Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup.
This series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period.
This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we will summarize key cybersecurity news for the week, organized by major themes.
In each item we’ll include a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
You can read last week’s roundup here, and our first roundup here.
Let’s get started.
1. Video Teleconferencing Account Takeovers
Zoom Credentials for Sale
Attack summary: In a credential-stuffing attack, attackers use previously breached credentials (username and password pairs) to attempt to log in to another service. Attackers regularly run this attack against newly popular services using existing databases of breached credentials, and the latest target is Zoom.
News reports indicate that over 500,000 compromised credentials verified as valid for Zoom are now available for purchase or free download on the dark web. These credentials could be used for zoombombing or to access information stored in a Zoom account. Any credentials known to be valid may also be exploited for further account takeover attacks on additional services or systems.
- Set a robust password policy for employees, including password management tools, unique passwords for separate services, and password updates in the event of a breach.
- Use single sign-on (SSO) services with multi-factor authentication to access third-party services.
- Where possible, control information that would be exposed in a Zoom account compromise, by restricting meeting names, verifying meeting participants, etc.
Cisco Webex Credential Theft
Attack summary: Though Zoom is the highest profile, many different video teleconferencing (VTC) platforms have come under attack. This phishing campaign targets Cisco Webex credentials.
The attackers use a spoofed email which prompts users to download a new version of Webex to fix a supposed security flaw. The email links to a malicious site impersonating the legitimate Webex login page. After it collects the login information, it passes the target along to the actual Webex download, leading the target to believe they have performed a necessary security update.
- Spoofed originating email: meetings[@]webex[.]com
- Malicious site: hxxps://globalpagee-prod-webex[.]com/signin
- Malicious site IP: 192[.]185[.]214[.]109
- Educate employees about the risk of phishing emails impersonating security alerts and update requests.
- Establish a clear process for legitimate security updates and encourage employees to contact IT about any other software updates suggested by external sources.
- Ensure that mail security tools are up to date with the latest threat intelligence.
- Use detection and response solutions to identify attempted malware downloads or executions, or account compromises.
2. COVID Phishing
Remote Overlay Banking Trojan Spreads
Attack summary: Grandoreiro is a remote overlay malware strain. This type of malware, common in Latin America, can be delivered through spam, phishing, or malicious attachments. It remains dormant on the target system until the user navigates to one of a hard-coded list of targeted services, often banking services.
Once this occurs, the attacker is notified and can commandeer the device remotely in real time. This control is typically used to display full-screen overlay images designed to resemble the service in question, to extract credentials, and collect additional information on the target required to complete a money transfer.
Though Grandoreiro originated in Brazil, it was recently deployed in Spain, and a recent campaign used COVID-19-themed videos to trick users into running a concealed executable.
- Ensure that endpoint security tools are up to date with the most recent threat intelligence and indicators of compromise.
- Maintain robust network security to detect command-and-control activity.
- Train employees about the risk of malicious downloads and other spam.
Government and Healthcare PPE Advance Fee and Social Engineering Attacks
Attack summary: As a result of the pandemic, many organizations, especially state and local governments and healthcare providers, are attempting to purchase personal protective equipment (PPE) from any available suppliers.
The FBI reports that malicious actors have exploited this need, targeting PPE purchasers with advance fee schemes and spoofed business emails. In multiple incidents, purchasers have wired payments either to fraudulent vendors, or malicious actors impersonating known vendors.
- Any organization purchasing PPE or any other pandemic-related supplies or products should be aware of the heightened risks of scams.
- Organizations (and employees) should initiate all contact with sellers.
- Organizations should verify all payment information, especially any last-minute payment changes, through verified contact methods.
- Where possible, trusted third parties should verify that the products exist and are available for purchase, or funds should be placed in escrow.
White House Phishing
Attack summary: Throughout the COVID-19 pandemic, malicious actors have exploited the public’s need for information and guidance by impersonating public institutions. In this case, attackers impersonated the White House, distributing an email supposedly offering official coronavirus guidance. The email linked to a fake site that was an exact copy of the official White House site; however, the document offered for download contained malware.
- Remind employees to use common sense when reviewing COVID-19 themed emails, including checking for spelling and grammar errors and other indications that an email may be faked.
- Encourage employees to navigate independently to official sites and sources, even when linked within an email.
- Update mail security to block active phishing campaigns as they are identified.
- Deploy detection and response solutions to identify compromised systems.
Attack summary: The COVID-19 relief bill, the “CARES Act,” allocated $376 billion in relief funding through the Small Business Administration (SBA). This funding is available in the form of forgivable loans to small businesses. Malicious actors are impersonating the SBA in email campaigns highlighting this program.
- Remind employees (including leaders) that they will not typically receive inbound emails from government agencies such as the SBA offering funds.
- Encourage your organization to clearly designate a team responsible for COVID-19 relief activities, and ensure that the team is briefed on the risks of phishing and other scam campaigns.
- Always initiate contact with outside organizations through known contact methods.
3. Institutional Attacks
Ransomware attack on Canadian institutions
Attack summary: In another example of high-profile medical institutions targeted by cyberattacks, a Canadian government healthcare organization and medical research university were targeted with ransomware. The attackers used a spoofed email pretending to be from the WHO, containing a malicious RTF lure. Once opened, the lure attempted to deliver a ransomware payload via a known Microsoft vulnerability.
- Spoofed address: noreply@who[.]int
- Actual sender IP: 176.223.133[.]91
- Command and control domain: www.tempinfo.96[.]lt
- Malicious attachment filename: 20200323-sitrep-63-covid-19.doc
- Malicious attachment hash: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617
- Organizations with any connection to the evolving COVID-19 pandemic response should re-evaluate their security posture in light of the heightened threat environment.
- Maintain a vulnerability management, benchmarking, and patching cadence to prevent compromise via known vulnerabilities or common misconfigurations.
- Train employees about the risk of phishing campaigns that impersonate entities with a legitimate reason to communicate with your organization.
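To put the indicators listed in the Webex phishing item and the Canadian ransomware item above to work, here is an added Python example (not from the original roundup or from Arctic Wolf) that refangs the indicators exactly as printed and scans sample log lines, treating a spoofed sender address on its own as only a weak signal because it is the genuine address being impersonated. The log lines, their field names, and the category grouping are assumptions for this example.

```python
import re

# Indicators exactly as printed (defanged) in the Webex phishing and WHO-spoof
# ransomware items above; the category grouping is the editor's assumption.
DEFANGED_IOCS = {
    "sender": ["meetings[@]webex[.]com", "noreply@who[.]int"],
    "url": ["hxxps://globalpagee-prod-webex[.]com/signin"],
    "ip": ["192[.]185[.]214[.]109", "176.223.133[.]91"],
    "domain": ["www.tempinfo.96[.]lt"],
    "sha256": ["62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617"],
}
STRONG = {"url", "ip", "domain", "sha256"}  # infrastructure and file indicators

def refang(ioc):
    """Undo the report defanging conventions: [.], [@] and hxxp(s)://."""
    ioc = ioc.replace("[.]", ".").replace("[@]", "@")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.I).lower()

# One boundary-aware pattern per indicator, so 176.223.133.9 does not hit on
# 176.223.133.91 and a real webex.com URL does not hit on the look-alike host.
PATTERNS = [(cat, refang(i), re.compile(r"(?<![\w.-])" + re.escape(refang(i)) + r"(?![\w-])"))
            for cat, iocs in DEFANGED_IOCS.items() for i in iocs]

def find_matches(line):
    """Return (category, indicator) pairs present in one log line."""
    low = line.lower()
    return [(cat, ioc) for cat, ioc, pat in PATTERNS if pat.search(low)]

def severity(matches):
    """'strong' if infrastructure/file indicators hit; 'weak' if only a spoofed
    sender hit, because that is the genuine address being impersonated and only
    means something alongside an SPF/DKIM failure on the same message."""
    cats = {cat for cat, _ in matches}
    return "strong" if cats & STRONG else ("weak" if cats else "none")

def scan(lines):
    """Map line index -> (severity, matches) for every line with a hit."""
    found = {i: find_matches(line) for i, line in enumerate(lines)}
    return {i: (severity(m), m) for i, m in found.items() if m}

# Constructed sample events (mail gateway, proxy, EDR, DNS); not real logs.
SAMPLE_LOGS = [
    "2020-04-17T09:12:01Z mail from=<meetings@webex.com> ip=192.185.214.109 spf=fail",
    "2020-04-17T09:13:44Z proxy user=alice url=https://globalpagee-prod-webex.com/signin",
    "2020-04-17T09:20:10Z proxy user=bob url=https://www.webex.com/downloads",
    "2020-04-17T09:30:00Z mail from=<meetings@webex.com> ip=203.0.113.5 spf=pass",
    "2020-04-17T10:02:33Z edr host=ws-17 sha256=62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617",
    "2020-04-17T10:05:00Z dns host=ws-17 query=www.tempinfo.96.lt",
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))
```

Line 3 in the sample set is a legitimate-looking message from the impersonated address and is reported as weak only; the other hits are on infrastructure or the attachment hash.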
NGOs report an increased volume of cyberattacks
Attack summary: Aid organizations, including Mercy Corps and the International Federation of Red Cross and Red Crescent Societies, report an increased volume of cyberattacks against their remote teams, including phishing and smishing attacks.
- Maintain a robust remote work security posture, including cloud, mail, and endpoint security.
- Attackers may attempt to compromise major charity user accounts in order to exploit them for further attacks. Follow threat intelligence about any such attacks, and let employees know about the possibility of phishing attacks using legitimate, compromised accounts at major institutions.
4. Mobile Attacks
Questionable government mobile apps
Attack summary: In order to contain the COVID-19 pandemic, a number of governments have released mobile apps to provide information, health guidance, and contact tracing. More such apps may be developed and released in the future. Some of these apps have been insecure; others, such as the Iranian government’s official app, may have been spoofed by attackers, since they were made available by direct download via unsecured sites.
CoronaApp, targeting Iranian users:
- 7b9bb74afee6ad86d14d6e9b12421a745915ccbc5a09b399415afe5ecc7bcdc9 coronaapp2.apk
- 6c94071da2c2510698ed9ce6bd2877f00930014a075f776cbfe4b23623d7aa6d coronaapp3.apk
- 49fb82b0f9802290c7fb1c93b59649d30b8baf6e73c102f0ce1e226147ae4c51 coronagame.apk
- Use endpoint security solutions with up-to-date threat intelligence to detect and block potential malware.
- Inform employees about the risk of apps impersonating legitimate government apps, and of data leakage through legitimate apps with security vulnerabilities.
Watering hole app attacks
Attack summary: In this attack, targeting iOS users in Hong Kong, malicious actors posted links supposedly to news stories on web forums. The news stories dealt with a number of themes, among them COVID-19. The links do lead to legitimate news sites, but also use a hidden iframe to execute malicious code. The compromise is then used to download a new iOS malware variant.
- Users should keep devices, including mobile devices, updated.
- Train employees on appropriate use of devices also used for remote work.
- Endpoint security and detection and response solutions can help identify compromised systems.