EclecticIQ
October 12, 2020

Pandemic Intel week 42: Ransomware Disrupts Clinical Trial Software Supply Chain in The US

EclecticIQ Pandemic Intelligence Update week 42

Key Findings
  • Ransomware may have impacted COVID-19 vaccine research progress in the US.
  • Advanced attacks using employee benefit lures target organizations and individuals.
Analysis

Ransomware Disrupts Clinical Trial Software Supply Chain in The US.

eResearchTechnology was victim to a Ryuk ransomware variant beginning September 20, that affected software used in many clinical trials. The attack is reported to have slowed progress in some clinical trials over the past two weeks. Healthcare entities impacted include some participating in COVID-19 vaccine research. The attack was allegedly not successful in stealing data from eResearchTechnology or any clinical trial sites, due to effective incident response during the exploitation phase of the initial kill-chain, post compromise. 

 

Individuals and Organizations Are at Increasing Risk of Attacks Using Employee Benefit Lures.

The OceanLotus APT group, with alleged links to Vietnam, used generalized employee benefit informational email attachments to phish victims in the Southeast Asia region. The attacks are notable because the attackers inject data into Windows Error Reporting, enabling them to obfuscate further malicious actions with high effect. The lure content and design is not highly tailored, indicating the campaign is likely opportunistic in nature. The lure is applicable against a wide audience in the region.

Cybercriminals are targeting employee relief efforts in Canada to harvest banking credentials and personal information. The attacks use lures spoofing the CERB (Canada Emergency Response Benefit) and are well-detailed. The emails redirect users to interactive landing pages where their banking credentials and other personal information is harvested.

Another attack orchestrated by unidentified threat actors used email lures from the IRS (Internal Revenue Service) with a malicious attached document about COVID-19 relief funds. The campaign leveraged a compromised SharePoint account and server to increase the legitimacy of the spoofed emails and bypass security warnings. The SharePoint form asks for email credentials, Social Security numbers, driver license numbers, and tax ID numbers. The attention to SharePoint resources likely indicates that the attack was aimed at larger organizations or enterprise.

The examples above all include TTPs of relatively high-sophistication in at least one Kill-Chain phase. APT groups as well as more common cybercriminals are hooking into opportunities from pandemic-driven economic uncertainty to increase the effectiveness of specific lures to attack both individuals and organizations for personal info, proprietary info, and unauthorized access to internal networks. Economic uncertainty and remote work created via the pandemic are likely key drivers for these and similar attacks.

 

As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis. This is the 30th report in a weekly series of updates to inform of important developments to COVID-19-themed attacks.