COVID-19 Weekly Threat Roundup: May 22

May 22, 2020

Welcome back to the latest edition of the Arctic Wolf COVID-19 Weekly Threat Roundup.  

This news is designed to help you and your team defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we'll summarize key cybersecurity news for the week, organized by major themes.

In each item we’ll include a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.  

You can read previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.  

1. Institutional Attacks Target Governments, Hospitals, Supercomputers 

Scattered Canary Defrauds IRS, States 

Attack summary: A known threat group, Scattered Canary, is using an existing database of PII and network of mules to file fraudulent state unemployment insurance claims, as well as claims under the CARES act for financial relief.  


  • State and local governments processing unemployment, and financial institutions processing loans and other aid, should enhance their fraud detection processes 
  • Train employees about the risks of revealing PII in phishing attacks; it may be used by attackers over an extended period 
  • Scattered Canary has built its criminal empire primarily through Business Email Compromise (BEC) attacks; use mail security and detection and response solutions to protect against BEC 

Sources: and

Hacktivists Target Brazilian Government 

Attack summary: Brazilian hacktivist groups are engaged in a coordinated and ongoing attack against the Brazilian government and health ministries, focusing on attempting to breach, release, and publicize government data.  


  • Organizations that may be targeted by hacktivist groups—including any organization involved in COVID-19 response—should perform internal audits for sensitive data and establish clear policies to restrict access 
  • Review existing vulnerabilities and risks and institute a patching and update cadence 
  • Detection and response solutions are a powerful line of defense against persistent, dedicated attackers 


Romanian Hospital Ransomware thwarted 

Attack summary: According to the Romanian Directorate for Investigating Organized Crime and Terrorism, PentaGuard attackers planned to use a phishing campaign spoofing government information about COVID-19 to introduce Locky or BadRabbit ransomware strains to hospital systems. Four individuals have been arrested in connection with this plan.   


  • Update mail security with the latest threat intelligence to identify and block malicious attachments 
  • Train employees about how to identify emails spoofing official sources, and how to identify likely malicious attachments 
  • Use detection and response solutions to identify and contain ransomware attacks before they can encrypt sensitive data. 

Sources: and 

Academic Supercomputers Attacked 

Attack summary: The UK National Supercomputing Service, ARCHER, announced that some of its user accounts may have been misused to gain unauthorized access to the service. It disabled access more generally to secure the service while investigation was ongoing. Statements suggest that other European supercomputers may also have been targets. Attackers are presumed to be targeting COVID-19 research activities.  


  • All institutions with COVID-19 related activities should adjust their security posture in light of the elevated risk of account compromise attacks 
  • Use account takeover risk solutions to identify compromised credentials that may be used in account takeover attacks 
  • Use detection and response solutions to alert on impossible logins, or other suspicious behavior that may indicate account compromises 


Fresenius Attack Update: Patient Data Leaks.  

Attack summary: In our May 8 roundup, we reported on a ransomware attack against Fresenius, the largest private hospital operator in Europe. Attackers have now released some patient data and threatened a larger release if the ransom is not paid.  


Hash: e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60 


  • Ransomware is typically delivered via phishing email, RDP misconfiguration, or known software vulnerability 
  • Update and maintain mail security and employee training to mitigate phishing risk 
  • Use a risk management solution to identify, prioritize and address vulnerabilities and misconfigurations 
  • Add detection and response to alert on ransomware deployment in real time, to prevent attackers from executing the attack and extracting data to hold hostage 


2. COVID-19 Phishing Updates 

Phishing Email Spoofs Microsoft Teams Notification 

Attack summary: Remote work associated with the COVID-19 pandemic has led to a spike in usage of collaboration tools, including Microsoft Teams. In this attack, a phishing email impersonates a legitimate Teams message notification. The link redirects to a phishing page, which collects the target’s credentials; it then directs to the actual Microsoft Office page to conceal the attack.  


Network IOCs

  • hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20 
  • hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/ 


  • 104[.]118[.]190[.]227 


  • Update mail security with newest threat intel to identify, block phishing emails 
  • Use detection and response tools to alert on suspicious connections to phishing domains, credential compromise 


Malicious Excel Macros Abuse Legitimate Remote Access Tool 

Attack summary: In this campaign, attackers impersonate the JHU COVID-19 daily update. The emails include an attached Excel file purporting to provide coronavirus case statistics. If the target authorizes macros as requested, the malicious sheet downloads NetSupport Manager. NetSupport is a legitimate remote access tool, but it is frequently exploited by attackers as a remote access trojan.  



  • 1ff9615577cc6cd702d847672a34260a72ba5a71f4b7dd5ebfd844d4835c68a7 
  • 6b00e4c85ab9c2a0a724fc77177d5b55ff4369e5be068605a29fffe7173919f9 


  • Train employees about the risks of malicious sheets, and especially the risks of allowing macros 
  • Update mail and endpoint security with the latest threat intel to detect malicious attachments 
  • Use detection and response solutions to identify systems compromised with remote access malware, or connections to C2 servers 

Sources: MsftSecIntel,, 

COVID Drives Increased Retail Phishing 

Attack summary: Throughout the COVID-19 pandemic, there has been an incredible explosion of COVID-related phishing campaigns. These campaigns have included themes around COVID information, government aid programs, remote work, and more. Researchers at Recorded Future have highlighted another area of elevated phishing: online retail, driven by the increased use of delivery shopping during stay-at-home orders. Online retail phishing campaigns typically spike in December (the holiday season) and decline thereafter. This year, campaigns in April exceeded the December 2019 spike, an 83% increase over the same time last year.  


  • Alert employees of the risk of retail phishing campaigns 
  • Use mail security to detect these campaigns when they target employees’ work emails 
  • Use detection and response solutions to identify phished credentials, downloaded malware, or account compromises 


Phishing Attacks Increasingly Rely on Social Engineering 

Attack summary: COVID-19 phishing campaigns have delivered a wide range of payloads—fake sign-in pages, malware and maldocs, and more. Researchers at Symantec report that an increasing fraction of phishing campaigns now deliver no malicious links or attachments at all. Instead, campaigns are more likely to use purely text-based, social engineering attacks, including fake business propositions or, fake donation offers or requests.  


  • Train employees about the risk of social engineering attacks and provide guidance on best practices on engaging with inbound emails 
  • Use mail security tools to control spam and flag suspicious emails, even when they do not contain malicious links or attachments 

Source: symantec

3.Additional COVID-Related Attacks 

Android infostealer exploits COVID label 

Attack summary: this malicious application targets Android mobile users. It is labeled “COVID” and is presumably disseminated by pretending to offer COVID information. However, the app offers no actual functionality to the user. It simply extracts personal information, including contacts, calls, messages and device info, and transmits it to a C2 server.  



  • 2d84a8bbd77aee8432742dc28eef2da3 
  • 4271184bc33ee9672fe4713f14e43bd6 
  • 51a4472a506795e386906541c3483080 
  • a81c5c3da9d41069af9ab00780dbe09e 


  • Warn employees about the risk of third-party mobile applications 
  • Establish clear policies regarding what applications can be downloaded or used on work devices 
  • Use endpoint and detection and response tools to identify and block malware on employee mobile devices 


Home Chef Data Breach Exposes 8 Million User Records 

Attack summary: Home Chef is a US meal kit and food delivery service. After media reports regarding the sale of a large collection of user records on the dark web, Home Chef announced that it had been breached, exposing information including email, encrypted passwords, PII, and last four digits of the social security number.  


  • Establish strong password and MFA policies to prevent stolen credentials from being used to breach workplace accounts 
  • Account takeover risk solutions can help warn of the risk of business account compromise by previously breached credentials 




Previous Article
Lessons in Legal Cybersecurity: Grubman Shire Meiselas & Sacks and the Lady Gaga Data Leak
Lessons in Legal Cybersecurity: Grubman Shire Meiselas & Sacks and the Lady Gaga Data Leak

The attack against Grubman Shire Meiselas & Sacks illustrates what can happen when cybercriminals set their...

Next Article
Lessons Learned From COVID-Related Cyberattacks
Lessons Learned From COVID-Related Cyberattacks


Get cybersecurity updates delivered to your inbox.

First Name
Last Name
Yes, I’d like to receive marketing emails from Arctic Wolf about solutions of interest to me.
I agree to the Website Terms of Use and Arctic Wolf Privacy Policy.
Thanks for subscribing!
Error - something went wrong!