Covid-19 Threat Intelligence Blog

EclecticIQ Pandemic Intelligence Update - Week 18

April 28, 2020

As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.

This is the sixth report in a weekly series of updates to inform readers of important developments in COVID-19-themed attacks.

Key Findings 
  • Ransomware remains a top threat to healthcare. The US has issued further alerts specific to CVE-2019-11510, previously used to install ransomware, 
    and in consideration of earlier ransomware against University Hospital Brno, in the Czech Republic. 
  • Trend Micro reports Gamaredon, an allegedly Russia-linked threat actor operating since 2013, has targeted European countries with COVID-19 themed attacks. 
  • The initial wave of COVID-19 themed attacks may be opening virtual doors for further attacks that leverage unauthorized remote access. 
  • Misinformation attacks are diversifying, but remain most prominent in the US. 
  • COVID-19 tracking technology releases may become exploitable attack vectors for threat actors. 

Analysis

Ransomware Continues to be the Current Greatest Risk to Healthcare 

The risk to healthcare highlighted last week continues this week as the United States State Department, in an unusual move, issued a public high-profile alert from the Secretary of State. An updated alert was concurrently issued by the US-CERT, describing a critical arbitrary file disclosure vulnerability in Pulse Connect Secure VPN Servers (CVE-2019-11510). The alert is partly the result of earlier activity against a hospital in the Czech Republic as well as more recent threats to US hospitals. Hospitals cannot afford any downtime of their networks. These continued alerts attempt to serve as deterrence by effectively putting ransomware syndicate groups on notice: their activities will be a priority for justice.

New COVID-19 Related APT Activity 

Trend Micro published a report detailing the Gamaredon APT group (thought to be Russia-affiliated) using COVID-19 themed lures to attack victims in the European region (among others). EclecticIQ Analysts have fused the report into STIX (Structured Threat Intelligence) using the EclecticIQ Platform in the image below (image 1).

Image 1: Gamaredon attacks displayed in EclecticIQ Platform

The attacks leveraged template injection, a method that enables better spoofing for phishing pages. It is the same TTP pattern highlighted for all the APT groups discussed in a recent Malwarebytes report.

A STIX analysis, based on the image attached, shows that the newer Gamaredon attack uses a new obfuscated macro in the delivery phase, but reuses TTPs in other phases of the attack that Gamaredon has been observed using before. This knowledge enables organizations to more easily fingerprint Gamaredon activity and adopt a security posture at the highest level of the Pyramid of Pain, based on TTPs.

COVID-19 Lures Targeting the Wuhan Government and the Chinese Ministry of Emergency Management 

On April 22, FireEye reported on phishing attempts that targeted the Wuhan Government and the Chinese Ministry of Emergency Management.

The campaign began at least as early as January 6, and FireEye attributes it to APT32, a suspected Vietnamese APT. Open source reporting shows that China alerted the WHO to several cases of unusual pneumonia in Wuhan on December 31 last year. The targeting and the timing demonstrate that threat actors were quickly focusing their efforts on collecting intelligence regarding a virus which at that time was still unknown. As highlighted in previous reports, analysts are very confident that COVID-19 espionage against governments and research organizations will continue in the foreseeable future.

State Sponsored Aid Packages for COVID-19 Are Targeted in Parallel to Mass Spam Attacks

Many states are proposing and launching aid packages for their nationals. Aid packages have already been exploited in the United States in phishing attacks shortly after the package was announced. Earlier this week the German Government aid package was also exploited with phishing. The attackers set up a more elaborate spoof. They faked the aid domain, emailed German citizens with spearphishing, and social engineered them to visit the spoofed site. They then harvested victims’ personally identifiable information and used it to claim real aid on the real government URL. Losses are estimated to be many millions of euros.

Further evidence of mass backdoor and info stealing attacks 

A prominent and steady pattern throughout the pandemic has been that the majority of COVID-19 themed attacks are aimed at establishing remote access to an internal trusted network. Trickbot currently leads mass-spam type infections exploiting COVID-19 themes. In our initial investigation into early phishing attacks, we found most attacks featuring Emotet. These are both relatively advanced and well-developed Remote Access Trojans (RATs) featured prominently in phishing and contain significant obfuscation in both the Delivery and Command and Control phases. These payloads provide a gateway for further malware. The largest risk from the additional payload is ransomware and info-stealers. These risks are very significant now, given the rise in risk to the healthcare sector highlighted last week.

A report this week of a Maze ransomware attack against Cognizant serves as a prime example of the potential impacts from the initial waves of mass spam attacks observed planting backdoors and RATs. It is highly suspected that the ransomware infection was the direct result of access previously brokered on the Dark Web, from an earlier attack against Cognizant by a separate threat actor. It appears a COVID-19 theme was absent in the ransomware attack. The report states access was first advertised April 11, 2020 via the Dark Web. Many other companies face similar risk because the initial activity spread wide and globally.

At the extreme end of COVID-19 info-stealing attacks, EclecticIQ analysts observe recent mass attacks featuring malware that is much closer to “spyware” in terms of capabilities and invasiveness. The more advanced malware used in the mass attacks described above demonstrates that better designed and more capable malware is infiltrating the threat actor groups responsible for the highest volumes of attacks. This attack represents an escalation from attacks using remote access trojans (RATs) because spyware is typically much more invasive in terms of what it can capture.

Misinformation Continues to Escalate as Attacks Occupy Many Forms 

Earlier this week in the Netherlands, attackers sent out spoofed SMS messages pretending to be official and directing people to purchase COVID-19 related medical supplies on an external website. The Dutch authorities were quick to issue counter alerts via multiple separate channels and the scam is not believed to have been widely effective.

COVID-19 misinformation is traveling via physical channels which serve to reinforce ideas circulated electronically. In Australia, threat actors distributed physical pamphlets in a spam-type attack that inflamed existing conspiracy theories regarding COVID-19. Those conspiracies began online. Physical demonstrations amplify misinformation and capture wider attention.

“Unknown activists have posted nearly 25,000 email addresses and passwords allegedly belonging to the National Institutes of Health, the World Health Organization, the Gates Foundation and other groups working to combat the coronavirus pandemic”. Although the credentials posted online were from previous data dumps of compromised credentials (some compromised over five years ago) and not newly compromised accounts, the recycled credential dump was immediately weaponized by right-wing social media groups in the US. These types of activities serve to further inflame existing conspiracy theories that promote political divides ahead of the 2020 election.

A recent report shows that international misinformation against US citizens began early, just as the pandemic started to hit the country hard. The report states Chinese officials spread discord over SMS messages by claiming the country was about to enter a lockdown. The US is shaping up to be central to attacks using disinformation operations that exploit the pandemic environment.

Rising Risks to Mobile Apps and Opportunity to Exploit Mass Populations 

Pandemic lockdowns began with Italy on March 11, 2020. As the pandemic stretches out, many nations have signaled a need for a tracking technology. Many different apps will be developed to fit the unique requirements of different nations, technology, and manufacturers. The tracking technology must work on a mobile device and that necessitates the development of an app. Having many apps will greatly expand the attack surface for threat actors via fake-app delivery TTPs. It is highly likely that attacks will shift to mobile app TTPs, largely featuring fake apps. Individuals everywhere should be sure to retrieve such apps only from official app stores to reduce the risk of malware.