Key Findings
- Threat Actors Adapt Attacks to New Infrastructure.
- Ransomware Threat to Healthcare.
- TTPS Established Across Ransomware Families During the Pandemic.
- Malware-as-a-Service.
- Disinformation and Misinformation.
- Remote Operation Introduced Significant Risk to Mobile Devices.
Executive Summary
On 11th March, the World Health Organization declared COVID-19 a pandemic. By that time, threat actors were already spawning infrastructure to support COVID-19 themed attacks. Over the next 44 weeks, EclecticIQ analysts closely followed threat actor activities and observed the following:
- Threat actors rapidly adapted to shifting opportunities presented by the pandemic.
Work restrictions during the pandemic created new weak infrastructure links for threat actors to exploit.
- Healthcare attacks demonstrate bold new capabilities.
Malware-as-a-Service markets are increasing threat actor capabilities. Major attacks affected healthcare resources and may have impacted human life.
- Malware-as-a-Service solidified over the pandemic.
Remote access trojans, backdoors, and ransomware featured prominently in COVID-19 themed attacks. Malware operations are increasingly specialized and traded.
- Misinformation provided a catalyst for high-volume attacks.
Misinformation on social media is increasing and very likely enabled more high-volume attacks that leveraged inaccurate information.
This summary analysis concludes the EclecticIQ COVID-19 initiative, which provided focused weekly updates on developing threats. Our analysts will continue to monitor important developments and publish findings through our threat intelligence platform.
Threat Actors Adapt Attacks to New Infrastructure.
During the pandemic, the remote workforce increased and resources were stretched. Many companies expanded VPN offerings and public-facing applications to meet resource needs. Support infrastructure during lockdowns was at higher risk of attack because remote connections became central to business. One effect of this was a rise in RDP brute-force attacks and attacks on remote access connections, including VPN vulnerability exploitation. A large volume of attacks comprised spearphishing of individual employees with COVID-19-themed lures for initial access.
Ransomware Threat to Healthcare.
Ransomware attacks on healthcare organizations remained a constant threat during the pandemic. The highest potential impact of ransomware attacks occurred in March and April, when infection rates were rising in many global regions and healthcare resources experienced some of the greatest strain. Ransomware infections remained steady thereafter, but have been rising again since September 2020.
TTPS Established Across Ransomware Families During the Pandemic.
Ransomware operations have undergone important changes that increase the effectiveness of their attack patterns.
• RaaS (Ransomware-as-a-Service) is well established, allowing more threat actors to participate in attacks using highly effective malware families.
• Exfiltration modules allow threat actors to steal data before encrypting systems. This provides operators with more bargaining power during extortion.
• Big game hunting is the practice of compromising high-value targets and dwelling inside the target network, post-compromise, for an extended period in order to pivot to as many systems as possible. Operators perform 'hands-on' lateral movement and pivoting inside the network prior to infection, in order to encrypt a maximum number of machines. Attackers verify that the victim has a high net worth or is involved in important operations, since such victims are more able and willing to pay for recovery. Larger organizations are increasingly targeted, and ransomware has a larger impact because the business affects other organizations downstream in their supply chains (hospitals, industrial plants, public services). Attacks on managed service providers (MSPs) create a direct risk to clients: ransomware can and has spread via dedicated, privileged MSP channels.
• IaaS (Infrastructure-as-a-Service) allows ransomware syndicates to pair with developers of droppers. Dropper variants, typically operated by actors seeking to gain and sell initial access, attack networks to establish persistence until a future attack is called. This TTP combination allows ransomware operators to launch attacks with less effort.
• Credential leaks for the pharmaceutical and biotech industry are increasing and incentivizing further attacks. Medical records have increased in value on dark marketplaces over the past few years, which likely incentivizes attacks.
Malware-as-a-Service.
Strategic exploitation opportunities presented by the pandemic drive high-volume cyberattacks to establish and sell initial access. “While many attacks will be designed to affect the crisis near term, the most sophisticated attackers will take advantage of preoccupied organizations that have their guard down. They will plant malware inside a targeted company's infrastructure for later exploitation."
Most Malware-as-a-Service (MaaS) activity is delivered through phishing. Rapid development of current-event phishing lures helped to drive successful MaaS operations. Phishing provides threat actors with access to privileged environments, which they can then sell to other threat actors who carry out further attacks. This behavior creates a dark market incentive for, and enables, further cyberattacks through the buying and selling of access.
Brute-force attacks were the most common attack pattern against the remote service systems expanded to support remote workers, such as VPNs and Remote Desktop Protocol (RDP).
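The RDP brute-force pattern described here and in the section above is one that defenders can detect from Windows logon events. The following detector is an added example, not code from the report or from EclecticIQ: it runs over constructed sample events in a simplified "timestamp EventID LogonType SourceIP TargetUser" format (the field order and the 5-failures-in-5-minutes threshold are assumptions), flags sources exceeding the threshold, and notes whether a successful RDP logon followed the burst of failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not from the report): "timestamp EventID LogonType SourceIP TargetUser".
# Windows EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = """\
2020-04-02T09:00:01 4625 10 203.0.113.7 administrator
2020-04-02T09:00:03 4625 10 203.0.113.7 administrator
2020-04-02T09:00:05 4625 10 203.0.113.7 admin
2020-04-02T09:00:07 4625 10 203.0.113.7 backup
2020-04-02T09:00:09 4625 10 203.0.113.7 administrator
2020-04-02T09:00:12 4624 10 203.0.113.7 backup
2020-04-02T09:15:00 4625 10 198.51.100.4 jsmith
2020-04-02T10:30:00 4624 10 198.51.100.4 jsmith
"""
LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (\S+) (\S+)$")
def parse_events(text):
    """Yield (timestamp, event_id, logon_type, source_ip, user) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, ltype, ip, user = m.groups()
            yield datetime.fromisoformat(ts), int(eid), int(ltype), ip, user
def detect_rdp_brute_force(text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold RDP failures inside one window; record users tried and any later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, ip, user in parse_events(text):
        if ltype != 10:          # only remote interactive (RDP) logons matter here
            continue
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes[ip].append(ts)
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0                # sliding window over the sorted failure timestamps
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                last = fails[end][0]
                alerts[ip] = {
                    "failures": end - start + 1,
                    "users": sorted({u for _, u in fails[start:end + 1]}),
                    "success_after": any(t > last for t in successes[ip]),
                }
                break            # one alert per source is enough
    return alerts
```

A source that trips the threshold and then logs on successfully ("success_after") is the case to escalate first, since it indicates the brute force may have worked rather than merely been attempted.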
Another significant portion of attacks aimed at establishing backdoors or using Remote Access Tools (RATs). This segregation of threat actor operations encourages threat actors to establish niches of different specializations and to combine TTPs (Tactics, Techniques, and Procedures), which supports more rapid TTP development and leads to more attacks.
One effect of this diversifying pattern of threat actor behavior is that complete malware supply chains are available for rent. A relatively inexperienced actor can now buy access (Infrastructure-as-a-Service) and a final payload (Malware-as-a-Service), which allows them to participate in successful attacks. This further participation feeds back into and reinforces the MaaS/IaaS cycle.
Disinformation And Misinformation.
EclecticIQ analysts observed credible and fake-credible sources participating in the active spread of disinformation, comprising common cybercriminals, APT groups, and official sources including politicians. Systems of disinformation benefit social engineering TTPs and increase effectiveness of cyberattacks.
The most common and high-volume attacks include threat actors who exploit general confusion over a commodity or resource that relates to current events, such as a medical testing resource. Threat actors spoof web infrastructure of a particular medical test organization and direct victims to the bad resource via phishing or watering-hole type attacks that leverage some degree of social engineering. These attacks mostly affect individuals and their personal financial assets.
More sophisticated common threat actors use disinformation to exploit data from individuals and organizations, and seek Personally Identifiable Information (PII), proprietary research, or prolonged illicit system access. These types of attacks are more coordinated. They do not bring immediate consequence to the entities affected, but drive significant further risk to future cyberattacks.
Escalated threats disrupt or destroy technology systems. The best example of these attacks includes ransomware attacks. Threat actors have spoofed mobile apps of government-endorsed COVID-19 tracking software to direct victims to ransomware that destroys their mobile device and disrupts the collection of important COVID-19 data used to direct response policy. These attacks may disrupt entire information systems or data supply chains.
The most impactful threat actors include State-linked actors and APT groups that introduce disinformation for covert information operations or geopolitically driven interests. Vaccine disinformation provides a good example where State interests may be used to further political agendas. These attacks are the most subtle and affect the most victims. Threat groups covertly disseminate disinformation to broad audiences, who easily become complicit in its spread. Attacks in this group are highly complex, continually building on each other over longer periods. Operations use multiple channels in multiple stages to be highly effective.
Remote Operation Introduced Significant Risk to Mobile Devices.
Changes in human behavior involved more isolated communication during pandemic lockdowns. Threat actors homed in on these opportunities by moving TTPs to mobile banking apps and COVID-19 tracking apps.
Overall, mobile attacks do not comprise a significant portion of COVID-19 themed threats. Check Point reports that since January 2020, mobile attacks represent 3% of all COVID-19 themed threats they detected.
Mobile malware primarily targeted Android. Malware was delivered through phishing that led to trojanized apps targeting Android users. Malicious apps hosted on non-official infrastructure are, and continue to be, the most popular delivery vector for mobile phones. It is more difficult to run unauthorized code on a mobile device, and trojanized mobile applications remain a convenient method for overcoming this.
COVID-19 tracking apps, now available in almost every country, introduce a new opportunity. Collectively they represent an extensive new attack surface for cybercriminals and State-backed threat actors.
Interested in how we conduct our research on the matter? There will be a whitepaper published about our research methodology shortly.
As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis. This is the 32nd and final report in a weekly series of updates on important developments in COVID-19-themed attacks.