Covid-19 Threat Intelligence Blog

EclecticIQ Pandemic Intelligence Update - Week 20

May 12, 2020


As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.

This is the eighth report in a weekly series of updates on important developments in COVID-19-themed attacks.

Key Findings 
  • The US and UK issued a joint alert on APT attacks against the “international COVID-19 responses”. 
  • Threat actors exploit cloud environments with patterns of attack activity similar to those seen against traditional infrastructure. 
  • General COVID-19-themed attacks continue to recycle components in high volume, providing a good use case for threat intelligence. 
  • COVID-19 propaganda and disinformation efforts currently center on China and the United States. 
Analysis 

The US and UK Issued a Joint Warning to Healthcare This Week 

The alert specifies “ongoing activity by APT groups against organisations involved in both national and international COVID-19 responses”. The CISA alert highlights password spraying detection in related attacks: threat actors “spray” a limited set of previously compromised passwords against possible account usernames until a username matching the password is identified. This TTP (Tactics, Techniques, and Procedures) can be more difficult to detect than typical brute-forcing because it generates less volume and less alerting: the attack does not cause multiple failed password attempts against the same username, so per-account lockout thresholds are never reached, yet it achieves the same goal of unauthorized access. The notice includes a list of further mitigation resources. 
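The detection point made above (a spray is many usernames with one or two failures each, while a brute force is many failures on one username) is easier to see in code. The following is an added example written for this post, not code from EclecticIQ or from the CISA alert. It runs over a constructed, hypothetical authentication log in the format "timestamp source_ip username FAIL|SUCCESS" and classifies each source IP inside a sliding time window; the thresholds are illustrative assumptions and would be tuned to an environment's real baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format:
# "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>"). Three sources:
# a low-and-slow spray, a classic brute force, and a user who mistyped once.
SAMPLE_AUTH_LOG = """\
2020-05-11T08:00:01Z 203.0.113.5 alice FAIL
2020-05-11T08:00:09Z 203.0.113.5 bob FAIL
2020-05-11T08:00:17Z 203.0.113.5 carol FAIL
2020-05-11T08:00:25Z 203.0.113.5 dave FAIL
2020-05-11T08:00:33Z 203.0.113.5 erin FAIL
2020-05-11T08:00:41Z 203.0.113.5 frank SUCCESS
2020-05-11T08:01:00Z 198.51.100.7 admin FAIL
2020-05-11T08:01:01Z 198.51.100.7 admin FAIL
2020-05-11T08:01:02Z 198.51.100.7 admin FAIL
2020-05-11T08:01:03Z 198.51.100.7 admin FAIL
2020-05-11T08:01:04Z 198.51.100.7 admin FAIL
2020-05-11T08:01:05Z 198.51.100.7 admin FAIL
2020-05-11T08:02:00Z 192.0.2.9 alice FAIL
2020-05-11T08:02:10Z 192.0.2.9 alice SUCCESS
"""

SEVERITY = {"benign": 0, "brute_force": 1, "password_spray": 2}


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort()
    return events


def classify_sources(events, window=timedelta(minutes=30), spray_min_users=5,
                     spray_max_fail_per_user=2, brute_min_fail=5):
    """Classify each source IP by the shape of its failures inside a sliding window.

    password_spray: many distinct usernames, each with very few failures
                    (the pattern per-account lockout counters never see).
    brute_force:    many failures against a single username.
    success_after_spray is set when a SUCCESS arrives while the spray pattern
    is active, i.e. the sprayed credential matched an account.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        recent = deque()                    # events still inside the window
        fails_per_user = defaultdict(int)   # username -> failures in window
        summary = {"verdict": "benign", "distinct_users": 0,
                   "max_fail_per_user": 0, "success_after_spray": False}
        for ts, _, user, result in evs:
            # Evict events older than the window and undo their failure counts.
            while recent and ts - recent[0][0] > window:
                _, old_user, old_result = recent.popleft()
                if old_result == "FAIL":
                    fails_per_user[old_user] -= 1
                    if fails_per_user[old_user] == 0:
                        del fails_per_user[old_user]
            recent.append((ts, user, result))
            if result == "FAIL":
                fails_per_user[user] += 1

            distinct = len(fails_per_user)
            max_fail = max(fails_per_user.values(), default=0)
            if distinct >= spray_min_users and max_fail <= spray_max_fail_per_user:
                verdict = "password_spray"
            elif max_fail >= brute_min_fail:
                verdict = "brute_force"
            else:
                verdict = "benign"

            if result == "SUCCESS" and verdict == "password_spray":
                summary["success_after_spray"] = True
            if SEVERITY[verdict] > SEVERITY[summary["verdict"]]:
                summary["verdict"] = verdict
            summary["distinct_users"] = max(summary["distinct_users"], distinct)
            summary["max_fail_per_user"] = max(summary["max_fail_per_user"], max_fail)
        report[ip] = summary
    return report


if __name__ == "__main__":
    for ip, s in classify_sources(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, s)
```

The design choice worth noting is that the spray rule keys on the number of distinct usernames per source rather than on failures per account, which is exactly the axis a per-account lockout policy ignores; a successful login that lands while that pattern is active is the highest-value alert, since it marks the account the sprayed password fit. In practice the source key should also cover the originating ASN or a shared proxy, since sprays are often distributed across many IPs.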

The joint warning comes on the heels of our key finding highlighted in last week’s report that “APTs present a growing threat to strategic information related to COVID-19 treatments and vaccines”. EclecticIQ analysts expect this activity to escalate further. Economic pressures will grow as the pandemic and lockdowns extend, providing incentives for state-to-state data-stealing attacks over strategic COVID-19 medicines information. 

Germany’s Healthcare Provider Falls Victim to Ransomware 

The Fresenius Group operates a large distributed medical network based in Germany. Its infrastructure was hit with a SNAKE ransomware variant. Based on previous analysis, Snake variants exfiltrate data prior to encryption and are aggressive in targeting as much of the network as possible. The infection was activated sometime on or before May 5, 2020. Krebs on Security quotes a source who stated the ransomware “had affected every part of the company’s operations around the globe”. Further details will become available as investigations proceed. 

COVID-19 Threats to Cloud Environments 

Earlier this week Palo Alto released a report detailing COVID-19-themed threats to cloud infrastructure. The results are based on newly registered DNS names matching COVID-19 string variations in titles or names. The report shows that threat actors have exploited the AWS platform the most (70% of all detections), followed by Google (25% of all detections). The United States has the highest number of malicious domains at 29,007, followed by Italy at 2,877. 

COVID-19 Threats to cloud environments follow similar patterns to threats over traditional infrastructure; threat actors flock to the high-volume environments where they are more likely to find victims with exploitable systems due to weak configurations. AWS has had the highest adoption as a Cloud platform since at least 2016. 

Cloud environments provide advantages to threat actor command and control (C2). Threat actors use multiple IP mappings to route traffic through a shared domain or CDN (Content Delivery Network), and they can stand up new C2 more easily. This helps them evade blacklisting, bypass security filters, and obfuscate their C2. Cloud-based attacks show how agile threat actors are and how quickly they adapt to rapidly changing situations, including IT security responses during the pandemic. Cloud security should be addressed to the same standard as the rest of an organization’s infrastructure. 

Attacks Using Recycled Components Remain High-Volume. 

Another recent report highlights how threat actors pattern their attacks during a prolonged opportunity such as the pandemic. Non-APT actors will often reuse TTPs, infrastructure, and themes as time goes on. Strategic and operational threat intelligence is very effective at mitigating these types of attacks. Threat intelligence allows organizations to build up an organized repository of attack information where analysis can be used to highlight these patterns and discover mitigations that are effective against many attacks at once.  

In another example of high-volume attacks, analysts observe that attacks against the remote workforce remain popular. One of the most popular delivery vectors currently is fake Zoom apps that download remote access trojans. Zoom continues to be exploited because of its current popularity. 

A more accurate COVID-19 attack-volume report was released. The new study, like older studies presented in our earlier weekly reports, looks at title and name strings related to ‘COVID-19’. Instead of scraping all DNS registries, the ICANN study looks at DNS zone files. Zone files, practically and authoritatively, function as lists of active DNS entries. This collection methodology ensures fewer false positives such as parked domains. The results from the study bring the total of new malicious DNS servers to about 12% of total names active and likely participating in attacks since the start of the pandemic. This is much more reasonable and realistic than other numbers we have observed above 20%. 
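To make the zone-file methodology concrete, here is an added example (written for this post, not ICANN's or EclecticIQ's tooling) that reads a constructed, hypothetical zone-file excerpt in RFC 1035 presentation format, collects the delegated (NS) owner names, and matches them against a small set of COVID-19 string variations. The term list is an assumption; a real study would use a far larger one and would still treat a themed name as a candidate for review, not as proof of malice.

```python
import re

# Constructed zone-file excerpt with hypothetical names (RFC 1035 presentation
# format: owner TTL class type rdata). Only delegation (NS) records are listed,
# which is what a TLD zone file contains for each registered, active name.
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 86400
; constructed excerpt, not real zone data
covid19-relief-fund.example.     86400 IN NS ns1.hoster.example.
covid19-relief-fund.example.     86400 IN NS ns2.hoster.example.
coronavirus-maps-live.example.   86400 IN NS ns1.hoster.example.
my-bakery.example.               86400 IN NS ns1.hoster.example.
ncov-test-kits.example.          86400 IN NS ns1.hoster.example.
discover-idaho.example.          86400 IN NS ns1.hoster.example.
"""

# Assumed list of COVID-19 string variations; case-insensitive substring match.
COVID_TERMS = re.compile(r"(covid|corona|ncov|sars-?cov|pandemic|vaccin|quarantin|lockdown)", re.I)


def delegated_names(zone_text):
    """Return the set of owner names that have at least one NS record.

    Comments (';'), blank lines and $-directives are skipped. The record type
    is looked up positionally after the owner so that entries with or without
    an explicit TTL or class are both handled.
    """
    names = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        if "NS" in tokens[1:]:
            names.add(tokens[0].rstrip(".").lower())
    return names


def covid_themed(names):
    """Filter a name set down to those matching the COVID-19 term list, sorted."""
    return sorted(n for n in names if COVID_TERMS.search(n))


def summarize(zone_text):
    """Count active names versus themed names, the ratio the study above reports."""
    names = delegated_names(zone_text)
    hits = covid_themed(names)
    return {"active": len(names), "themed": hits,
            "share": round(len(hits) / len(names), 3) if names else 0.0}


if __name__ == "__main__":
    print(summarize(SAMPLE_ZONE))
```

Deduplicating on the owner name matters: a single domain typically carries two or more NS records, so counting records rather than names would inflate the totals. The "discover-idaho" entry is included deliberately to show that a term list must be specific enough not to fire on incidental substrings.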

Threat intelligence adds considerable value in defense of these attack patterns. Analysts can build up a repository of known attacks across their company and industry vertical. TTPs can be analysed quickly to find common elements in new attacks, and graphs can be used to visualize entire attack patterns over different phases of the Kill-Chain. This allows organizations to adapt defenses more quickly, and provides a clear route to future mitigation and risk reduction based on established courses of action. 

The graphic below shows structured threat intelligence focusing on ransomware attacks that have occurred across our weekly updates. A TTP-level analysis quickly highlights how ransomware families are rapidly adopting new exfiltration TTPs to incentivize ransom payments.

The ability to quickly curate and group relevant intelligence around these TTPs provides defense teams with actionable, relevant information to defend against these threats, along with important context on the attack pattern so that they can quickly and effectively work to mitigate the risk. 

TTP links across ransomware families used in pandemic, as displayed in EclecticIQ Platform. 

Current Patterns Signal Attacks Shifting to Target Counterfeit COVID-19 Related Goods for Financial Gain. 

Europol has alerted to cybercriminal activity shifting focus to pandemic-related counterfeit goods scams. The activity is supported by illicit trade in said goods on the dark market. Europol indicates the scams may be escalating to organized-crime levels. These attacks are likely to come as spearphishing emails soliciting orders or as fake listings on ‘safe’ medical supply sites. 
 
EclecticIQ analysts previously observed BEC-style attacks on medical supplies, highlighted in our Week 16 report, that were also well organized. Since then, Singapore has announced a large-scale, major disruption of a counterfeit goods ring operating in its region. These attacks will remain effective as countries and individuals compete to secure resources during the pandemic. 

Attacks related to COVID-19 products can escalate to affect larger supply chains. This week, an Australian shipping and freight firm suffered a ransomware attack for the second time. It is unclear at this time what effect the payload may have had on operations, but the firm is a high-volume regional supplier for many goods. 

The ransomware family used was “Nefilim”, which has a tentative relationship to the “Nemty” family. This ransomware has not made an appearance recently, but earlier analysis states that Nefilim has had the Ransomware-as-a-Service module removed, making its execution and targeting more deliberate than other infections automated by bots like Emotet. An earlier ransom note claims the payload has data exfiltration capabilities like other prominent families, Maze and Sodinokibi. 

COVID-19 Tracking Technologies Expose Private High-Risk Information That Could be Used in a Range of Further Attacks.  

Reports show that developing tracking technologies are already leaking data upon initial release. Malicious attacks will amplify any existing information exposure caused by poor configuration. India’s largest cell network, Jio, developed COVID-19 symptom-checking software accessible via mobile. Its databases were found to be leaking data that allowed researchers to geolocate users. Millions of logs and records were exposed starting April 17, 2020. The issue had been reported as remediated at the time of writing. 

Current Sources of Disinformation Include China and Online Conservative Groups. 

BBC researchers and a British think tank, the Institute of Strategic Dialogue, found that a limited set of ideologically linked groups were reportedly responsible for “many thousands of links directing users to fringe political and health websites.” The findings have implications for political signalling in public discourse. Specifically, leaders who do not publicly disavow support of activities that result from false information online may, perhaps unwittingly, help stoke propaganda designed to take advantage of messaging from a unified conservative-leaning base. 

Additionally, the Chinese government has tried to influence its global image and the perception of its effectiveness in handling the pandemic. Bellingcat provides a visual representation and analysis of a botnet with links to China and Russia, which was used effectively to amplify false information on Twitter and Facebook in order to, according to Bellingcat, “skew the narrative around varying topics, and to push set agendas.” Disinformation from the botnet has reportedly encompassed the Hong Kong protests, cryptocurrency, and COVID-19. 

The United States is also contributing misleading and unclear statements through the US President, who may be stoking confusion around the virus’s origins. When misinformation is initiated or subtly supported by leaders, it is easier for participants in political discourse to exploit “data voids”, or missing pieces of information, to build their own agendas. These data voids can be rapidly amplified further by members of associated political groups or by state-run cyberattack operations on social media platforms. One agenda could serve to damage, or repair, China’s global image; another could be a public relations effort to boost local sentiment regarding pandemic response measures.