EclecticIQ
June 23, 2020

EclecticIQ Pandemic Intelligence Update - Week 26

As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis. This is the 14th report in a weekly series of updates on important developments in COVID-19-themed attacks.

Key Findings
  • Risk to mobile apps remains high and related attack reporting is increasing.
  • Robocallers target US individuals with social engineering attacks to commit fraud.
  • Across the globe, threat actor attack volume targeting a particular country correlates with national rates of infection.
Analysis

Attack Patterns Continue To Focus On COVID-19 Mobile Apps.

The FBI has alerted to criminals targeting mobile banking apps. Criminals will likely increase targeting of individuals and their accounts because the pandemic is forcing more people to use banking apps to access accounts remotely. Threat intelligence highlights two TTP (Tactics, Techniques, and Procedures) patterns in use: banking trojans and fake banking apps. Banking trojans are malware that sometimes piggybacks on other downloads. The trojan activates when a victim next attempts to access their bank account. Fake banking apps are malicious apps masquerading as legitimate bank applications, and they present the greater risk of the two. The banking app attacks represent an opportunity whereby threat actors are keying into less specific COVID-19 themes and instead are looking to exploit more general environments created by the pandemic. More traditional attack patterns, like banking trojans, paired with updated delivery-phase TTPs continue to be effective for threat actors employing COVID-19-themed attacks.

Official tracking apps with poor configuration will magnify the effects of any attacks. Poor configuration will increase the attack surface of these apps via poor quality assurance and due diligence. Australia’s official app was recently found to perform poorly due to bad configuration. The federal Digital Transformation Agency (DTA) revealed that the official app was “listed as out of scope for its tests on both Android and iOS were security and penetration testing and load and stress testing.” Penetration testing is crucial for identifying security and configuration issues as recommended under the ISO 27001 standard. Penetration testing can effectively reduce the attack surface of an application and identify privacy issues prior to release.

Norway recently took steps to minimize the attack surface on its official COVID-19 app, suspending it after a risk-benefit analysis. No official weakness or vulnerability was described. Officials made the decision that the general privacy exposure presented by data collection practices outweighed the benefit of using the app and potentially exposing citizen data. Private information that is leaked via official channels like government tracking apps is commonly used in further, more consequential attacks on the individuals concerned. The decision by Norway will protect citizen data from compromise and further attacks. Norway is the only country to have made such a decision to reduce its attack surface.

United States: Robocalls Targeting Senior Citizens

Threat actors are combining misinformation with traditional attack patterns to increase the effectiveness of robocall TTPs. 91% of US individuals report perceiving an increase in such calls. Weaker cellular regulation in the US, relative to the rest of the world, enables robocall TTPs. The attacks are aimed at financial gain via social engineering. Most of the calls express COVID-19 themes specific to treatments and exposure. Medical information manipulation is likely aiding attack efficacy and contributing to higher attack volume.

COVID-19 Attack Patterns Follow Country-Level Infection Rates

Country-level data released by Microsoft confirms and validates earlier global trends showing how threat actors and attack patterns closely follow regional changes during the course of the pandemic. The data illustrates how different countries compared with the global peak in attack volume, which occurred in approximately mid-March 2020. The UK and US both experienced national peaks at approximately the same time, while the Republic of Korea experienced its first peak earlier, in approximately early March, and then another in mid-May after infections briefly increased. EclecticIQ analysts expect threat actor activity to increase significantly in any State that experiences a resurging infection rate in the future.