EclecticIQ

Covid-19 Threat Intelligence Blog

EclecticIQ Pandemic Intelligence Update - Week 22

May 26, 2020

As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.

This is the tenth report in a weekly series of updates to inform of important developments to COVID-19-themed attacks.

Key Findings

  • Ransomware attacks on healthcare heavily reuse TTPs. Their loaders are gaining sophistication to enable the operators to encrypt a greater volume of assets.
  • New reported TTPs demonstrate a low degree of novelty.
  • Reporting of misinformation related to COVID-19 continues in the US.

Analysis

Attacks Against Vaccine Participants

Threat actors attacked a supercomputer that was partly allocated to COVID-19 research. The attack resulted in a DoS (Denial of Service) condition that rendered the system unusable for vaccine development for an unknown period. According to reporting, no data was exfiltrated. A more detailed presentation on supercomputer attacks, including further details on the specific attack above, can be found here.

Ransomware Loaders Are the Largest Risk to Healthcare

Prolock ransomware poses the latest and most serious security risk to the healthcare industry. The FBI has issued a recent alert. The alert highlights Qakbot malware as the loader responsible for delivery. Qakbot is a modular trojan with TTPs similar to Emotet, Trickbot, and related malware ‘loaders’. Loader payloads are the initial infection: they stage the victim system, providing backdoors and remote access for further tool import and penetration by threat actors. Of the potential final payloads that can be installed by these loaders, ransomware carries the highest risk. The Prolock variants are currently able to delete Volume Shadow Copies contained on the network.

The malware was upgraded by the actors to function more effectively and is now designed to deploy only after a prolonged dwell time. After the initial Qakbot deployment, threat actors spread laterally and pivot across as much of the network as possible. They then deploy encryption via the ransomware payload all at once. Qakbot emerged in early 2018 as a full-featured banking trojan. Since then it has shown strong development and re-tooling. It is now considered a top-tier, modular loader.

Concerned parties can monitor for the very first instance of a loader deployed into their network and quarantine the system until complete DFIR (Digital Forensics and Incident Response) can be performed on the isolated system. Subsequent monitoring should escalate in the immediate aftermath to ensure the threat is contained.
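The two detection points described above (the first loader sighting in the network, and the Volume Shadow Copy deletion that precedes the all-at-once encryption) can be expressed as a small triage pass over process-creation telemetry. The following is an added example, not EclecticIQ tooling or code from any of the cited reports: the Sysmon-style events and the loader hash blocklist are constructed placeholders, and the only real artefacts are the well-known `vssadmin delete shadows` and `wmic shadowcopy delete` command patterns (MITRE ATT&CK T1490, Inhibit System Recovery).

```python
"""Triage process-creation telemetry for ransomware-loader staging.

Added example with constructed events and placeholder hashes; the hash
blocklist would normally be fed from a threat intelligence platform.
"""
import re

# Constructed Sysmon-style (Event ID 1) process-creation records.
# Hash values are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2020-05-20T09:12:03Z",
     "image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "cmdline": "update.exe", "parent": "winword.exe",
     "sha256": "PLACEHOLDER_LOADER_HASH_1"},
    {"host": "WS-01", "time": "2020-05-20T09:15:44Z",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": "explorer.exe",
     "sha256": "PLACEHOLDER_BENIGN_HASH"},
    {"host": "FS-02", "time": "2020-05-24T22:01:10Z",
     "image": r"C:\ProgramData\svc.exe", "cmdline": "svc.exe",
     "parent": "services.exe", "sha256": "PLACEHOLDER_LOADER_HASH_1"},
    {"host": "FS-02", "time": "2020-05-25T03:40:01Z",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": "cmd.exe", "sha256": "PLACEHOLDER_VSSADMIN_HASH"},
    {"host": "FS-02", "time": "2020-05-25T03:40:05Z",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": "cmd.exe", "sha256": "PLACEHOLDER_WMIC_HASH"},
]

# Hypothetical loader hash blocklist (placeholder value).
KNOWN_LOADER_HASHES = {"PLACEHOLDER_LOADER_HASH_1"}

# Command lines that remove Volume Shadow Copies (ATT&CK T1490).
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),  # PowerShell/WMI form
]


def is_shadow_copy_deletion(cmdline):
    """True if the command line matches a known shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_COPY_DELETION)


def triage(events, loader_hashes=KNOWN_LOADER_HASHES):
    """Walk events in time order; return (host, severity, reason) alerts.

    The first loader sighting anywhere in the network is the quarantine
    trigger. A loader on a further host means lateral spread after that
    point, and shadow copy deletion on a loader-staged host signals that
    the encryption stage is about to run.
    """
    alerts = []
    loader_hosts = []  # hosts with a loader sighting, in first-seen order
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["sha256"] in loader_hashes and host not in loader_hosts:
            if not loader_hosts:
                alerts.append((host, "high",
                               "first loader instance in network: isolate host and run DFIR"))
            else:
                alerts.append((host, "critical",
                               "loader on additional host: lateral spread, escalate containment"))
            loader_hosts.append(host)
        if is_shadow_copy_deletion(ev["cmdline"]):
            reason = "shadow copy deletion"
            if host in loader_hosts:
                reason += " on loader-staged host: encryption imminent"
            alerts.append((host, "critical", reason))
    return alerts


if __name__ == "__main__":
    for host, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {host}: {reason}")
```

Run against the constructed events, the pass produces four alerts: a quarantine alert for WS-01 on the first loader sighting, an escalation alert when the same loader appears on FS-02 four days later, and two critical alerts for the shadow copy deletions on FS-02 just before encryption. The same pattern generalises beyond the two sample commands: any pre-encryption behaviour that a report ties to a loader family can be added to the pattern list without touching the first-seen logic.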

A different ransomware syndicate that previously attacked a hospital in Romania has been brought down by law enforcement. The law enforcement operation could be follow-through intended to create a deterrence effect for ransomware.

New Pandemic TTPs

Reporting demonstrates COVID-19-themed TTPs continue evolving and threatening a wide array of different electronic systems. New developments in pandemic current events allow threat actors to continue to develop new attack patterns. The new TTPs represent a minor escalation up the Pyramid of Pain.

In our earlier report we predicted an acute rise in BEC (Business Email Compromise) scams targeting US COVID-19 benefits. A new BEC alert was issued by the US Secret Service recently regarding Scattered Canary, a Nigerian criminal organization, conducting fraud targeting COVID-19 related benefits. Some of their attack patterns involve setting up a spoofed website that mimics unemployment services in a specific state or at a specific company.

Benefits are issued differently in each US state. This expands the attack surface compared to a single national policy: more infrastructure is vulnerable to impersonation. People claiming benefits should check official references to be sure they are connecting to legitimate infrastructure. States do not solicit citizens via email or phone to claim benefits. Any incoming unsolicited communication regarding benefits should be reviewed with high suspicion.

Australia has also reported a surge in attacks using BEC TTPs against health insurance with COVID-19 themes. The data from that report was collected by Palo Alto Networks. Widespread use of BEC TTPs during the pandemic is a testament to their effectiveness. BEC TTPs are relatively easy to adapt and change to new current events.

Android malware is leveraging COVID-19 themes and taking advantage of sideloading techniques to avoid formal Google Play Store review. An app for Android is circulating on unofficial app webpages, labelled as “Covid”. The app uses a stolen, unrevoked certificate to help spoof its legitimacy. The malware in the app can spy on calls, SMS, and basic device information. The attack pattern in the report above relies on using a vague title designed to exploit information-seeking and lure victims. People are likely downloading the app out of curiosity or “choose to install apps that are not available in their region or any official store”. This attack demonstrates why it is important to download apps from official stores. Sideloaded apps are one of the most popular mobile malware delivery vectors. Collected data on the unrevoked certificate’s fingerprint shows it is currently associated with the same family of trojans, all likely targeting Algerians, due to the use of an associated “DZ” domain artifact within collected packages. The certificate has been used in other malicious campaigns in the past. While this attack pattern is newly reported, EclecticIQ analysts note that it still reuses many TTPs such as sideloading and masquerading as a legitimate application.

Another report by Bitdefender details a variant of Android ransomware. The application package is titled “About Koronavirus”. The SLocker ransomware involved in the attack is a repackaged, older variant. The malware design is not particularly robust compared to higher-end families. The code contains several flaws that allow most users to bypass and remove it. The earliest of these repackaged payloads is dated to approximately Feb 21, 2020.

TTP reuse remains at high volume and remains effective with slight variations on similar COVID-19 themes. It is unclear, at this time, which type of attack is more successful when exploiting COVID-19 themes: novel TTPs, or TTPs reused and recycled at massive scale.

Bitdefender published a heat map backed by cumulative recent data that shows how threat actors have adapted and responded to the worst-hit locations of the pandemic. The map is consistent with our previous predictions of hotspots.

Patterns of Misinformation Spread and Escalate in The US

In an earlier weekly update, we noted 5G cellular infrastructure was being sabotaged across parts of Europe. Analysts now observe similar trends backed by the same conspiracy theories, now spreading in the US. The newer attacks are significant because they show how conspiracy theories fuelled on social media platforms can unite similar actions among disparate regional populations.

Political disinformation is spreading rapidly in the US as well. A study from Carnegie Mellon University has produced data showing that of all Twitter accounts “discussing coronavirus or COVID-19,” 62% of the top retweeting accounts were bots. The same source produced data showing that 34% of accounts discussing ‘reopening’ originated from highly orchestrated bot accounts. The methodology behind this report has been questioned and the numbers presented are less certain, because it is difficult to measure large bot networks with a high degree of certainty. The TTPs described in the report are indicative of APT TTPs corroborated in past reports on social media platform exploitation. Bot-curated social media discussions are shaping public policy perception.
