beside the similarities in targeted verticals and capability, analysts cannot confirm if current activities are linked to Sandworm at the time of reporting.
Risk Increases to Remote Work Environments as Attacks Shift Focus
Reports are significantly increasing detailing attacks that specifically take advantage of the remote workforce induced by the COVID-19 pandemic. These attacks have the potential to lead to leaking sensitive data or enabling espionage.
The Increased Remote Workforce Increases Attack Perimeters During the Pandemic
On 23rd March, researcher Matthew Hickey tweeted that
“#Zoom chat allows […] to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users”
EclecticIQ analysts observed that the so-called SMB relay attack was hyped by some media outlets as a zero-day vulnerability in Zoom. While the rendering of the UNC path can be considered a flaw in the Zoom client, the transmission of a user's login name and their NTLM password hash is built into Window´s Challenge/Response (NTLM) authentication protocol.
Organization should move to Kerberos as the authentication protocol and optionally implement SMB signing.
Local Privilege Escalation and Code Injection for Mic and Camera Access in Zoom MacOS Client
On 30th March, security researcher Patrick Wardle published two vulnerabilities affecting the Zoom MacOS client. The flaws which require local access may allow an attacker to gain root access and provide access to a victim’s microphone and camera.
On 1st April, Zoom addressed the UNC link issue, the MacOS-related flaws and other findings reported by researchers in the past weeks.
A best-practice guide for controlling Zoom participation for end-users can be found here.
EclecticIQ analysts believe that teleconferencing software is increasingly exposed to attacks. As more people are induced to work remotely, use of this software rise, effectively increasing the attack surface to threat actors. Attacks on the remote workforce are of increased concern during various “lock-down” orders, when employees are already strained by limited resources.
Analysts hypothesize that the heightened use of video and audio-conferencing tools has led to closer and more frequent inspection/review by security professionals. It is plausible that other vulnerabilities in conferencing solutions will be disclosed in the coming weeks.
Misconfigured Helpdesk Services Provide New Attack Delivery and Exploitation Vectors
Ethical Hacker Inti De Ceukelaire reported that „288 of 1.972 [scanned] Atlassian instances were open to the public. Misconfigured remote helpdesk portals may allow a threat actor to probe an organization´s helpdesk environment, and to access Personally Identifiable Information (PII) and other sensitive information.
As a best practice, organizations should pentest their public facing infrastructure designed to support remote work according to the comprehensive OWASP guide. At a minimum, organizations should implement multi-factor authentication, use very strong passwords, and follow punctual software updates.
Mobile devices continue to be a popular attack choice and threat actors are attempting to trojanize Android apps with adware. Users should not install applications acquired through un-official websites.
Mass Phishing Attacks Evolve to Bypass Security Devices More Effectively.
EclecticIQ Analysts continue observing attacks that exploiting COVID-19 anxiety and that invest more energy into bypassing security devices. In the week-13 update analysts saw threat actors investing most of their effort into simple social engineering, spoofing domains and IP addresses and stuffing headers with keywords to undermine spam-scoring assigned by antivirus algorithms. Collectively, these TTPs allow the malicious emails to reach inboxes with much higher success rates. The great majority of phishing attacks observed this week use similar and popular COVID-19 lure-themes for social engineering:
- https://www.welivesecurity.com/2020/04/01/coronavirus-con-artists-continue-spread-infections/
- https://www.bleepingcomputer.com/news/security/phishing-attack-says-youre-exposed-to-coronavirus-spreads-malware/
- https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/
- https://www.proofpoint.com/us/threat-insight/post/threat-snapshot-coronavirus-related-lures-comprise-more-80-percent-threat
A Distinct Pattern of Disinformation Activity is Taking Focus
Chinese COVID-19 disinformation campaigns began as early as January 2020. Initial campaigns appear to be a strategic move to moderate geopolitical blame. China may be furthering disinformation to boost its global image in what is being called “mask diplomacy”. By offering resources or “gifts”, they may be manipulating perception. Gift giving such as this is a very popular move in game theory.
These moves could also play into China’s push for “reinvention” of the internet. The effort is being led by Huawei. Given that Huawei is also building most of the world's 5G infrastructure, this could give them significant reach into global mobile-based communication.
A report last week from BellingCat regarding the effects of Social Media disinformation campaigns, builds further on activity reported this week of persistent Russian intrusion sets are using troll-farms to politicize vaccines. That article, in turn, builds from original ideas presented in this publication.
COVID19 has captured a global audience. The post-mortem analysis of the pandemic will introduce a significant political angle in many nations, especially those that struggled more through it. The global public is now focused on vaccine news. Exploiting and manipulating vaccine information via Social Media platforms may be a highly effective way of encouraging internal social unrest and political division. These efforts may allow nations like Russia to manipulate the political activity of foreign nations to its geopolitical benefit.
Proofpoint research supports further evidence, showing recent activity on Social Media that was aimed to amplify conspiracy theories reportedly aimed at increasing political division.
Nations show consolidated interest in exploiting COVID-19 disinformation These developments may play a role in affecting national elections, or manipulating medical supply chains. Russia is known to have interfered in the 2016 election using similar divisive TTPs across a range of platforms.