EclecticIQ Pandemic Intelligence Update - Week 17
As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.
This is the fifth report in a weekly series of updates to inform of important developments to COVID-19-themed attacks.
- Healthcare becomes the dominant focus of more attacks, increasing relative to past weeks.
- New COVID-19 APT activity includes attacks against industrial control systems in Azerbaijan.
- A Zoom zero-day for MacOS and Windows was released presenting heightened risk to the remote workforce environment.
- COVID-19 disinformation grows/intensifies globally via social media with escalating effects.
- A Business Email Compromise (BEC) scam alert was issued that specifies risk to medical supply shipments.
New patterns from reporting this week indicate that threat actors commanding mass-spam attacks, the type that were used earlier against masses of individuals worldwide, are now specifically targeting the healthcare industry. Victims range across the globe, but hospitals are a focus.
Healthcare is the Focus of a Range of Attacks
Many healthcare attacks currently use a CVE from Microsoft office - CVE-2012-0158 with a malicious attachment via phishing. The attacks are capable of launching a range of commodity malware (Malware-as-a-Service or opensource). The highest risk reported includes variants of Ryuk ransomware. Attacks against the healthcare industry are using more thoughtful lures, which include spoofing the WHO and medical-supply-shipment information.
The attacks exploit vulnerabilities on systems dating back to at least 2012, indicating widespread implementation of outdated healthcare IT infrastructure. The attacks are easily mitigated with more updated technology and software. An upgrade would provide increased functionality and cost savings in security mitigation.
The increased targeting of hospitals is further validated by a recent large breach and release of US doctor records. The availability of these records increases the risk to healthcare even further. Individual doctors could be targeted in additional spearphishing attacks with the aim of penetrating internal healthcare networks. APTs may use the information for targeting highly specialized individuals that may have access to strategic vaccine knowledge.
Hack and Dump of COVID-19 Research Papers
This week a threat actor(s) released a trove of research articles related to past research of coronaviruses. The records were obtained by unknown means. The threat actor appears to be an activist of free information and the dump was first posted to reddit via an English-speaking account that appears genuine and not a ‘throw away’ or bot account. The dump contains over 5000 COVID-19 related research papers contained in over 6Gb. Sampled articles were all from scholarly peer-reviewed journals of medicine. The report collection is mostly dated post-2000, but some reports date back to the late 1980’s.
Growing COVID19 ‘hacktivism’, the type that motivated the research dump, is indicative of growing global interest in COVID19 data. Threat actors can use these dumped articles as seeds to spin-off false interpretations and spread further disinformation via social media. There is a specific increased risk to social media and individuals based in the Unities States. Current conspiracy theories are likely to draw attention to these articles that attempt to spin the facts in ways that are manipulative to political agendas.
Effects of Disinformation are Escalating Globally
Bellingcat has provided an article this week that spells-out the subtlety involved with different groups online that amplify bad information. Some of the groups may not intentionally distribute bad information or may reference it in ways that further amplify content. Other groups are probably seeding malicious content intentionally with bots. After passing certain thresholds, the content gets picked up and gains further traction with human accounts.
The implications of COVID-19 disinformation are potentially serious and we are starting to see more of the fallout from these seeds of bad information. If threat actors can broadcast bad information from “trusted” accounts, then the resulting audience is far more likely to take the bad information seriously without verifying it further. This happened earlier with the TikTok social media platform. Failure to implement HTTPS allowed threat actors to intercept TikTok traffic and spoof bad information from “popular and verified accounts”, which were able to “pollute the internet with misleading facts”.
Fires were set by vandals to a handful of 5G towers throughout Europe and mainly in the Netherlands. The fires appear to be started resulting from COVID19 conspiracy theories circulating online. “Swedish data company Earhart Business Protection Agency, which tracks online disinformation, [reported] the first video directly linking coronavirus to 5G appeared online in early January in the form of a lecture that discussed the influence of electromagnetic radiation on pandemics”. Some hospitals in the region rely on 5G connections for their infrastructure because of the increased data capacity. The escalations of misinformation, described above, demonstrate significant impact and costs that can result from the type of misinformation spreading online related to COVID-19.
Threat Actors Drive Further Opportunistic COVID-19 Themed Attacks
Now that mass spam attacks have begun recycling TTPs at a greater rate, EclecticIQ analysts are observing further evidence of opportunistic attacks branching out from the initial spam attacks as a way of maintaining novelty and effectiveness. There is also evidence that mass spam attacks may be starting to wane. This trend may be gleaned from big-data trends highlighted by KrebsonSecurity. Malicious domain registrations with keywords related to COVID-19 appear to be declining from a current peak near the end of March 2020. This is measured by both new domain registrations and appearance of similar domains in client traffic.
Analysts expect further opportunistic attacks will trend in similar countries that experienced the worst of the outbreak (US, Italy, UK, and Spain). When hackers recently accessed staff mailboxes at Italian bank Monte dei Paschi, earlier this week, the threat actors immediately started sending voicemails to clients; likely using information from the breach to make the phishing attack more convincing. The bank withheld technical details of the attack, which took place on March 30 and wasn’t reported by Reuters until April 11. Timely reporting, notification, and intel-sharing is crucial for organizations at this time, to help mitigate the increased threat presented by COVID-19 themed cyberattacks. The increased reuse of TTPs that we reported in last week’s report, may be driving threat actors to perform additional opportunistic attacks, to obtain new material to use in novel attacks.
BEC Scams Alert Regarding Medical Supplies
Concerns over medical supply shipments are creating many opportunities for BEC scams. Last week, EclecticIQ analysts reported an official alert to BEC scams generally looking to take advantage of COVID-19. This week, the FBI released an alert stating that government agencies have already been victims of BEC scams that used medical supply shipments as themes to perform social engineering and to divert payments. It is plausible that threat actors are targeting the US with these BEC attacks specifically as a result of recent supply issues and trade feuds in the US. Threat actors will continue to exploit vulnerabilities and anxieties created by the chaos surrounding the pandemic. They are proving adept at adjusting attacks to different regions
Zero day for Zoom increases the risk to remote workers.
Two recent zero-days were announced for sale allegedly exploiting Zoom; one for Windows and one for MacOS. The Windows version purportedly provides remote code execution (RCE); the MacOS version purportedly does not conduct RCE and reportedly requires the attacker to already be a “participant” in the Zoom meeting.
Given the history of Zoom security issues recently, and in combination with the sub-par encryption protocol analysed by Citizen Lab, the zero-days, if validated and exploited, are likely to pose increased risk to organizations of strategic interest to Nation-States and their APT proxies. There is a very limited Window in which threat actors can use this exploit, so it makes sense to hit a limited, strategic target of high-interest, during a time when remote work is seeing an increase of sensitive traffic, due to the pandemic. No reputable sources have thus far analysed the exploits. EclecticIQ analysts are not aware of exploitation attempts in the wild.
If organizations question their risk to these unknown exploits, the recommended best practice is to segment Zoom traffic from the internal network as much as possible. One method could include a dedicated system loaded with the Zoom application, segmented within a DMZ, and isolated from the internal network. Employees would be required to remotely access the server over a dedicated connection to access the Zoom application. Place increased monitoring and detection on the server responsible for Zoom traffic. Use the Zoom server to focus threat-hunting efforts. Monitor connections to the server and flag any suspicious traffic or unauthorized changes to the system configuration for further investigation. Look at any files coming into the server. Correlating Zoom traffic with email logs can help further mitigate common spearphishing delivery vectors that are more popular. A threat actor may email a victim and use social engineering to get them to start a Zoom call as a way to initiate a malicious connection.
New COVID-19 Related APT Activity
Cisco Talos released a report detailing attacks on private-sector industrial control systems within Azerbaijan starting in February 2020. Attacks in April began implementing a malicious COVID-19 theme for the delivery phase of the attack. The malware used is PoetRAT, a new custom RAT. The attackers spoofed Azerbaijan-government domains and performed spearphishing against unreported victims. The main malware implant was installed in multiple stages, with multiple tools to enable increased dwell time and probing of the target(s). The payload has FTP exfiltration capabilities, which allow for large, rapid data transfer.
Summary of APT activity Specific to COVID-19.
Malwarebytes published a brief of APT activities seen to date and relevant to the pandemic. Some of this activity in their report follows from data discovered during our investigation into initial COVID-19-themed phishing. For all the APT activities described, the delivery phase TTPs are almost identical for each group; they all share template injection for spearphishing. Template injection significantly boosts the effectiveness of emails by making them appear more realistic. The groups also use similar payloads - all designed for remote access. The payloads are all unpacked in a way that maintains obfuscation and successfully defeats many security devices.
Konni (thought to be North Korea-based) targeted various organizations (historically and recently: US, China, Japan, Vietnam, Russia, Nepal, India, Romania, Kuwait, and countries in the Middle East). VirusTotal shows an initial sample starting 14.03.2020. It was submitted via an API, which would suggest the origin network was somewhat advanced; tailored with some degree of automated threat detection and response (IDS/IPS). This points to organizations higher in the industry in terms of development and maturity. It may have also been purposely done to hide the origin of the submission.
Kimsuky (thought to be North Korea-based) using CVE-2017-0199 to exploit South Korea with CVE-2017-0199 to launch spyware capable of extracting architecture info, local system info, Apple Pay info, Network info, Firewall info, access to the camera, audio, and Bluetooth. Activities started in “early March” 2020.
Calypso (thought to be North China-based) targeted “Mongolian public sector” via CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 to execute a custom RAT capable of at least taking screen shots, executing new processes, and collecting local system information. The campaign is referred to as “Vicious Panda”. Snapshots of threat actor infrastructure shows “Last Modified” timestamps of January 22 2020; indicating that activity began near the end of January or Early February 2020.
Mustang Panda (thought to be North China-based) targeting Think Tanks and NGOs that are largely US-based with less customized, more commoditized RATs such as Poison IVY and PlugX RATs. Activity started “late February” 2020.
APT 36 (thought to be Pakistan-based) targeted India starting March 12 2020 via Crimson RAT. Its earlier functions included logging keystrokes, capturing audio, and taking screenshots from infected systems.
Ocean Lotus (thought to be Vietnam based) targeting China via custom Trojan “Denis” aimed at providing remote access, starting February 19 2020.
TA542 (thought to be Russia based) operating mass spam attacks featuring Emotet variants. EclecticIQ analysts detected mass Emotet infections matching TTPs described in the report, and using COVID-19 themed lures starting days after the PHEIC declaration by the WHO.
TA505 (thought to be Russia based) targeting a broad victim base with multiple, less customized, malware-families designed for financial gain.
Bitter (thought to be Southeast Asia-based) targeting China via custom RAT
Hades targeting Ukraine with a RAT capable of (among other things) collecting local system and user information, taking screenshots, and logging keystrokes.
Patchwork (thought to be India-based) targeted China with a custom backdoor in “early February” 2020. EclecticIQ analysts found evidence of submissions from Japan using the same reported C2 address on February 13 via VirusTotal. This would suggest that the activity attributed to Patchwork and specific to China, may have been less targeted in nature.
Updates to Previous Reports
In the report from the week of March 30 2020, EclecticIQ analysts briefly detailed aspects of China’s global aid initiatives and possible ulterior motives. Newer reporting released since, has demonstrated how some of the aid was of such poor quality, that it increased risks for the recipients. “600,000 poor quality masks were recalled by the Netherlands” and testing kits in Czech Republic that were only 30% effective, included only some of the issues. Time highlights Europe, which has received Chinese aid, as the current hotbed for geopolitical influence from China. China appears to be manipulating divisive issues in Europe in attempts to reshape its image by distorting media. The article also highlights how European leaders have exploited the divisiveness over China for local political agendas.
Security Affairs provided an article that describes part of the evolution of Dark Market exploitation of pandemic supplies. The report shows how threat actors selling supplies under questionable ethics, adapted their market rapidly to changes in the pandemic. Based on the reporting, it is likely that threat actors were able to scale-up operations in ways that impacted the global supply chain of pandemic-related medical supplies. As a result of this increased activity, governments have begun to crack down on major offenders.