The COVID Threat Roundup series provides information designed to help you and your team further defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Each month we summarize key cybersecurity news, organized by major themes.
Each entry includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
You can read previous roundups on our COVID-19 blog feed.
1. Vaccine Pipeline Under Cyberattack
State-Sponsored APT Groups Attack Vaccine Research Firms
Attack summary: Microsoft announced that at least three advanced persistent threat (APT) groups, including Russia’s Fancy Bear and North Korea’s Lazarus and Strontium, have attacked at least seven global organizations involved in vaccine research.
Fancy Bear has used password-spraying attacks, while Lazarus and Strontium have employed spear phishing, impersonating recruiters and the WHO (World Health Organization) respectively. At least some of these attacks have been successful, though the extent of the breaches is not known.
- To prevent password-spraying attacks, invest in account takeover risk solutions
- To prevent and mitigate spear phishing, invest in employee training, mail security, and account compromise detection and response
- All organizations at risk from APT groups should invest in vulnerability management and other security posture-hardening approaches
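Password spraying of the kind described above is easy to miss with per-account lockout rules, because each account sees only one or two failures. The script below is an added example, not code from the roundup or from Arctic Wolf: it scans constructed authentication log lines and flags a source that fails against many distinct accounts with few attempts each, while leaving a single-account brute force and an ordinary mistyped password alone. The log format, field names and thresholds are assumptions to adapt to your own identity provider export.

```python
# Added example (not from the roundup): password-spray detection over
# constructed authentication log lines. Format and thresholds are assumptions.
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 sprays one guess across many accounts (and
# lands on erin), 198.51.100.9 brute-forces a single account, 192.0.2.5 is a
# user who mistypes once. Only the first pattern should alert.
SAMPLE_LOG = """\
2020-11-20T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-11-20T08:00:02Z src=203.0.113.7 user=bob result=FAIL
2020-11-20T08:00:03Z src=203.0.113.7 user=carol result=FAIL
2020-11-20T08:00:04Z src=203.0.113.7 user=dave result=FAIL
2020-11-20T08:00:05Z src=203.0.113.7 user=erin result=SUCCESS
2020-11-20T08:01:00Z src=198.51.100.9 user=frank result=FAIL
2020-11-20T08:01:01Z src=198.51.100.9 user=frank result=FAIL
2020-11-20T08:01:02Z src=198.51.100.9 user=frank result=FAIL
2020-11-20T08:02:00Z src=192.0.2.5 user=grace result=FAIL
2020-11-20T08:02:30Z src=192.0.2.5 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def parse(log_text):
    """Yield (source, user, succeeded) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "SUCCESS"

def detect_spray(log_text, min_users=4, max_failures_per_user=2):
    """Flag sources that fail against many distinct accounts with only a few
    tries each: the low-and-slow shape that per-account lockouts never see.
    Returns {source: {"users": n, "failures": n, "successes": [user, ...]}}."""
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(list)
    for src, user, ok in parse(log_text):
        if ok:
            successes[src].append(user)
        else:
            failures[src][user] += 1
    alerts = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_failures_per_user:
            alerts[src] = {"users": len(per_user),
                           "failures": sum(per_user.values()),
                           "successes": successes.get(src, [])}
    return alerts
```

A success following a run of single failures from the same source (the `successes` list) is the entry to escalate first, since it marks an account the spray actually landed on.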
Malware Disrupts Antigen Firm for Weeks
Attack summary: Miltenyi Biotech, a German biotech firm supplying SARS-CoV-2 antigens, announced that it had been experiencing ongoing disruption related to malware for several weeks. No information was provided about the specific malware strains responsible, and to date there is no evidence that customer data was compromised.
- Implement risk-management solutions to identify and patch known vulnerabilities and misconfigurations across systems
- Use detection and response tools to identify the spread of malware before it can disrupt business operations
Americold Hit With Likely Ransomware
Attack summary: Americold is a leading operator of temperature-controlled warehouses, providing a vital service to the distribution chain of COVID vaccines and other medical supplies. It was recently hit with a cyberattack disrupting its phone systems, email, inventory management, and order fulfillment. Americold has made no official statement, but sources suggest the cyberattack may have been a ransomware incident.
- To prevent ransomware from being distributed through phishing or malicious attachments, deploy mail security and train employees on email best practices
- To prevent ransomware that exploits known software vulnerabilities, invest in vulnerability management solutions to prioritize and patch
- To prevent ransomware that spreads through Remote Desktop Protocol or other management tools, review permissions and configurations for these capabilities
- To rapidly identify and contain a ransomware attack, invest in detection and response solutions
2. Pandemic-Tracking Apps Threaten Privacy
Philippines COVID App Exposes Secure Data
Attack summary: COVID-KAYA is a purpose-built app deployed in the Philippines to allow healthcare workers to automate collection and sharing of case information with the Department of Health. Security researchers found that this app had vulnerabilities that exposed information meant to be protected, potentially including patient data.
- Custom apps developed on an emergency basis may not fulfill security best practices. Warn employees about the risks of such applications and carefully audit any considered for business use.
Many COVID Apps Collect Sensitive Data
Attack summary: Since the beginning of the pandemic, governments and other organizations have invested in mobile applications designed to track the spread of COVID-19, warn individuals who may have been exposed, and disseminate public health information. These apps have also repeatedly raised privacy concerns. A recent review by security researchers found that many of these apps collect a wide range of sensitive data.
- Warn employees about the privacy risks of COVID-19 apps used in your region, especially if they may be installing these apps on devices with company data or functions
3. COVID Phishing Update
Phishing Attack Pretends to Be a Sick Leave Policy Update
Attack summary: COVID-related themes continue to be a mainstay of phishing campaigns. In this attack, threat actors impersonate team members, sharing a document with an updated sick leave policy related to COVID. The malicious URL leads to a fake login page that attempts to harvest user credentials.
- URL: hXXps://objectstorage[.]us-sanjose-1[.]oraclecloud[.]com/n/ax7ybehehrcl/b/office-100345/o/index.html
- IP: 134[.]70[.]124[.]2
- Train employees about the risk of phishing campaigns, including ones impersonating internal policy distribution
- Clarify procedures for sharing company-wide information
- Update mail security to block malicious emails
- Use detection and response solutions to identify compromised credentials before they can be exploited by attackers
Phishing Impersonates UK Government Grant
Attack summary: Another ongoing theme of phishing campaigns has been the impersonation of government or other relief agencies. In this campaign, attackers purport to be HM Revenue and Customs, a UK government department, offering grants to individuals impacted by the COVID-19 pandemic. The email led to a site that collected valuable PII and transmitted it to the attackers.
- URL: hXXp://stimul[.]rcit[.]by/images/engl/csss//Finish[.]php
- IP: 86[.]57[.]173[.]195
- Train employees about the risk of phishing campaigns impersonating government or other relief agencies, especially if hours have been cut
- Use mail security to block malicious emails
- Implement detection and response to identify the loss of PII