Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup.
This series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period. This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic.
Every Friday we will summarize key cybersecurity news for the week, organized by major themes. In each item we’ll include a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
You can read previous roundups on our COVID-19 resources feed, highlighted with the orange threat roundup banner.
1. Remote Work Attacks Continue
Phishing Campaign Impersonates Skype
Attack summary: Video teleconferencing platforms have emerged as a major site of attacks and theme of phishing campaigns. In this campaign, attackers imitated a legitimate alert from Skype regarding pending emails, including spoofing a credible Skype phone number and email address. The link leads to a fake login page on a .app TLD, which enhances credibility through an HTTPS connection and use of the target’s employer’s name.
- Warn employees about the risk of phishing campaigns impersonating business services, including messages or log-in pages using organization name, logo, etc.
- Consider detection and response solutions to detect phishing as well as account takeover risk associated with compromised accounts.
Phishing Campaign Imitates HR Department Remote Work Announcement
Attack summary: In this attack, threat actors sent emails purporting to be from HR and requesting that employees enroll in remote work policies or services. The emails linked to a malicious page hosted on Microsoft Sway. Because Sway is a legitimate Microsoft service that is often trusted, this attack vector allowed them to evade existing mail security tools and deceive targets. The page then collected email addresses and passwords.
- Inform employees of company policies on secure information. Let them know that HR will never request passwords through online forms.
- Train employees about the risk of phishing attacks exploiting Sway and other credible services.
- Implement detection and response services to rapidly detect credential compromise, or account takeover risk services to be informed of compromised accounts.
Zoom User Enumeration Threat Discovered, Remediated
Attack summary: Talos security reports that Zoom’s user search functionality, designed to allow users to search for contacts within their organization, could be exploited. The search function did not validate that the requestor belonged to the organization being searched, allowing outside actors to retrieve detailed registered user information. Zoom has since patched the issue.
- Since Zoom has patched the issue, no immediate action is required to secure the service.
- However, IT teams should be aware, and should inform employees, that Zoom usernames and employee names may have been exposed and could be used in future threats.
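The Zoom issue above is an instance of a general authorization bug: a directory search that filters by an organization identifier taken from the request, without checking that the caller is a member of that organization. The following is an added example, not Zoom's code or anything from the Talos report, showing the missing check beside the hardened form. The user records, organization identifiers and search behaviour are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    name: str
    email: str


# Constructed sample directory: registered users of two separate organizations.
DIRECTORY = [
    User("u1", "org-a", "Alice Example", "alice@org-a.example"),
    User("u2", "org-a", "Bob Example", "bob@org-a.example"),
    User("u3", "org-b", "Carol Example", "carol@org-b.example"),
]


class AuthorizationError(Exception):
    """Raised when a requester asks for data belonging to another organization."""


def _filter(org_id: str, query: str) -> List[Dict[str, str]]:
    # Shared lookup: case-insensitive substring match on the display name
    # within a single organization. Only name and email are returned.
    q = query.lower()
    return [
        {"name": u.name, "email": u.email}
        for u in DIRECTORY
        if u.org_id == org_id and q in u.name.lower()
    ]


def search_contacts_unchecked(requester: User, org_id: str, query: str) -> List[Dict[str, str]]:
    """Vulnerable pattern: the org_id comes straight from the request and the
    requester's own membership is never checked, so any authenticated user can
    enumerate any organization's directory."""
    return _filter(org_id, query)


def search_contacts(requester: User, org_id: str, query: str) -> List[Dict[str, str]]:
    """Hardened pattern: the membership check happens before any data is read.
    A stricter variant would ignore the client-supplied org_id entirely and use
    requester.org_id, which removes the parameter as an attack surface."""
    if requester.org_id != org_id:
        raise AuthorizationError("requester is not a member of the requested organization")
    return _filter(org_id, query)


if __name__ == "__main__":
    outsider = DIRECTORY[2]  # member of org-b
    print("unchecked:", search_contacts_unchecked(outsider, "org-a", ""))  # leaks org-a
    try:
        search_contacts(outsider, "org-a", "")
    except AuthorizationError as exc:
        print("hardened:", exc)
```

The point for defenders reviewing their own directory or search endpoints is the placement of the check: it must be tied to the authenticated identity and evaluated server-side before the query runs, not inferred from the identifier the client sent.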
Zoombombing Hits US Congress Meeting
Attack summary: Zoombombing, where unauthorized users join and disrupt a Zoom call, has become a high-profile issue since COVID-19 dramatically increased use of the video teleconferencing service. Recently, a Congressional letter revealed that a member briefing on April 3 was Zoombombed at least three times.
- Ensure that video teleconferencing services require a password for all business meetings.
2. COVID Related Attacks by State Actors
Google’s Threat Analysis Group (TAG) Identifies COVID-Themed Attacks By State Actors
Attack summary: TAG published a report discussing over a dozen COVID-themed attacks by state actors. The attackers used COVID-themed messages as phishing and malware lures. TAG highlighted a campaign that targeted US government employees with supposed fast food coupons. TAG also noted that state actors have been targeting international and national health organizations.
- Security teams at health organizations should reassess their posture in light of increased threats from state actors.
- Mail security and phishing awareness training should be enhanced.
- Detection and response solutions can help detect advanced persistent attackers, such as state attackers, who are attempting to compromise or have compromised business systems.
Suspected Vietnamese threat actors APT32 target Chinese government
Attack summary: APT32 carried out a range of intrusion campaigns against Chinese government targets, including spearphishing against the Ministry of Emergency Management as well as the government of Wuhan. The attacks utilized a decoy document (a New York Times article with a Chinese file title) to install the METALJACK payload. The objective of this campaign was likely to collect nonpublic information from the Chinese government about the COVID-19 outbreak.
- Domain: vitlescaux[.]com
- Email address:
- Institutions with nonpublic COVID information should review and enhance security posture
- Mail and endpoint security should be updated with the most recent threat intelligence to detect malicious domains, addresses, and files
3. Institutions, NGOs Breached
Emails and credentials for WHO, NIH, Gates Foundation dumped online
Attack summary: Unknown actors released a text file containing 25,000 email addresses and passwords supposedly belonging to WHO, NIH, and the Gates Foundation. The link to the file was posted on 4Chan, and it has subsequently been redistributed in far-right extremist spaces. The accounts may have been compromised in an earlier attack and purchased or shared on the dark web.
- Implement account takeover risk solutions to identify compromised credentials available for download
- Use multi-factor authentication to prevent compromised credentials from exposing official services
Attackers Use Pulse Secure VPN Vulnerability to Attack Hospitals, Government Entities
Attack summary: A remote code execution vulnerability was identified in the Pulse Secure VPN over a year ago. Pulse has since issued a patch, but unpatched versions of the software remain active, and credentials exposed through the vulnerability can still be exploited after the vulnerability is patched. The US Cybersecurity and Infrastructure Security Agency (CISA) released a bulletin about this ongoing threat, revealing that hospitals and government entities have had credentials stolen and been attacked with ransomware, and issuing new tools for network administrators to use to secure their environments.
CISA detected a threat actor renaming executable files to avoid application whitelisting and AV protections.
- Filename: t.py Hash: 5669b1fa6bd8082ffe306aa6e597d7f5
- Filename: g.py Hash: 61eebf58e892038db22a4d7c2ee65579
- Patch Pulse Secure VPN and, if necessary, update all credentials that may have been exposed through this vulnerability.
- Review the CISA bulletin and use the tool it provides to determine whether your organization has been breached by this attack.
- Implement a vulnerability management solution to ensure that patches are made promptly, and ranked according to exploitation by attackers.
FBI Alerts of Phishing Attacks Against Hospitals and Healthcare Providers
Attack summary: The FBI reports that on March 18, US hospitals and healthcare providers reported a wave of phishing attacks with COVID-related themes, including informational updates and purchase orders. Malicious payloads included Microsoft Word, zipped files, Visual Basic, Java, and Microsoft Executables.
- Review the FBI bulletin for a comprehensive list of IOCs and ensure mail and endpoint security are up to date with these indicators
- Ensure detection and response capabilities are in place to identify any persistent compromise
4. Small Business Administration (SBA) Leaks and Attacks
Loan requestor personal information may have been exposed.
Attack summary: The US COVID aid package included funding for small business loans and grants. To access funds, small businesses needed to apply and provide detailed personal information. The loan application site had an error which may have exposed applicants’ data to other applicants, including social security and tax numbers, financial information, and more.
- Remain aware that legitimate sites may leak information, especially if development and release have been rushed.
SBA Spoofed to Distribute Remote Access Trojan
Attack summary: In this attack, malicious actors impersonate the SBA, with a spoofed email and authentic-seeming header. The email claims to be in response to an application for a loan or grant, and directs the recipient to download an attachment and submit it to the SBA. This mirrors actual SBA workflows. However, the attachment runs a process that downloads Remcos malware.
- C2 server IPs: 216[.]38[.]7[.]245, 23[.]105[.]131[.]161
- C2 server URL: cqjcc[.]org
- MD5 hashes: 1A1ED019D2B44305D3D0628BCE6FC8DD, 0f73c307276f688efb6b3052b68423a9
- Ensure that mail, perimeter, and endpoint security are up to date and will effectively block IOCs from this attack.
- Remind employees that phishing campaigns may impersonate a valid, expected email.
- Use detection and response to identify compromised devices connecting with malicious servers.
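Several items in this roundup (the APT32 domain, the CISA Pulse Secure hashes, and the SBA/Remcos IPs, domain and hashes) publish indicators in defanged form. The following added example, which is not Arctic Wolf's tooling or anything from the cited bulletins, shows the two checks a security team would typically run with such a list: refanging the indicators and matching them against proxy/DNS log lines, and matching file hashes from an endpoint inventory regardless of file name, which is what catches the renamed-executable trick CISA noted. The log format and the endpoint inventory are constructed for illustration; the indicator values are the ones listed on this page.

```python
import hashlib
import re
from typing import Dict, List, Set

# Indicators exactly as published above, still defanged.
DEFANGED_DOMAINS = ["vitlescaux[.]com", "cqjcc[.]org"]
DEFANGED_IPS = ["216[.]38[.]7[.]245", "23[.]105[.]131[.]161"]
KNOWN_MD5 = {
    "5669b1fa6bd8082ffe306aa6e597d7f5": "t.py (CISA Pulse Secure bulletin)",
    "61eebf58e892038db22a4d7c2ee65579": "g.py (CISA Pulse Secure bulletin)",
    "1a1ed019d2b44305d3d0628bce6fc8dd": "SBA-themed Remcos attachment",
    "0f73c307276f688efb6b3052b68423a9": "SBA-themed Remcos attachment",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into the form seen in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS: Set[str] = {refang(d) for d in DEFANGED_DOMAINS}
IPS: Set[str] = {refang(i) for i in DEFANGED_IPS}

# Loose patterns for hostnames and IPv4 addresses as they appear in proxy/DNS logs.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per listed domain/IP found in each log line.
    Subdomains of a listed domain are also flagged."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in DOMAINS or any(h.endswith("." + d) for d in DOMAINS):
                hits.append({"line": n, "type": "domain", "indicator": h})
        for ip in IP_RE.findall(line):
            if ip in IPS:
                hits.append({"line": n, "type": "ip", "indicator": ip})
    return hits


def md5_of_bytes(data: bytes) -> str:
    """MD5 of file content; used only because the published indicators are MD5."""
    return hashlib.md5(data).hexdigest()


def match_hashes(inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """inventory maps a file path to its MD5 as exported by an endpoint agent.
    Matching on the digest, not the name, is what defeats file renaming."""
    hits = []
    for path, digest in inventory.items():
        label = KNOWN_MD5.get(digest.lower())
        if label:
            hits.append({"path": path, "md5": digest.lower(), "label": label})
    return hits


# Constructed sample proxy log (not real traffic); lines 2 and 4 reference listed IOCs.
SAMPLE_PROXY_LOG = [
    "2020-04-24T09:12:01Z src=10.0.4.17 dst=104.16.0.1 host=www.example.org status=200",
    "2020-04-24T09:13:44Z src=10.0.4.17 dst=23.105.131.161 host=cqjcc.org status=200",
    "2020-04-24T09:14:02Z src=10.0.4.22 dst=172.16.9.9 host=mail.corp.example status=302",
    "2020-04-24T09:15:30Z src=10.0.4.31 dst=216.38.7.245 host=- status=408",
]

# Constructed endpoint inventory: the second entry carries a listed hash under an
# innocuous file name, the pattern CISA described.
SAMPLE_INVENTORY = {
    "/opt/app/notes.txt": md5_of_bytes(b"constructed benign file"),
    "/tmp/.cache/update.bin": "5669B1FA6BD8082FFE306AA6E597D7F5",
}

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_PROXY_LOG):
        print("log hit:", hit)
    for hit in match_hashes(SAMPLE_INVENTORY):
        print("hash hit:", hit)
```

In practice the indicator sets would be loaded from the vendor bulletins rather than hard-coded, and the hash check should be extended to whatever stronger digests (SHA-256) the bulletins provide, since MD5 collisions are cheap to produce.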