Covid-19 Threat Intelligence Blog

EclecticIQ Pandemic Intelligence Update - Week 16

April 14, 2020

EIQ_corona_FC_CTI_report_blogimage16As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.

This is the fourth report in a weekly series of updates to inform of important developments to COVID-19-themed attacks. 

Key Findings
  • Risk escalates to the remote workforce as a result of vulnerabilities to popular software and compromised accounts now for sale on the Dark Web. 
  • The FBI has issued a specific BEC (Business Email Compromise) alert related to COVID-19 themed attacks. 
  • Updated reporting from the ransomware attack on a UK company working on a SARS-CoV2 vaccine has stated it will not pay the ransom. Any data exfiltrated will be released publicly for other threat actors to pick through. 
  • Data indicates TTPs responsible for the largest volumes of attacks are now recycled at greater rates, indicating TTPs are becoming standardized. 
  • Further APT activity targets the United States and China. 
  • Reporting indicates many COVID-19 attacks are aimed at obtaining strategic remote access to be further exploited later. 
Analysis 

Threats Escalate for the Remote Workforce 

The US Department of Homeland Security and UK National Cyber Security Centre issued a joint alert regarding Advanced Persistent Threat (APT) activity possibly targeting remote workers. The APT groups are said to be using similar COVID-19 themes as described in previous weekly updates. The more advanced groups use more convincing landing pages that collect credentials from targeted individuals.  EclecticIQ Fusion Center expects government and healthcare entities will be targeted most due to the strategic roles these institutions play in the pandemic response. They are likely to have intelligence that competitor countries are interested in. These institutions may want to start reviewing logs daily for network  connections to unverified domains and flag them for follow up. 

Zoom is a popular app aiding the remote workforce surge and was recently dissected by Citizen LabThe main findings of their evaluation included cryptographic algorithms that were vulnerable to snooping and mishandling of data via the main application that allows attackers to obtain further information from the Zoom session that could allow them to pivot onto the internal network. Zoom is actively working to strengthen security as Zoom develops its security program. Organizations may want to look for a backup option for media conferencing to increase resilience and create redundancy. 

A report surfaced this week showing login details of verified Zoom accounts which were posted on Dark Web sitesThis supports the theory that most attacks are aimed at providing strategic access, which can be sold and further actioned by other groups at a later dateAccess to these accounts may allow threat actors to take advantage of some of the vulnerabilities discovered by Citizen Lab and assist attackers in penetrating the networks of the corresponding account owners. Zoom users should use unique, very strong passwords. Organizations may further consider a password change in lieu of this breach. 

Malicious Zoom apps are the primary delivery vector for attacks on remote workersThese apps can come with malicious configurations that allow threat actors to attack user’s mobile device. Companies should direct employees to only use official app marketplaces. 

A report this week detailed a new scanner that was built specially to find default login credentials in administrative web interfaces.  Attacks that carry from this reconnaissance stage are high-risk; successful compromise could result in high-level privileges which can be used to easily pivot to other parts of the network.  Remote infrastructure is under increased load from the increase in remote work and these attacks will further stress security. 

Companies are urged to review their web-facing administrator accounts and revise any default passwords in use as general best-practice. 

Attack Alert Regarding BEC Scams Targeting COVID-19 

(https://www.fbi.gov/news/pressrel/press-releases/fbi-anticipates-rise-in-business-email-compromise-schemes-related-to-the-covid-19-pandemic).  At least one group is targeting cloud-based emailin the hope that it is less hardened and easier to exploit for their scams, which rely on social engineering and bypassing spam filters to increase delivery rates. Researchers have discovered phishing exploit kits that provide most of the software and tooling needed to initiate these attacks. The kits lower the technical barrier to entry and help the scams appear more realistic. Businesses should practice increased vigilance during this time by verifying suspicious communications via a separate channel to ensure authenticity. 

Update on Targeting of Hammersmith Medicines Research LTD

We detailed an attack on Hammersmith Medicines Research LTD (HMR), a company working on COVID-19 vaccines, by Maze ransomware in our second weekly reportRecently HMR’s managing director statedWe have no intention of paying. I would rather go out of business than pay a ransom to these people. Any data exfiltrated from HMR will be exposed publicly by the threat actors, but no further release has been made outside of the original partial release from March 14 2020. The release of HMR data could expose further vaccine information that could be used in further disinformation campaigns on social media platforms.

Mass Attacks Are Recycling Tactics, Techniques and Procedures (TTPs) at a Greater Rate

Attacks are patterning more heavily and copying one another, producing attacks with less ingenuity. This is supported by a recent report from ThreatPost that details recent and widespread attacks that use common TTPsHeavily reused TTPs are easier to mitigate with existing COVID-19 specific threat intelligence. 

Over the past week, EclecticIQ Fusion Center has seen evidence of common attack patterns shifting heavily towards the United States. The country leads virus cases on a per nation basis and is likely to get worse by spreading into the Southern Hemisphere - as the virus migrates to seasonally vulnerable populations. 

A recent report by Checkpoint analyzing large swaths of newly registered domains with strong COVID-19 themes, show they are currently 50% more likely to be malicious than others. A trend of increased TTP reuse could indicate that the common, wide-net spam attacks are reaching a barrier, in terms of TTP capabilities and the Pyramid of Pain. Threat actors carrying out these types of spam operations are responsible for the largest COVID-19-themed attack volumes currentlyHeavy recycling of TTPs may indicate new attacks will begin to slow. 

EclecticIQ Fusion Center have not observed significant new developments in capabilities regarding MaaS (Malware-as-a-Service) TTPs. Europol has provided a good high-level summary of popular COVID-19-related TTPs observed thus far.   

Threat Actors Are Migrating Target Audiences 

EclecticIQ Fusion Center have observed COVID-19 themed TTPs shift to targeting more victims in the Southern hemisphere. Analysts expect this trend to continue. The greatest risk will be to Australia and specific countries in South America.  

In 2019, ESET identified Peru, Mexico, Argentina, Brazil, and Colombia as having the highest rates of cyber-attacks in South Americaranked in the same order. EclecticIQ Fusion Center expect risk from COVID-19-themed attacks to parallel this evaluation. The pandemic enables the same threat actors to continue attacks using further lure material with victims who are new to the recycled attack patterns. Threat actors in the region have a history of heavily targeting banking information. COVID-19 attacks in Central and South America are highly likely to focus on credential compromise for financial gain.  

From the end of March 2020, Australia is reporting a surge in attacks using many of the same TTPs we have earlier described.   

Reporting indicates groups from nations in Africa operating COVID-19-themed attacks with speculative links to Russian operations. The use of distant (both geographically and geopolitically) proxy groups may help further obscure the source of social media disinformation campaigns and likely enables operations to mobilize faster. 

APT Activities Target China and The United States 

APT Activities Target the United States 

According to threat research from Prevailion more than 30 US State and Local governments have already been victims of nation-state actors looking to spread malicious information and disruption, related to COVID-19The most affected areas include: Texas, New York, Ohio, California, Florida, Washington, DC, Alabama, North Carolina, Louisiana, and Connecticut. Darkreading shows the trend is rapidly increasing. 

NASA Sees Rapid Increase of Targeted Activity 

The advisory cites dramatic increases in phishing, malware, and anti-mitigation.  It cites a growing threat from “Nation-States” and specifies increased risk to its remote workforce. NASA is not likely to have strategic information regarding COVID-19. The attacks are likely opportunistic attempts at compromise, designed to take advantage of chaos and hoping victims will lower their guard. 

APT Activities Target China 

Qihoo360, A China-based security company reported that 174 VPN servers attached to Chinese Government networks have been attacked since mid-March 2020.  Qihoo has attributed the attacks to DarkHotel, a group believed to operate from South Korea, claiming they used VPN zero-days to breach Chinese government agencies. This activity may be linked to a broad info-gathering operation aimed at COVID-19 strategic intelligence.  VPN servers provide trusted and restricted access to internal sensitive information.  In our Second weekly report, we detailed another attack by Dark Hotel against the WHO (World Health Organization).  If the same threat actor is behind both attacks, the combination of both information repositories is more likely to produce a strategic advantage, by providing insights into the COVID-19 response of various nations. 

Attacks for Strategic Exploitation 

While many attacks will be designed to capitalize on the immediate crisis, the more sophisticated attackers will take advantage of preoccupied organizations that have lowered their guardMuch of the current malicious COVID-19 themed activity is aimed at implanting malware inside a targeted company's infrastructure that provides remote access for later exploitation. This indicates that further, more consequential attacks are likely as threat actors set up future attacks with specific objectives that use data obtained from initial attacks seen thus far in our weekly updates. 

A recent, large-scale attack against an Italian email provider highlights possible strategic exploitation. The attack also compromised the source code of other web applications in use by the company. The response to COVID-19 in Italy is likely to become a politically divisive issue, due to the severity of the intranational pandemic there. Mass email compromises and subsequent “leaks” were able to manipulate the 2016 election in the US by exploiting divisive national issues. 

Another recent event with possible strategic motivations involved a Russian telecommunications company hijacking large portions of internet traffic via BGP. It is not the first time this has happened. Such a move could provide Russia with operational intelligence on divisive issues across Social Media that allow it to advance its operations already embedded in that space (https://www.rand.org/content/dam/rand/pubs/research_reports/RR2200/RR2237/RAND_RR2237.pdfhttps://www.cyberscoop.com/russia-ira-troll-farm-disinformation-outsourced/https://www.aljazeera.com/news/2020/03/russian-social-media-accounts-sow-election-discord-200305191111967.html). 

COVID-19 Privacy Exploitation  

In the wake of the global effects of COVID-19 there will likely be an increased threat to personal privacy. Early in the pandemic, there were warnings of expanding surveillance powers. There are now several reports that confirm technology efforts are underway that may affect everyone’s privacy. 

Spyware vendor NSO Group has said it will offer Coronavirus tracking technologies to monitor location and proximity of masses of people. Apps are under development specifically to track coughs. 

Google is also offering to apply its existing location tracking capabilities for government projects to monitor mass movement. There remain various legal barriers to fully implement the above, but these reports all demonstrate Proof-of-Concepts (POCs) that have massive privacy implications.  Governments will have increased incentive to adopt mass tracking abilities to respond better to future outbreaks and the public will be more willing to accept them.