- Threat actors adapt attacks to new infrastructure. Work restrictions during the pandemic created new weak infrastructure links for threat actors to exploit.
- Healthcare attacks demonstrate bold new capabilities. Malware-as-a-Service markets are increasing threat actor capabilities. Major attacks affected healthcare resources and may have impacted human life.
- Malware-as-a-Service solidified over the pandemic. Remote access trojans, backdoors, and ransomware featured prominently in COVID-19 themed attacks. Malware operations are increasingly specialized and traded.
- Threat actors rapidly adapted to shifting opportunities presented by the pandemic.
Threat actors closely followed new opportunities presented by uncertainty created through the pandemic. Many high-volume attacks evolved in parallel to current events.
- Misinformation provided a catalyst for high-volume attacks. Misinformation on social media is increasing and very likely enabled more high-volume attacks that leveraged inaccurate information and information-seeking behavior to perform social engineering.
- Mobile threats during the pandemic.
Risk changed in response to new technology and working environments created through the pandemic. COVID tracking apps provide a new attack surface and carry common concerns regarding privacy, data stewardship, and poor software development practices.
This summary analysis concludes the EclecticIQ COVID-19 initiative, which provided focused weekly updates on developing threats. Our analysts will continue to monitor important developments and publish findings through our threat intelligence platform.
Threat Actors Adapt Attacks to New Infrastructure.
Ransomware attacks on healthcare organizations remained a constant threat during the pandemic. The highest potential impact from ransomware occurred in March and April, when infection rates were rising in many global regions and healthcare resources were under some of the greatest strain. Ransomware infection rates then held steady, but have been climbing again since September 2020.
TTPs Established Across Ransomware Families During the Pandemic.
Ransomware operations have evolved in ways that increase the effectiveness of their attack patterns.
• RaaS (Ransomware-as-a-Service) is well established, allowing more threat actors to participate in attacks using highly effective malware families.
• Exfiltration modules allow threat actors to steal data before encrypting systems. This provides operators with more bargaining power during extortion.
• Big game hunting is the practice of compromising high-value targets and dwelling inside the target network, post-compromise, for an extended period in order to pivot to as many systems as possible. Operators perform 'hands-on' lateral movement and pivoting inside the network prior to encryption, in order to encrypt a maximum number of machines. Attackers verify that the victim has a high net worth or is involved in important operations, so victims are more able and willing to pay for recovery. Larger organizations are increasingly targeted, and ransomware has a larger impact because the business affects other organizations downstream in its supply chain (hospitals, industrial plants, public services). Attacks on managed service providers (MSPs) create a direct risk to their clients: ransomware can spread, and has spread, via dedicated, privileged MSP channels.
Most Malware-as-a-Service (MaaS) activity is delivered through phishing. Rapid development of new current-event phishing lures helped drive successful MaaS operations. Phishing gives threat actors access to privileged environments, which they can then sell to other threat actors who carry out further attacks. Buying and selling access in this way creates a dark-market incentive for, and enables, further cyberattacks.
Brute force attacks were the most common attack pattern against the remote access services expanded to support remote workers, such as VPNs and Remote Desktop Protocol (RDP).
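A defender's view of the brute force pattern described above: the following detector is an added example, not EclecticIQ's code or tooling. It parses a handful of constructed, simplified Windows Security log lines (the field names mirror Event ID 4625, a failed logon, with LogonType 10 for RDP, but the one-line "key=value" layout is an assumption) and alerts when one source address produces a burst of failed RDP logons inside a short window. The threshold, window and sample addresses are all constructed.

```python
"""Sliding-window detection of password brute force against RDP.

Added example (not EclecticIQ's code). Parses constructed, simplified
Windows Security log lines (EventID 4625 = failed logon, LogonType 10 =
RemoteInteractive/RDP) and alerts when one source IP produces THRESHOLD or
more failures inside WINDOW_SECONDS.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the field names mirror Event 4625 but the
# flat "key=value" layout is an assumption for this example.
SAMPLE_LOGS = """\
2020-09-14T08:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2020-09-14T08:00:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-09-14T08:00:04 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2020-09-14T08:00:06 EventID=4625 LogonType=10 TargetUser=sysadmin SourceIP=203.0.113.7
2020-09-14T08:00:08 EventID=4625 LogonType=10 TargetUser=it SourceIP=203.0.113.7
2020-09-14T08:00:09 EventID=4625 LogonType=10 TargetUser=helpdesk SourceIP=203.0.113.7
2020-09-14T08:00:15 EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.23
2020-09-14T08:05:00 EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.23
2020-09-14T09:00:00 EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

THRESHOLD = 5        # failures from one source that trigger an alert ...
WINDOW_SECONDS = 60  # ... within this many seconds


def parse(lines):
    """Yield (timestamp, event_id, logon_type, user, ip); skip unparseable lines."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
               int(m["ltype"]), m["user"], m["ip"])


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return one alert dict per source IP whose failed RDP logons hit the threshold.

    The alert keeps the distinct usernames tried: many users from one source
    points at password spraying, few users at guessing a specific account.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (ts, user) failures still in window
    alerted = {}
    for ts, eid, ltype, user, ip in parse(lines):
        if eid != 4625 or ltype != 10:
            continue  # only failed RemoteInteractive (RDP) logons
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # evict failures that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted[ip] = {
                "source_ip": ip,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOGS):
        print(alert)
```

On the sample data only 203.0.113.7 is flagged: five failures across five different usernames in seven seconds. The two failures from 198.51.100.23 are an hour apart and never accumulate inside the window, which is the behaviour you want so that a user mistyping a password does not page anyone.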
Another significant portion of attacks aimed at establishing backdoors or using Remote Access Tools (RATs). This segregation of threat actor operations encourages threat actors to establish niches of different specializations and to combine TTPs (Tactics, Techniques, and Procedures), which supports more rapid TTP development, and leads to more attacks.
One effect of this diversifying pattern of threat actor behavior is that complete malware supply chains are available for rent. A relatively inexperienced actor can now buy access (Infrastructure as a Service) and a final payload (Malware as a Service) that allow them to participate in successful attacks. This further participation feeds back into and reinforces the MaaS/IaaS cycle.
Disinformation And Misinformation.
EclecticIQ analysts observed credible and fake-credible sources participating in the active spread of disinformation, comprising common cybercriminals, APT groups, and official sources including politicians. Systems of disinformation benefit social engineering TTPs and increase effectiveness of cyberattacks.
The most common, high-volume attacks involve threat actors who exploit general confusion over a commodity or resource related to current events, such as a medical testing resource. Threat actors spoof the web infrastructure of a particular medical test organization and direct victims to the malicious resource via phishing or watering-hole type attacks that rely on some degree of social engineering. These attacks mostly affect individuals and their personal financial assets.
More sophisticated common threat actors use disinformation to extract data from individuals and organizations, seeking Personally Identifiable Information (PII), proprietary research, or prolonged illicit system access. These attacks are more coordinated. They do not bring immediate consequences for the entities affected, but significantly increase the risk of future cyberattacks.
Escalated threats disrupt or destroy technology systems; ransomware is the clearest example. Threat actors have spoofed mobile apps of government-endorsed COVID-19 tracking software to direct victims to ransomware that destroys their mobile device and disrupts the collection of important COVID-19 data used to direct response policy. These attacks may disrupt entire information systems or data supply chains.
The most impactful threat actors are State-linked actors and APT groups that introduce disinformation for covert information operations or geopolitically driven interests. Vaccine disinformation is a good example of State interests being used to further political agendas. These attacks are the most subtle and affect the most victims. Threat groups covertly disseminate disinformation to broad audiences, who easily become complicit in its spread. Attacks in this group are highly complex, continually building on each other over long periods. Operations use multiple channels in multiple stages to be highly effective.
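The spoofed web infrastructure described for the high-volume attacks above can often be caught before a victim reaches it by checking domains extracted from lures against the organization's real ones. The following is an added example, not EclecticIQ's code: the legitimate domains and candidate URLs are constructed (reserved "example" and "test" names), and the three checks it applies, homoglyph normalization, small edit distance (with adjacent transpositions), and brand-name embedding in a different registrable domain, are a common simplified approach rather than any specific product's method. The two-label "registrable domain" shortcut is an assumption; a real deployment would consult the public suffix list.

```python
"""Flag domains that impersonate a legitimate organization's web infrastructure.

Added example (not EclecticIQ's code). LEGIT_DOMAINS and CANDIDATE_URLS are
constructed. Checks, in order: registrable domain is legitimate; homoglyph
substitution of the brand label; brand label within edit distance 1 (typos
and transpositions); brand name embedded elsewhere in the hostname.
"""
from urllib.parse import urlparse

# Constructed: the organization's own domains that a phishing lure would spoof.
LEGIT_DOMAINS = {"covidtest.example", "labresults.example"}

# Constructed URLs of the kind extracted from phishing emails.
CANDIDATE_URLS = [
    "https://covidtest.example/results",            # legitimate
    "http://c0vidtest.example/login",               # digit-zero homoglyph
    "https://covidtest-results.example/verify",     # brand plus extra token
    "http://covidtest.example.secure-login.test/",  # brand as a subdomain
    "https://covidtset.example/",                   # adjacent transposition
    "https://unrelated-shop.test/",                 # no relation
]

# Multi-character pairs first so "rn" is folded before single characters.
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s")]


def normalize(label):
    """Fold common look-alike characters so 'c0vidtest' compares as 'covidtest'."""
    label = label.lower()
    for src, dst in HOMOGLYPH_PAIRS:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable(host):
    """Crude registrable domain: the last two labels (assumption; no suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(url, legit=LEGIT_DOMAINS):
    """Return 'legitimate', 'unrelated', or a string naming the spoofed domain."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    if reg in legit:
        return "legitimate"
    reg_label = reg.split(".")[0]
    norm = normalize(reg_label)
    for good in sorted(legit):          # sorted for deterministic results
        brand = good.split(".")[0]
        if norm != reg_label and norm == brand:
            return f"homoglyph of {good}"
        if osa_distance(norm, brand) <= 1:
            return f"lookalike of {good}"
        if brand in host and reg != good:
            return f"brand-embedding of {good}"
    return "unrelated"


def scan(urls):
    """Map each candidate URL to its classification."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan(CANDIDATE_URLS).items():
        print(f"{verdict:35} {url}")
```

Each verdict names which legitimate domain is being imitated, which is what an analyst needs when deciding whether to block the domain, warn users, or file a takedown. The checks are deliberately ordered from most to least specific so that a homoglyph domain is not reported merely as a "lookalike".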
Remote Operation Introduced Significant Risk to Mobile Devices.
Mobile malware primarily targeted Android. Malware was delivered through phishing that led to trojanized apps aimed at Android users. Malicious apps hosted on non-official infrastructure are, and continue to be, the most popular delivery vector for mobile phones. It is more difficult to run unauthorized code on a mobile device, and trojanized mobile applications remain a convenient way of overcoming this.
COVID tracking apps, now available in almost every country, introduce a new opportunity. Collectively they represent an extensive new attack surface for cybercriminals and State-backed threat actors.
Interested in how we conduct our research on the matter? There will be a whitepaper published about our research methodology shortly.
As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis. This is the 32nd and final report in a weekly series of updates to inform of important developments to COVID-19-themed attacks.