Welcome back to the latest edition of the Arctic Wolf COVID-19 Weekly Threat Roundup.
This news is designed to help you and your team defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we'll summarize key cybersecurity news for the week, organized by major themes.
In each item we’ll include a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
You can read previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.
1. Institutional Attacks Target Governments, Hospitals, Supercomputers
Scattered Canary Defrauds IRS, States
Attack summary: A known threat group, Scattered Canary, is using a previously assembled database of stolen PII and a network of money mules to file fraudulent state unemployment insurance claims, as well as claims for financial relief under the CARES Act.
- State and local governments processing unemployment, and financial institutions processing loans and other aid, should enhance their fraud detection processes
- Train employees about the risks of revealing PII in phishing attacks; it may be used by attackers over an extended period
- Scattered Canary has built its criminal empire primarily through Business Email Compromise (BEC) attacks; use mail security and detection and response solutions to protect against BEC
Hacktivists Target Brazilian Government
Attack summary: Brazilian hacktivist groups are engaged in a coordinated and ongoing attack against the Brazilian government and health ministries, focusing on attempting to breach, release, and publicize government data.
- Organizations that may be targeted by hacktivist groups—including any organization involved in COVID-19 response—should perform internal audits for sensitive data and establish clear policies to restrict access
- Review existing vulnerabilities and risks and institute a patching and update cadence
- Detection and response solutions are a powerful line of defense against persistent, dedicated attackers
Romanian Hospital Ransomware Thwarted
Attack summary: According to the Romanian Directorate for Investigating Organized Crime and Terrorism, PentaGuard attackers planned a phishing campaign spoofing government information about COVID-19 to deliver the Locky or BadRabbit ransomware strains to hospital systems. Four individuals have been arrested in connection with the plan.
- Update mail security with the latest threat intelligence to identify and block malicious attachments
- Train employees about how to identify emails spoofing official sources, and how to identify likely malicious attachments
- Use detection and response solutions to identify and contain ransomware attacks before they can encrypt sensitive data
Academic Supercomputers Attacked
Attack summary: The UK National Supercomputing Service, ARCHER, announced that some of its user accounts may have been misused to gain unauthorized access to the service. It disabled access to the service as a whole while the investigation was ongoing. Statements suggest that other European supercomputers may also have been targeted. The attackers are presumed to be targeting COVID-19 research activities.
- All institutions with COVID-19 related activities should adjust their security posture in light of the elevated risk of account compromise attacks
- Use account takeover risk solutions to identify compromised credentials that may be used in account takeover attacks
- Use detection and response solutions to alert on impossible logins, or other suspicious behavior that may indicate account compromises
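The "impossible login" check in the last recommendation is simple enough to show end to end. The following is an added example, not Arctic Wolf's or ARCHER's code: it takes a handful of constructed authentication events (user, timestamp, source IP and an assumed geolocation for that IP), computes the great-circle distance between each user's consecutive logins, and raises an alert when the implied speed exceeds an assumed 900 km/h threshold. In a real deployment the coordinates would come from an IP-to-location database rather than being embedded in the event.

```python
"""Impossible-travel check over authentication events.

Added example (not Arctic Wolf's or ARCHER's code). The event format, the
coordinates and the 900 km/h threshold are assumptions; in production the
source IP would be geolocated with an IP-to-location database.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample events: (user, UTC timestamp, source IP, latitude, longitude).
SAMPLE_EVENTS = [
    ("alice", "2020-05-18T08:00:00Z", "203.0.113.10", 55.95, -3.19),   # Edinburgh
    ("alice", "2020-05-18T08:45:00Z", "198.51.100.7", 39.90, 116.40),  # Beijing, 45 min later
    ("bob",   "2020-05-18T09:00:00Z", "203.0.113.11", 55.95, -3.19),   # Edinburgh
    ("bob",   "2020-05-18T15:00:00Z", "203.0.113.12", 51.51, -0.13),   # London, 6 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive logins by one user whose implied speed exceeds max_speed_kmh.

    Short hops (under min_distance_km) are ignored so that neighbouring
    offices or a switch between home and mobile networks do not generate noise.
    """
    by_user = {}
    for user, ts, ip, lat, lon in events:
        by_user.setdefault(user, []).append((parse_ts(ts), ip, lat, lon))

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(evs, evs[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Same-second logins from distant places are treated as infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": ip1,
                    "to_ip": ip2,
                    "distance_km": round(dist),
                    "minutes": round(hours * 60),
                    "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events, only alice's Edinburgh-to-Beijing pair (roughly 7,900 km in 45 minutes) is flagged; bob's Edinburgh-to-London trip over six hours is well under the threshold. Shared VPN egress points and cloud provider ranges are the usual false-positive sources, so a production version would whitelist known corporate egress IPs before applying the speed test.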
Fresenius Attack Update: Patient Data Leaks
Attack summary: In our May 8 roundup, we reported on a ransomware attack against Fresenius, the largest private hospital operator in Europe. Attackers have now released some patient data and threatened a larger release if the ransom is not paid.
- Ransomware is typically delivered via phishing email, exposed or misconfigured RDP, or exploitation of a known software vulnerability
- Update and maintain mail security and employee training to mitigate phishing risk
- Use a risk management solution to identify, prioritize and address vulnerabilities and misconfigurations
- Add detection and response to alert on ransomware deployment in real time, before attackers can encrypt systems or exfiltrate data to hold hostage
2. COVID-19 Phishing Updates
Phishing Email Spoofs Microsoft Teams Notification
Attack summary: Remote work associated with the COVID-19 pandemic has led to a spike in usage of collaboration tools, including Microsoft Teams. In this attack, a phishing email impersonates a legitimate Teams message notification. The link leads to a phishing page that collects the target's credentials and then redirects the victim to the real Microsoft Office sign-in page to conceal the attack.
- Update mail security with the newest threat intel to identify and block phishing emails
- Use detection and response tools to alert on connections to known phishing domains and on signs of credential compromise
Malicious Excel Macros Abuse Legitimate Remote Access Tool
Attack summary: In this campaign, attackers impersonate the JHU COVID-19 daily update. The emails include an attached Excel file purporting to provide coronavirus case statistics. If the target enables macros as requested, the malicious workbook downloads NetSupport Manager. NetSupport is a legitimate remote access tool, but it is frequently abused by attackers as a remote access trojan.
- Train employees about the risks of malicious spreadsheets, and especially the risks of enabling macros
- Update mail and endpoint security with the latest threat intel to detect malicious attachments
- Use detection and response solutions to identify systems compromised with remote access malware, or connections to C2 servers
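Because the campaign above depends on a macro-enabled Excel attachment, a mail gateway can make a cheap first-pass decision by inspecting the attachment's container rather than its content. The following is an added example, not Arctic Wolf's code or anything from the campaign: modern Office files are zip archives, and a VBA project is stored as a `vbaProject.bin` part (and declared with the `application/vnd.ms-office.vbaProject` content type), so the check looks for either marker. Pre-2007 binary files (OLE2, magic bytes `D0 CF 11 E0 ...`) cannot be cleared by this check and are routed to a deeper parser. The sample workbooks built in-memory, the file names and the quarantine policy are constructed for the example.

```python
"""Flag Office attachments that carry a VBA project.

Added example (not Arctic Wolf's or the campaign's code). It inspects the
attachment's container format only; the sample workbooks, file names and the
placeholder vbaProject.bin content below are constructed for the example.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy binary .xls/.doc
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".xlsm", ".xlsb", ".xltm", ".docm", ".dotm", ".pptm")


def classify_attachment(data: bytes) -> str:
    """Return one of:
    'ooxml-macro'  - zip-based Office file containing a VBA project
    'ooxml-clean'  - zip-based Office file with no VBA project part
    'ole2-legacy'  - pre-2007 binary format; macros cannot be ruled out by
                     this check alone, hand it to a deeper parser (e.g. olevba)
    'other'        - not an Office container
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Also catch a VBA part declared under a non-standard path.
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    return "ooxml-macro"
    except zipfile.BadZipFile:
        return "other"
    return "ooxml-clean"


def should_quarantine(filename: str, data: bytes) -> bool:
    """Mail-gateway policy (assumed): hold anything with a VBA project or a
    macro-capable extension, plus legacy OLE2 files, for sandboxing or review."""
    verdict = classify_attachment(data)
    if verdict in ("ooxml-macro", "ole2-legacy"):
        return True
    return filename.lower().endswith(MACRO_EXTENSIONS)


def build_sample_workbook(with_macro: bool) -> bytes:
    """Construct a minimal zip that mimics the layout of an .xlsx/.xlsm.
    It is not a valid Excel file, just enough structure to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("Covid_stats.xlsx", False), ("Covid_stats.xlsx", True)):
        blob = build_sample_workbook(macro)
        print(name, classify_attachment(blob), "quarantine:", should_quarantine(name, blob))
```

The extension check matters because the classification ignores the file name: a workbook with a VBA project renamed to `.xlsx` is still caught by the container inspection, while a genuinely macro-free `.xlsm` is still held by policy so that the extension itself cannot be used to slip a document past the first filter.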
COVID Drives Increased Retail Phishing
Attack summary: Throughout the COVID-19 pandemic, there has been a sharp increase in COVID-related phishing campaigns. These campaigns have used themes around COVID information, government aid programs, remote work, and more. Researchers at Recorded Future have highlighted another area of elevated phishing: online retail, driven by the increased use of delivery shopping during stay-at-home orders. Online retail phishing campaigns typically spike in December (the holiday season) and decline thereafter. This year, campaigns in April exceeded the December 2019 spike, an 83% increase over April 2019.
- Alert employees of the risk of retail phishing campaigns
- Use mail security to detect these campaigns when they target employees’ work emails
- Use detection and response solutions to identify phished credentials, downloaded malware, or account compromises
Phishing Attacks Increasingly Rely on Social Engineering
Attack summary: COVID-19 phishing campaigns have delivered a wide range of payloads: fake sign-in pages, malware and maldocs, and more. Researchers at Symantec report that an increasing fraction of phishing campaigns now deliver no malicious links or attachments at all. Instead, campaigns are more likely to use purely text-based social engineering, including fake business propositions and fake donation offers or requests.
- Train employees about the risk of social engineering attacks and provide guidance on best practices on engaging with inbound emails
- Use mail security tools to control spam and flag suspicious emails, even when they do not contain malicious links or attachments
3. Additional COVID-Related Attacks
Android Infostealer Exploits COVID Label
Attack summary: This malicious application targets Android mobile users. It is labeled "COVID" and is presumably disseminated by pretending to offer COVID information. However, the app offers no actual functionality to the user. It simply harvests personal information, including contacts, call logs, messages and device information, and transmits it to a C2 server.
- Warn employees about the risk of third-party mobile applications
- Establish clear policies regarding what applications can be downloaded or used on work devices
- Use endpoint and detection and response tools to identify and block malware on employee mobile devices
Home Chef Data Breach Exposes 8 Million User Records
Attack summary: Home Chef is a US meal kit and food delivery service. After media reports regarding the sale of a large collection of user records on the dark web, Home Chef announced that it had been breached, exposing information including email addresses, encrypted passwords, other PII, and the last four digits of users' Social Security numbers.
- Establish strong password and MFA policies to prevent stolen credentials from being used to breach workplace accounts
- Account takeover risk solutions can warn when employees' business accounts reuse credentials exposed in earlier breaches
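The second recommendation, checking whether a credential has already appeared in a breach, can be done without ever sending the password to the checking service. The following is an added example, not Arctic Wolf's or Home Chef's code. It follows the k-anonymity range scheme used by public pwned-password services: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix with that prefix, and searches that range locally. The range data below is constructed for the example (the first suffix is the real SHA-1 suffix of the string "password", the counts are made up), and `local_range_lookup` stands in for the HTTPS call a real deployment would make. The 12-character minimum in the policy gate is also an assumption.

```python
"""Check a candidate password against a breach corpus without sending it.

Added example (not Arctic Wolf's or Home Chef's code). Only the first five hex
characters of the password's SHA-1 hash would leave the client; the returned
range of suffixes is searched locally. The range data, the counts and the
12-character minimum are constructed/assumed for the example.
"""
import hashlib

# Constructed range data keyed by SHA-1 prefix, in "SUFFIX:COUNT" lines.
# The first entry is the real SHA-1 suffix of the string "password"; the
# counts and the second suffix are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    ),
}


def split_sha1(password: str):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def local_range_lookup(prefix: str) -> str:
    """Stand-in for the network call; returns an empty range for unknown prefixes."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def parse_range(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} dict."""
    counts = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, lookup=local_range_lookup) -> int:
    """Number of times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def password_acceptable(password: str, min_length: int = 12, lookup=local_range_lookup):
    """Policy gate (assumed): reject short passwords and any password seen in a breach."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password, lookup)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), password_acceptable(candidate))
```

Because the lookup is by hash prefix only, the service learns nothing beyond the fact that one of the roughly 16^35 possible suffixes is being checked; the same pattern applies whether the corpus is a public service or an internal list of credentials recovered from a breach like the one above.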