Welcome back to the Arctic Wolf COVID-19 Threat Roundup.
The Thread Roundup series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period.
This news is designed to help you and your team defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Each month, we will summarize key cybersecurity news, organized by major themes.
Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
You can read previous roundups on our COVID-19 blog feed, highlighted with the red threat roundup banner.
1. Vaccine Research Attacked
Russian cyberattacks hit research institutions
Attack summary: US, UK, and Canadian security officials issued a joint statement that the Russian hacking group APT29 has been targeting institutions involved in vaccine research, including the use of spearphishing and custom malware techniques.
Organizations involved in vaccine research should reassess security posture in light of the risk of attack by nation-state threat actors
Vulnerability and risk management tools can help mitigate known risks exploited by advanced attackers
Managed detection solutions can help identify systems and account compromise advanced attackers, potentially before they are able to exfiltrate intellectual property
UCSF pays $1M in ransom attack
Attack summary: Servers at UCSF’s School of Medicine were compromised by Netwalker ransomware. The institution, which provides medical care and is active in COVID-19 vaccine research, paid $1.14 million for its files to be decrypted.
- Ransomware is typically deployed through phishing, known software vulnerabilities, or remote access misconfigurations
- Update email and endpoint security with the most recent ransomware IOCs
- Deploy vulnerability management solutions to prioritize and patch known vulnerabilities
- Evaluate managed detection and response solutions to detect ransomware before it can encrypt key data.
2. COVID Phishing Update: Fake Benefits, Microsoft Defenses
Attackers impersonate US CARES Act relief
Attack summary: This phishing campaign exploits themes related to the US CARES relief act. Attackers impersonate the “US Department of Revenue” (an inaccurate name for the US tax authority), inform targets of the tax provisions of the CARES act, and encourage users to fill out the attached secure document. Targets who click on the “document” are taken to a fake login page that steals Microsoft credentials.
- Warn employees about the risk of Microsoft credential theft and phishing campaigns impersonating relief agencies
- Update mail security to block known IOCs
- Deploy detection and response solutions to identify account compromise events
Phishing impersonates UK tax agency
Attack summary: In this campaign, attackers impersonate Her Majesty’s Revenue and Customs (in this case, using the correct name for the government agency). The email offers grants to UK taxpayers who have lost jobs owing to COVID-19. The link takes targets to a realistic-seeming page that attempts to collect personally identifiable information, including tax and insurance ID numbers.
- Warn employees about the threat of phishing campaigns that attempt to directly collect PII
- Ensure mail security is connected to current threat intelligence and can block known IOCs
- Consider detection and response solutions to identify connections to suspicious webpages
Fake Brazilian government aid
Attack summary: In response to the COVID-19 pandemic, the Brazillian government is issuing “coronavouchers”, monthly financial assistance for informal and low-income workers and entrepreneurs. Cybercriminals have engaged in a number of campaigns around this theme, using SMS, WhatsApp, and email to distribute webpages that spoof government portals and collect PII.
- Warn employees about the risk of phishing campaigns exploiting email, text, or messenger channels
- Use detection and response solutions to identify connections to suspicious, data-scraping webpages
Indian police warn of phishing campaigns
Attack summary: Haryana police issued a warning of COVID-19-related phishing scams, where cybercriminals impersonate agencies offering COVID testing, treatment, or reimbursement. Attackers are exploiting spoofed emails imitating official government sources.
- Warn employees about the risk of COVID-19 phishing impersonating official agencies, and encourage them to contact such agencies directly
- Use email security tools to block or identify suspicious emails
- Detection and response tools can recognize connections to suspicious sites and compromise of account information
Microsoft takes down phishing pages
Attack summary: In this campaign, attackers used domains similar to official Microsoft URLs to compromise business accounts. The campaign exploited COVID-19 themes to persuade targets to give an app access to their Microsoft accounts. These compromised accounts were then used to arrange for money to be wired to the attackers. Microsoft obtained a court order allowing it to seize the malicious domains, neutralizing this particular attack campaign.
- Warn employees about the risk of malicious app access to SaaS accounts
- Use detection and response tools to identify suspicious email activity, to detect BEC attacks before they can extract company funds
3. Miscellaneous COVID Attacks
Twitter attack collects bitcoin
Attack summary: In this high-profile attack, hackers used social engineering to acquire Twitter employee credentials, then used these credentials as a backdoor to access high-profile Twitter accounts. These accounts then broadcast a COVID-19 themed scam message, encouraging targets to send in bitcoin for the promise of more bitcoin. Twitter security temporarily restricted access for all verified accounts to contain this attack.
- Warn employees about the risk of cryptocurrency solicitations
- Re-evaluate internal employee access policies to reduce the risk of compromised accounts or credentials
- Consider detection and response tools to identify account compromises from advanced attackers
FBI warns K-12 schools of ransomware
Attack summary: The FBI is warning K-12 schools of an increase in ransomware attacks exploiting remote desktop protocol (RDP). The FBI anticipates greater targeting of schools, which have limited in-house network defense and are transitioning to remote learning during the COVID pandemic.
- Schools and other suddenly remote organizations should evaluate security operations providers to help address their cybersecurity staffing gaps
- Consider risk management solutions to identify misconfigurations that can expose networks and systems to attack
- Evaluate managed detection and response solutions to identify ransomware attacks before they can encrypt or exfiltrate data.
Google Alert fake data breach scam spreads malware
Attack summary: In this attack, fraudsters have seeded Google Alerts with false data breach announcements for major brands. The Google Alerts news monitoring service then distributes the malicious sites to a wide range of targets. If targets click on the Google Alerts link, they are repeatedly redirected until they reached a page that attempted to deploy malicious extensions or malware.
- Train users about the risk of suspicious links distributed through legitimate services
- Use endpoint and antivirus tools to detect and block malware
- Define business policies restricting suspicious plugins and extensions
- Use detection and response solutions to identify connections to suspicious websites