EclecticIQ
August 24, 2020

EclecticIQ Pandemic Intelligence Update - Week 35


Key Findings
  • Poor management of healthcare data sharing infrastructure drives further cyberattacks.
  • Medical supply fraud escalates risk to physical harm.
  • Remote workers in non-essential industries face the highest risk from ongoing cyberattacks.
  • Government services with increased funding tied to COVID-19 relief continue to represent attractive targets.
  • Malware-as-a-service operations show a pattern of targeting more specific audiences.
  • Future misinformation campaigns are very likely to focus on vaccine developments with the goal of fraudulent website redirection.

Analysis

Changes to Healthcare Data Sharing Infrastructure Are Very Likely Driving Risk of Attacks on Medical Data.

The creation of ad-hoc, on-demand facilities and new reporting policies across the healthcare industry and between new entities has resulted in more data exposure and more vulnerable systems.

A surge in infrastructure demand to meet the pandemic and share increased data has resulted in the creation of new infrastructure that lacks security controls. The risk of attacks on healthcare will remain high while security management of the expanded healthcare infrastructure is lacking.


Risk From Medical Supply Fraud Escalates to The Highest Level Since The Start of The Pandemic.

Medical supply fraud creates risk of physical harm if the materials used are not controlled. Fraudulent alcohol-based sanitizer has been found to contain dangerous prohibited chemicals that create a threat to life.

Medical supply fraud attacks fund terrorist organizations. Groups aligned with Daesh (ISIS) were responsible for running scam sites directing victims to fraudulent personal protective equipment. The money from victims directly funds the people promoting violent ideology in the Middle East, creating further conflict. The United States Department of Justice recently issued an alert about specific scam sites.


Remote Workers in Non-Essential Industries Face The Highest Risk From Ongoing Cyberattacks.

Remote workers are at risk of cyberattacks from voice phishing. Attackers-for-hire target remote workers while pretending to be IT support that needs to check VPN functionality. The threat actors leverage remote work environments to boost social engineering efficacy. It is likely that these phishing TTPs are driven by the success of phishing in the recent attack against Twitter. The attacks use social engineering to expose employee credentials. Non-essential industries include real estate and retail, among others.


Organizations extending remote work opportunities face a greater risk of cyberattacks against remote access tools and software. Industries deemed “essential” during the pandemic, such as healthcare, financial services, and information technology, face lower risk relative to non-essential industries. The driving risk factor is that essential industries have developed a superior security posture and adopted more thorough security practices as they transitioned to expanded work-from-home environments, greatly reducing their risk.


A study by Malwarebytes found 20% of organizations experienced a data breach after their transition to work-from-home environments as a result of lockdowns.

Organizations expanded their work-from-home infrastructure to enable remote work without extending security best practices to it. Most organizations did not have adequate visibility into the extended network traffic to monitor for security events.


Government Services Tied to COVID-19 Relief Continue to Face High Risk of Cyberattacks.

The Canadian Revenue Agency had to suspend access to online services as a result of a credential stuffing attack. The suspension of online services affected anyone attempting to file for benefits and likely delayed receipt of benefits for a portion of the population. Benefit programs are attractive targets because they hold growing financial assets. Government portals set up for access to such assets possibly represent a smaller attack surface that is easier for threat actors to exploit.


Malware Tailored to Target More Specific Regions Will Present the Greatest Risk from Malware-as-a-Service Operations.

Emotet has been redesigned to target US organizations with new COVID-19 lures. The emails use generic email templates with attachments bearing vague numerical titles. It is highly likely that these attacks are designed to take advantage of the ongoing decentralized pandemic response in the US.


Earlier in 2020, Emotet malware saw several redesigns, with each new iteration targeting users in multiple countries. Until August 6, 2020, recent versions of Emotet were vulnerable to EmoCrash, a specific PowerShell exploit script developed by Team Cymru and other security professionals that prevented payloads from running. EclecticIQ analysts observe new malware being developed to use COVID-19 lures and tailored to target more specific audiences compared to earlier in the lockdowns. As the pandemic drags on, global focus on current events is being replaced by increased interest in more localized current events.

Threat actors are taking advantage of this by attacking more localized, state-level regions rather than applying attacks to a global audience.


Misinformation Campaigns Are Very Likely to Follow Vaccine Development With The Goal of Directing Victims to Fraudulent Websites.

The recent vaccine technology developed in Russia is seeing a flurry of related misinformation circulate on social media platforms.


Generic and geopolitical misinformation focused on the announcement began circulating quickly via multiple social media platforms. The activity comprised a notable volume over a short period of time with no clear immediate link to organized operations. The spread of misinformation creates confusion and causes more people to fall for scam sites that leverage the same misleading information. Threat actors and victims of future misinformation campaigns are very likely to align with and parallel current geopolitical conflicts.


As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis. This is the 23rd report in a weekly series of updates to inform readers of important developments in COVID-19-themed attacks.