COVID-19 Weekly Threat Roundup: June 12

June 12, 2020

Welcome back to another edition of the Arctic Wolf COVID-19 Weekly Threat Roundup.  

This ongoing series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period.  

This news is designed to help your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we'll summarize key cybersecurity news for the week, organized by major themes.  

Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.  

Check out previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.  

1. COVID Phishing Updates 

Phishing Campaign Impersonates UK Government, uses Dropbox 

Attack summary: In this campaign, attackers impersonate the UK government’s Small Business Grants Fund. They target business owners with an email purporting to deliver a PDF regarding relief payments. The link leads to a Dropbox page, which in turn leads to a fake Office 365 login page, which steals the target’s credentials.  

Recommendations

  • Employees (including management and owners) should be warned of the risk of phishing campaigns impersonating expected emails 
  • Train employees not to login through suspicious, multi-step links 
  • Use account takeover risk solutions to identify compromised credentials available for sale online 
  • Use detection and response tools to identify active compromises of business accounts and malicious activity  

Sources: bleepingcomputer.com and abnormalsecurity.com

Phishing Campaign Impersonates Zoom Invite 

Attack summary: In this campaign, targets receive an email that contains a vague invitation to a Zoom meeting. Attackers registered a top-level domain that resembles a legitimate Zoom link with strategic misspellings—zoomcommuncations[.]com/ or zoomvideoconfrence[.]com/. When targets click the link to “REVIEW INVITATION” they are shuttled through several obscuring redirects to a phishing page hosted on Azure, which then attempts to harvest their Office 365 credentials.  

IOC(s)

Network IOC   

  • hxxps://r[.]smore[.]com/c?u=pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44?e5=REDACTED[@]company.com 
  • hXXp://www[.]pastell[.]in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44 
  • hXXps://logonmicrosftonlinezoomconference[.]azureedge[.]net/ 

IP 

  • 52[.]27[.]29[.]106  
  • 209[.]159[.]154[.]74 
  • 13[.]107[.]246[.]10 

Recommendations

  • Update mail, network, and endpoint security with latest IOCs to identify and block phishing attacks 
  • Use detection and response solution to identify when user credentials have been transmitted to attackers 

Source: cofense.com

COVID-Related Filenames Continue for Malware  

Attack summary: As the initial surge of attention to the COVID-19 pandemic has abated, phishing campaigns and other attackers have pivoted back to more traditional themes, such as fake financial emails, business communications, or package deliveries. However, even these traditional campaigns continue to contain COVID-19 elements, such as COVID-19 related filenames for malicious attachments. Researchers have identified COVID-related filenames for malicious software including GuLoader and Agent Tesla in recent campaigns.  

IOC(s)

Filenames 

  • 1015floopydiskonlinecovidvirus.bin 
  • distribucija zaštitne opreme covid-19 (ministarstvo zdravlja srbije) 2020 (136 kb) 
  • covid-19 testing kits.xls.exe 

Recommendations

  • Update endpoint security to block known malware strains 
  • Train employees about the ongoing risk of COVID-related phishing and malware 
  • Deploy detection and response solutions to rapidly identify systems compromised by malware, enabling effective response and remediation  

Source: crowdstrike.com

COVID Phishing May Have Driven Overall Phishing Spike  

Attack summary: The COVID-19 pandemic led to a dramatic rise in COVID-related phishing campaigns. However, defenders may have wondered: was COVID-19 phishing merely substitutive, or did it drive an increase in overall phishing? Researchers reviewing phishing trends over the past several years found a dramatic rise in phishing campaigns from Q4 2019 to Q1 2020 (growth of over 85%), which they attribute in part to more sophisticated phishing kit availability, and in part to COVID-19 phishing themes.    

Recommendations

  • Organizations should prioritize security solutions applicable to phishing, including mail security, employee training, and detection and response 

Source: symantec-enterprise

2. Health Institutions Targeted 

German PPE Ecosystem Under Attack 

Attack summary: this campaign targeted over one hundred high-ranking executives at a German corporation responsible for PPE procurement and related organizations. Attackers used advanced techniques to redirect individual targets to attacker-controlled login pages designed to steal Microsoft credentials. It is unclear how many accounts were compromised, and the attack campaign is still ongoing. The scale and sophistication of the attack indicate either a highly organized criminal group or state-sponsored actors.  

IOC(s)

IP 

  • 178[.]159[.]36[.]183 

Recommendations

  • Organizations involved with coronavirus-related procurement, even tangentially, should strengthen their security posture 
  • Consider detection and response solutions to identify advanced persistent threats, regardless of attack vector used 
  • Employ risk management solutions to identify and prioritize vulnerabilities most likely to be exploited by sophisticated attackers 

Source: securityintelligence.com

Netwalker Ransomware Continues to Hit Medical Targets 

Attack summary: in light of the COVID-19 pandemic, many threat actors reduced or delayed attacks against medical organizations. However, NetWalker, a ransomware strain typically delivered through malicious attachments or trojanized applications, continues to attack medical facilities. Attackers will also publish stolen data as a further means of leverage against targets.  

IOC(s)

SHA1 

  • bf38aca2c659f9eb2b2fa2fad82ccf55b496b0cb 
  • 77676865f875eff23699189f57c37c76b92ba2b9 
  • 8e7a5500007c1552e1231bd1157433f7ef638672 
  • e20a4cc7f13f517491e772ce9e5c236aad2785f0 
  • a2c17f04ce259125bc43c8d6227ef594df51f18a 
  • 3d845a707f2825746637922d7dd10fab18558209 
  • 03023d7e3a54d915cca82429dfeedb1bebd5c182 
  • 7301382916d9f5274a4fb847579f75bc69c9c24b 

SHA256 

  • 853fa18adc3f9263a0f98a9a257dd70d7e1aee0545ab47a114f44506482bd188 
  • bd3fdf1b50911d537a97cb93db13f2b4026f109ed23a393f262621faed81dae1 
  • 868cb8251a245c416cd92fcbd3e30aa7b7ca7c271760fa120d2435fd3bf2fde9 
  • 44b5d24e5e8fd8e8ee7141f970f76a13c89dd26c44b336dc9d6b61fda3abf335 
  • ce399a2d07c0851164bd8cc9e940b84b88c43ef564846ca654df4abf36c278e6 
  • 8587037c15463d10a17094ef8fa9f608cc20c99fa0206ce496b412f8c7f4a1b8 
  • ac0882d87027ac22fc79cfe2d55d9a9d097d0f8eb425cf182de1b872080930ec 
  • 346fdff8d24cbb7ebd56f60933beca37a4437b5e1eb6e64f7ab21d48c862b5b7 

Recommendations

  • Update endpoint security with hashes and IOCs to block ransomware 
  • Use detection and response solutions to identify ransomware attacks in progress and respond before key systems are encrypted or key data is stolen 

Source: labs.sentinelone.com

 

Previous Article
How a COVID-Inspired Cyber Fraud Cost Washington State Hundreds of Millions of Dollars
How a COVID-Inspired Cyber Fraud Cost Washington State Hundreds of Millions of Dollars

Find out how a massive unemployment fraud scheme cost Washington state hundreds of millions of dollars.

Next Article
Introducing Security Operations: The Path to Security Effectiveness
Introducing Security Operations: The Path to Security Effectiveness

The cybersecurity industry has an effectiveness problem. Despite constant innovation, high-profile breaches...

×

Get cybersecurity updates delivered to your inbox.

First Name
Last Name
Company
Country
Yes, I’d like to receive marketing emails from Arctic Wolf about solutions of interest to me.
I agree to the Website Terms of Use and Arctic Wolf Privacy Policy.
Thanks for subscribing!
Error - something went wrong!