COVID-19 Weekly Threat Roundup: April 24

April 24, 2020

Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup. 

This series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period. This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic.

Every Friday we will summarize key cybersecurity news for the week, organized by major themes. In each item we’ll include a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.

You can read previous roundups on our COVID-19 resources feed, highlighted with the orange threat roundup banner.   

1. Remote Work Attacks Continue

Phishing Campaign Impersonates Skype

Attack summary: Video teleconferencing platforms have emerged as a major site of attacks and theme of phishing campaigns. In this campaign, attackers imitated a legitimate alert from Skype regarding pending emails, including spoofing a credible Skype phone number and email address. The link leads to a fake login page on a .app TLD, which enhances credibility through an HTTPS connection and use of the target’s employer’s name.

IOC(s):

Network:

  • hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
  • hxxps://skype-online0345[.]web[.]app

Recommendations:

  • Warn employees about the risk of phishing campaigns impersonating business services, including messages or log-in pages using organization name, logo, etc.
  • Consider detection and response solutions to detect phishing as well as account takeover risk associated with compromised accounts.

Source: cofense.com

Phishing Campaign Imitates HR Department Remote Work Announcement

Attack summary: In this attack, threat actors sent emails purporting to be from HR and requesting employees enroll in remote work policies or services. The emails linked to a malicious Microsoft Sway source. Since Sway is often trusted, this attack vector allowed them to evade existing mail security tools and deceive targets. The attack then collected emails and passwords.

IOC(s):

URLs: 

  • hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link
  • hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx

IP addresses: 

  • 52[.]109[.]12[.]51
  • 13[.]107[.]136[.]9  

Recommendations:

  • Inform employees of company policies on secure information. Let them know that HR will never request passwords through online forms.
  • Train employees about the risk of phishing attacks exploiting Sway and other credible services
  • Implement detection and response services to rapidly detect credential compromise, or account takeover risk services to be informed of compromised accounts. 

Source: cofense.com

Zoom User Enumeration Threat Discovered, Remediated 

Attack summary: Talos security reports that Zoom’s user search functionality, designed to allow users to search for contacts within their organization, could be exploited. The search function did not validate that the requestor belonged to the organization being searched, allowing outside actors to retrieve detailed registered user information. Zoom has since patched the issue.

Recommendations:

  • Since Zoom has patched the issue, no immediate action is required to secure the service.
  • However, IT teams should be aware, and should inform employees, that Zoom usernames and employee names may have been exposed, and could be used in future threats. 

Source: talosintelligence.com

Zoombombing Hits US Congress Meeting  

Attack summary: Zoombombing, where unauthorized users join and disrupt a Zoom call, has become a high-profile issue since COVID-19 dramatically increased use of the video teleconferencing service. Recently, a Congressional letter revealed that a member briefing on April 3 was Zoombombed at least three times.

Recommendations:

  • Ensure that video teleconferencing services require a password for all business meetings

Source: threatpost.com

2. COVID Related Attacks by State Actors

Google’s Threat Analysis Group (TAG) Identifies COVID-Themed Attacks By State Actors

Attack summary: TAG published a report discussing over a dozen COVID-themed attacks by state actors. The attackers used COVID-themed messages as phishing and malware lures. TAG highlighted a campaign that targeted US government employees with supposed fast food coupons. TAG also noted that state actors have been targeting international and national health organizations. 

Recommendations:

  • Security teams at health organizations should reassess their posture in light of increased threats from state actors
  • Mail security and phishing awareness training should be enhanced
  • Detection and response solutions can help detect advanced persistent attackers, such as state attackers, who are attempting to compromise or have compromised business systems.  

Source: blog.google/technology

Suspected Vietnamese threat actors APT32 target Chinese government 

Attack summary: APT32 carried out a range of intrusion campaigns against Chinese government targets, including spearphishing against the Ministry of Emergency Management as well as the government of Wuhan. The attacks utilized a decoy document (a New York Times article with a Chinese file title) to install the METALJACK payload. The objective of this campaign was likely to collect nonpublic information from the Chinese government about the COVID-19 outbreak. 

IOC(s):

Domains

  • m.topiccore[.]com
  • jcdn.jsoid[.]com
  • libjs.inquirerjs[.]com
  • vitlescaux[.]com

Email address:

  • lijianxiang1870@163[.]com

Recommendations:

  • Institutions with nonpublic COVID information should review and enhance security posture
  • Mail and endpoint security should be updated with the most recent threat intelligence to detect malicious domains, addresses, and files

Source: fireeye.com

3. Institutions, NGOs Breached

Emails and credentials for WHO, NIH, Gates Foundation dumped online 

Attack summary: Unknown actors released a text file containing 25,000 email addresses and passwords supposedly belonging to WHO, NIH, and the Gates Foundation. The link to the file was posted on 4Chan, and it has subsequently been redistributed in far-right extremist spaces. The accounts may have been compromised in an earlier attack and purchased or shared on the dark web.

Recommendations:

  • Implement account takeover risk solutions to identify compromised credentials available for download
  • Use multi-factor authentication to prevent compromised credentials from exposing official services

Source: washingtonpost.com

Attackers Use Pulse Secure VPN Vulnerability to Attack Hospitals, Government Entities 

Attack summary: A remote code execution vulnerability was identified in the Pulse Secure VPN over a year ago. Pulse has since issued a patch, but unpatched versions of the software remain active, and credentials exposed through the vulnerability can still be exploited after the vulnerability is patched. The US Cybersecurity and Infrastructure Security Agency (CISA) released a bulletin about this ongoing threat, revealing that hospitals and government entities have had credentials stolen and been attacked with ransomware, and issuing new tools for network administrators to use to secure their environments.

IOC(s):

CISA detected a threat actor renaming executable files to avoid application whitelisting and AV protections.

  • Filename: t.py  Hash: 5669b1fa6bd8082ffe306aa6e597d7f5
  • Filename: g.py Hash: 61eebf58e892038db22a4d7c2ee65579

Recommendations:

  • Patch Pulse Secure VPN and, if necessary, update all credentials that may have been exposed through this vulnerability. 
  • Review the CISA bulletin and use its tool to determine if your organization has been breached by this attack.
  • Implement a vulnerability management solution to ensure that patches are made promptly, and ranked according to exploitation by attackers. 

Source: us-cert.gov

FBI Alerts of Phishing Attacks Against Hospitals and Healthcare Providers

Attack summary: The FBI reports that on March 18, US hospitals and healthcare providers reported a wave of phishing attacks with COVID-related themes, including informational updates and purchase orders. Malicious payloads included Microsoft Word, zipped files, Visual Basic, Java, and Microsoft Executables. 

Recommendations:

  • Review the FBI bulletin for a comprehensive list of IOCs and ensure mail and endpoint security are up to date with these indicators
  • Ensure detection and response capabilities are in place to identify any persistent compromise 

Source: documentcloud.org

4. Small Business Administration (SBA) Leaks and Attacks

Loan requestor personal information may have been exposed. 

Attack summary: The US COVID aid package included funding for small business loans and grants. To access funds, small businesses needed to apply and provide detailed personal information. The loan application site had an error which may have exposed applicants’ data to other applicants, including social security and tax numbers, financial information and more.

Recommendations:

  • Remain aware that legitimate sites may leak information, especially if development and release have been rushed.

Source: cnbc.com

SBA Spoofed to Distribute Remote Access Trojan

Attack summary: In this attack, malicious actors impersonate the SBA, with a spoofed email and authentic-seeming header. The email claims to be in response to an application for a loan or grant, and directs the recipient to download an attachment and submit it to the SBA. This mirrors actual SBA workflows. However, the attachment runs a process to download Remcos malware.

IOC(s):

  • C2 server IPs: 216[.]38[.]7[.]245, 23[.]105[.]131[.]161
  • C2 server URL: cqjcc[.]org
  • MD5 hashes: 1A1ED019D2B44305D3D0628BCE6FC8DD, 0f73c307276f688efb6b3052b68423a9 

Recommendations:

  • Ensure that mail, perimeter, and endpoint security are up to date and will effectively block IOCs from this attack.
  • Remind employees that phishing campaigns may impersonate a valid, expected email.
  • Use detection and response to identify compromised devices connecting with malicious servers.

Source: exchange.xforce.ibmcloud.com
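The IOC lists in this roundup are published in defanged form (hxxps, [.]), so before they can be used in a log search they have to be refanged and normalized. The following script is added here as a worked example; it is not Arctic Wolf's own tooling. It refangs the indicators quoted above, extracts hostnames from the URL indicators, and matches domains, IP addresses and MD5 hashes against a handful of DNS, proxy and EDR log lines that are constructed for illustration and are not real telemetry.

```python
"""Refang the defanged indicators from this roundup and search sample logs
for them. Added example, not Arctic Wolf's own tooling; the log lines below
are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Indicators copied from this roundup, still in their defanged form.
DEFANGED_IOCS = {
    "url": [
        "hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5",
        "hxxps://skype-online0345[.]web[.]app",
        "hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link",
        "hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/"
        "enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx",
    ],
    "domain": ["m.topiccore[.]com", "jcdn.jsoid[.]com",
               "libjs.inquirerjs[.]com", "vitlescaux[.]com", "cqjcc[.]org"],
    "ip": ["52[.]109[.]12[.]51", "13[.]107[.]136[.]9",
           "216[.]38[.]7[.]245", "23[.]105[.]131[.]161"],
    "md5": ["5669b1fa6bd8082ffe306aa6e597d7f5", "61eebf58e892038db22a4d7c2ee65579",
            "1A1ED019D2B44305D3D0628BCE6FC8DD", "0f73c307276f688efb6b3052b68423a9"],
}


def refang(value):
    """Undo common defanging: '[.]' -> '.', leading 'hxxp' -> 'http'."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def build_ioc_sets(defanged):
    """Normalise indicators into lowercase lookup sets; URL indicators
    contribute their hostname to the domain set."""
    sets = {"domain": set(), "ip": set(), "md5": set()}
    for d in defanged["domain"]:
        sets["domain"].add(refang(d).lower())
    for u in defanged["url"]:
        host = urlsplit(refang(u)).hostname  # urlsplit lowercases the host
        if host:
            sets["domain"].add(host)
    for ip in defanged["ip"]:
        sets["ip"].add(refang(ip))
    for h in defanged["md5"]:
        sets["md5"].add(h.lower())
    return sets


IOCS = build_ioc_sets(DEFANGED_IOCS)

# Token extractors. The lookarounds stop '10.0.0.5' from matching as a domain
# fragment and stop a 32-hex substring of a longer hash from matching as MD5.
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
MD5_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{32})(?![0-9a-f])", re.I)

# Constructed log lines (DNS, proxy, EDR); not real telemetry.
SAMPLE_LOGS = [
    "2020-04-20T10:01:02Z dns client=10.0.0.5 query=m.topiccore.com type=A",
    "2020-04-20T10:01:05Z proxy client=10.0.0.7 dst=23.105.131.161:443 host=cqjcc.org",
    "2020-04-20T10:02:11Z dns client=10.0.0.9 query=www.example.com type=A",
    "2020-04-20T10:03:40Z edr host=WS-12 path=C:\\Users\\a\\t.py md5=5669B1FA6BD8082FFE306AA6E597D7F5",
    "2020-04-20T10:04:00Z proxy client=10.0.0.7 dst=203.0.113.10:443 host=jhqvy.app.link",
]


def match_line(line, iocs=IOCS):
    """Return (kind, indicator) pairs for every known indicator in one line."""
    hits = []
    for kind, regex in (("domain", DOMAIN_RE), ("ip", IP_RE), ("md5", MD5_RE)):
        for m in regex.finditer(line):
            token = m.group(1).lower()
            if token in iocs[kind]:
                hits.append((kind, token))
    return hits


def scan(lines, iocs=IOCS):
    """Return (line_number, kind, indicator) for every hit across the lines."""
    return [(n, kind, ioc)
            for n, line in enumerate(lines, 1)
            for kind, ioc in match_line(line, iocs)]


if __name__ == "__main__":
    for n, kind, ioc in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {ioc}")
```

Run it directly to print the hits against the sample lines, or call scan() over lines read from a real log. Indicators that live on shared cloud infrastructure (the Sway and SharePoint URLs and the IP addresses listed with them) will also match legitimate use of those Microsoft services, so treat those hits as triage leads to be checked against the full URL and sender rather than as block rules; the attacker-controlled domains and the file hashes are the higher-confidence matches.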

 
