As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.
This is the eighth report in a weekly series of updates to inform readers of important developments in COVID-19-themed attacks.
The US and UK issue a joint alert on APT attacks against the “international COVID-19 responses”.
Threat actors exploit cloud environments with similar patterns of attack activity.
General COVID-19-themed attacks continue to recycle elements at high volume, providing a good use case for threat intelligence.
COVID-19 propaganda and disinformation efforts currently center on China and the United States.
The US and UK Issued a Joint Warning to Healthcare This Week.
The alert specifies “ongoing activity by APT groups against organisations involved in both national and international COVID-19 responses.” The CISA alert highlights password spraying detection in related attacks; threat actors “spray” a limited set of previously compromised passwords against possible account usernames until a username matching the password is identified. This TTP (Tactics, Techniques, and Procedures) can be more difficult to detect than typical brute-forcing because it generates less volume and alerting: the attack does not cause multiple failed password attempts against the same username, but achieves the same goal of unauthorized access. The notice includes a list of further mitigation resources.
The joint warning comes on the heels of our key finding highlighted in last week’s report that “APTs present a growing threat to strategic information related to COVID-19 treatments and vaccines”. EclecticIQ analysts expect this activity to escalate further. Economic pressures will grow as the pandemic and lockdowns extend. This will provide incentives for state-to-state data-stealing attacks over strategic COVID-19 medicines information.
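The detection point above, that spraying is low per account but wide across accounts, is easiest to see in code. The following added example (not from the EclecticIQ report or the CISA alert) runs a simple low-and-wide detector over constructed authentication events: one source failing against many distinct usernames within a window, each only once or twice, is flagged, and any success from that source in the same period is listed for follow-up. Thresholds and event format are assumptions.

```python
"""Password-spray detection over constructed authentication events.
Spraying produces few failures per username but many distinct usernames
failing from one source, so per-account lockout thresholds miss it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
SAMPLE_EVENTS = [
    ("2020-05-08T09:00:01", "203.0.113.5", "alice", "FAIL"),
    ("2020-05-08T09:00:04", "203.0.113.5", "bob", "FAIL"),
    ("2020-05-08T09:00:07", "203.0.113.5", "carol", "FAIL"),
    ("2020-05-08T09:00:10", "203.0.113.5", "dave", "FAIL"),
    ("2020-05-08T09:00:13", "203.0.113.5", "erin", "FAIL"),
    ("2020-05-08T09:00:16", "203.0.113.5", "frank", "SUCCESS"),
    # A user mistyping their own password twice: wide=1, should not flag.
    ("2020-05-08T09:05:00", "198.51.100.7", "alice", "FAIL"),
    ("2020-05-08T09:05:30", "198.51.100.7", "alice", "FAIL"),
    ("2020-05-08T09:06:00", "198.51.100.7", "alice", "SUCCESS"),
]

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: finding} for sources whose failures inside `window`
    span at least `min_users` distinct usernames with at most `max_per_user`
    failures each, plus successes from that source during and after the spray."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in sorted(events):
        by_src[src].append((datetime.fromisoformat(ts), user, outcome))
    findings = {}
    for src, rows in by_src.items():
        fails = [(t, u) for t, u, o in rows if o == "FAIL"]
        for i, (t0, _) in enumerate(fails):          # slide the window over failures
            in_win = [(t, u) for t, u in fails[i:] if t - t0 <= window]
            per_user = defaultdict(int)
            for _, u in in_win:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                t_end = in_win[-1][0]
                hits = sorted({u for t, u, o in rows
                               if o == "SUCCESS" and t0 <= t <= t_end + window})
                findings[src] = {"users_targeted": len(per_user), "successes_after": hits}
                break
    return findings

if __name__ == "__main__":
    for src, f in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {f['users_targeted']} users sprayed, successes={f['successes_after']}")
```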
Germany’s Healthcare Provider Falls Victim to Ransomware
Earlier this week Palo Alto released a report detailing COVID-19-themed threats to cloud infrastructure. The results use newly registered DNS names matching COVID-19 string variations in titles or names. The report shows that threat actors have exploited the AWS platform the most (70% of all detections), followed by Google (25% of all detections). The United States has the highest number of malicious domains at 29,007, followed by Italy at 2,877.
COVID-19 threats to cloud environments follow similar patterns to threats over traditional infrastructure; threat actors flock to the high-volume environments where they are more likely to find victims with exploitable systems due to weak configurations. AWS has had the highest adoption as a cloud platform since at least 2016.
Cloud environments provide advantages to threat actor command and control (C2). Threat actors use multiple IP mappings to route traffic through a shared domain or CDN (Content Delivery Network). They can also reconfigure new C2 more easily. This helps prevent blacklisting, bypass security filters, and obfuscate their C2. Cloud-based attacks show how threat actors are agile and are able to adapt to situations that change rapidly, including IT security responses during the pandemic. Cloud security should be addressed to the same levels as the rest of an organization’s infrastructure.
Attacks Using Recycled Components Remain High-Volume.
Another recent report highlights how threat actors pattern their attacks during a prolonged opportunity such as the pandemic. Non-APT actors will often reuse TTPs, infrastructure, and themes as time goes on. Strategic and operational threat intelligence is very effective at mitigating these types of attacks. Threat intelligence allows organizations to build up an organized repository of attack information where analysis can be used to highlight these patterns and discover mitigations that are effective against many attacks at once.
In another example of high-volume attacks, analysts observe that attacks against the remote workforce remain popular. One of the most popular delivery vectors currently remains fake Zoom apps that download remote access trojans. Zoom continues to be exploited because of its current popularity.
A more accurate COVID-19 attack-volume report was released. The new study, like older studies presented in our earlier weekly reports, looks at title and name strings related to ‘COVID-19’. Instead of scraping all DNS registries, the ICANN study looks at DNS zone files. Zone files, practically and authoritatively, function as lists of active DNS entries. This collection methodology ensures fewer false positives such as parked domains. The results from the study bring total new malicious DNS names to about 12% of total names active and likely participating in attacks since the start of the pandemic. This is a much more reasonable and realistic figure than other numbers we have observed above 20%.
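To illustrate the zone-file methodology described above, here is an added example (not from the ICANN study or the EclecticIQ report) that parses a constructed zone-file fragment, keeps only delegated (NS) names, and matches the leftmost label against COVID-19 theme variants, with a brand allow-list to suppress obvious false positives. The fragment, the regex and the allow-list are assumptions.

```python
"""Flag COVID-19-themed names in a DNS zone-file fragment (constructed data).
Zone files list only delegated, active names, so matching on them yields
fewer false positives than scraping raw registration data."""
import re

# Constructed zone-file fragment in RFC 1035 master-file syntax; not real data.
ZONE_FRAGMENT = """\
$ORIGIN example.
$TTL 3600
covid19-relief      IN NS  ns1.hosting.example.
covid19-relief      IN NS  ns2.hosting.example.
corona-virus-masks  IN NS  ns1.other.example.
; comment lines are ignored
coronado-hotels     IN NS  ns1.other.example.
c0vid-vaccine       IN NS  ns1.other.example.
ncov-tracker        IN NS  ns1.other.example.
covidien            IN NS  ns1.other.example.
unrelated-shop      IN NS  ns1.other.example.
"""
# Theme variants: covid/c0vid with optional separator and 19, coronavirus, ncov.
THEME_RE = re.compile(r"c[o0]vid[-_]?(19)?|corona[-_]?virus|\bncov", re.I)
KNOWN_BENIGN = {"covidien"}  # constructed allow-list of legitimate brand names

def parse_zone(text):
    """Yield (fully qualified owner, record type), resolving $ORIGIN."""
    origin = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        parts = line.split()                      # owner [class] type rdata
        owner = parts[0].rstrip(".") if parts[0].endswith(".") else f"{parts[0]}.{origin}"
        rtype = parts[2] if parts[1].upper() == "IN" else parts[1]
        yield owner, rtype.upper()

def flag_themed_names(text):
    """Return delegated names whose leftmost label matches a theme variant."""
    seen, flagged = set(), []
    for owner, rtype in parse_zone(text):
        if rtype != "NS" or owner in seen:        # only delegations, deduplicated
            continue
        seen.add(owner)
        label = owner.split(".")[0]
        if THEME_RE.search(label) and label not in KNOWN_BENIGN:
            flagged.append(owner)
    return flagged
```

Note that "coronado-hotels" is correctly left alone while "c0vid-vaccine" is caught; tune the regex to the lookalikes you actually observe rather than widening it blindly.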
Threat intelligence adds considerable value in defense against these attack patterns. Analysts can build up a repository of known attacks across their company and industry vertical. TTPs can be analysed quickly to find common elements in new attacks, and graphs can be used to visualize entire attack patterns over different phases of the Kill-Chain. This allows organizations to adapt defenses more quickly, and provides a clear route to future mitigation and risk reduction based on established courses of action.
The graphic below shows structured threat intelligence focusing on ransomware attacks that have occurred across our weekly updates. A TTP-level analysis quickly highlights how ransomware families are rapidly adopting new exfiltration TTPs to incentivize ransom payments.
The ability to quickly curate and group relevant intelligence around these TTPs provides defense teams with the actionable relevant information to defend against these threats, along with important context to the attack pattern so that they can quickly and effectively work to mitigate the risk.
TTP links across ransomware families used in pandemic, as displayed in EclecticIQ Platform.
Current Patterns Signal Attacks Shifting to Target Counterfeit COVID-19 Related Goods for Financial Gain.
Europol has alerted to cybercriminal activity shifting focus to pandemic-related counterfeit goods scams. The activity is supported by illicit trade in said goods on the dark market. Europol indicates the scams may be escalating to organized-crime levels. These attacks are likely to come as spearphishing emails soliciting orders or as fake listings on ‘safe’ medical supply sites. EclecticIQ analysts previously observed BEC-style attacks on medical supplies, highlighted in our Week 16 report, that were also well organized. Since then, Singapore has declared a large-scale, major disruption to a counterfeit goods ring operating in its region. These attacks will remain effective as countries and individuals compete to secure resources during the pandemic.
The ransomware family used was “Nefilim”, which has a tentative relationship to the “Nemty” family. This ransomware has not made an appearance recently, but earlier analysis states that Nefilim has had the Ransomware-as-a-Service module removed, making its execution and targeting more deliberate than other infections automated by bots like Emotet. An earlier ransom note claims the payload has data exfiltration capabilities like other prominent families, Maze and Sodinokibi.
COVID-19 Tracking Technologies Expose Private High-Risk Information That Could be Used in a Range of Further Attacks.
Reports show that developing tracking technologies are already leaking data upon initial release. Malicious attacks will amplify any existing information exposure due to poor configuration. India’s largest cell network, Jio, developed COVID-19 symptom checking software accessible via mobile. Its databases were found to be leaking data that allowed researchers to geolocate users. Millions of logs and records were exposed starting April 17, 2020. The issue had been reported remediated at the time of writing.
Current Sources of Disinformation Include China and Online Conservative Groups.
BBC’s researchers and a British think tank, the Institute of Strategic Dialogue, found that a limited set of ideologically-linked groups were reportedly responsible for “many thousands of links directing users to fringe political and health websites.” The findings have implications for political signalling in public discourse. Specifically, leaders who do not publicly disavow support of activities that result from false information online may, perhaps unwittingly, help stoke propaganda designed to take advantage of messaging from a unified conservative-leaning base.
Additionally, the Chinese government has tried to influence its global image and perceived effectiveness in handling the pandemic. Bellingcat provides a visual representation and analysis of a botnet with links to China and Russia, which was used effectively to amplify false information on Twitter and Facebook in order to, according to Bellingcat, “skew the narrative around varying topics, and to push set agendas.” Disinformation from the botnet has reportedly encompassed the Hong Kong protests, cryptocurrency, and COVID-19.
The United States is also participating in misleading and unclear statements through the US President, who may be stoking confusion around the virus origins. When misinformation is initiated or subtly supported by leaders, it is easier for political discourse to exploit “data voids”, or missing pieces of information, to build its own agendas. These data voids can be rapidly amplified further by members of associated political groups or state-run cyberattack operations on social media platforms. One agenda could serve to damage, or repair, China’s global image; another could be a public relations effort to boost local sentiment regarding pandemic response measures.