newspaper-fold Covid-19 Threat Intelligence Blog

Pandemic Intel week 43: Threat Actors Target Remote Employees with COVID-19 Conspiracy

October 19, 2020

EclecticIQ Pandemic Intelligence Week 43

Key Findings
  • Canada, India, and the United States are affected by larger volumes of initial access attacks relative to global distribution.
  • The education sector faces rising attacks from initial-access sellers.
  • Higher education institutions are at medium risk of APT attacks aimed at stealing research.
  • High risk of DDoS impact to organizations increasingly reliant on E-commerce and remote infrastructure.
  • Misinformation and conspiracy around high-profile COVID-19 events are highly effective in phishing attacks.

Canada, India, and the United States Face Greater Relative Volumes Globally of Initial-Access Attacks and Implicate Further Cyberattack Risk.

The Initial Access market (selling persistent remote access to compromised networks), is well established and exploding. Kela has measured a tripling over the past month. Approximately half of all measured activity targets Canada, India, and the United States. The increased activity is partly due to an increase in exploitation of vulnerabilities disclosed starting Summer, 2019 and specific to network security appliances at the network perimeter, including VPNs, network gateways, and VNC. These vulnerabilities are public-facing and are exploited in steadily increasing volume. The report only looks at open hacking forums, and actual activity volumes are certain to be much higher. 


Education Institutions Are at High-Risk of Attacks That Establish Initial Access For Further Attacks.

Threats to education are affected by the growth of the initial access market. Many recent ransomware attacks have been aided by initial access sellers. This evidence corroborates the growing collaboration of cybercriminal specialty groups abetted by dark web sites where ideas and attacks are exchanged. This attack specialization and collaboration enables more cyberattacks because multiple groups increasingly provide each other with different phases of the attack kill-chain. Threat actors need only to complete a single attack phase before they can monetize it on the dark web.

Education Institutions Are at Medium Risk of APT Attacks to Steal Research.

An APT group allegedly tied to Iran is operating spearphishing attacks directed at higher education organizations across the globe since the start of the 2020 school year. The APT operations are possibly in response to continued sanctions against Iran. Current sanctions make it more difficult to participate in sharing of research and the attacks aimed at stealing research data is a method to stay current on technologic developments that align with national interests. Current operations spoof domains of western universities. The APT group is likely using the attacks to retrieve access credentials to the internal networks of higher education systems so that they can launch further malware and steal research data.

Threat from DDoS Brings High-Risk to all Organizations Increasingly Dependent on Online Infrastructure.

As companies increase E-commerce business and remote employee activity due to the pandemic, the risk and impact from DDoS attacks significantly increases. One or more threat actor groups have been rapidly increasing DDoS operations, affecting many organizations globally. The actor(s) extort victims with the threat of denial of service and prevent any further communication as to disable negotiation.

Threat Actors Target COVID-19 Misinformation and Conspiracy to Craft More Effective High-Volume Spam Creating High-Risk to Remote Employees.

High-volume attacks are using phishing lures tied to conspiracy and misinformation to increase the effectiveness of new attacks. The attacks push commodity malware BazoLoader, a loader that serves further malware. It is common for loader malware to be used with credential stealing modules for obtaining initial access to networks, which can then be sold on dark web marketplaces. Remote employees are at high-risk to these attacks because of less or weakened security controls. If the malware is able to phish the employee, threat actors can gain credentials that allow them into the internal network of the victim’s organization.


As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis. This is the 31st report in a weekly series of updates to inform of important developments to COVID-19-themed attacks.

3 more posts you might like