
COVID Threat Roundup: September 2020

The COVID Threat Roundup series provides information designed to help you and your team further defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Each month, we've been summarizing key cybersecurity news, organized by major themes.  
Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.     
You can read previous roundups on our COVID-19 blog feed.

1. Reopening Schools Targeted by Ransomware, Other Cyberattacks 

Ransomware Delays Hartford Schools Start Date 

Attack summary: Shortly before its scheduled reopening, attackers used ransomware to disable key IT systems across the Hartford School District. Although the malware specified that it was ransomware, the district received no specific ransom request, and opted to delay school and begin recovery activities rather than communicate with the attackers.  
  • Ransomware attacks typically use malicious emails, known vulnerabilities, or misconfigured remote access protocols to compromise systems. Implement mail security, and vulnerability and configuration management solutions to mitigate these areas of risk
  • Use detection and response solutions to identify systems compromised by ransomware before attackers have the opportunity to move laterally and compromise additional systems

Fairfax, Clark Counties School Data Encrypted, Leaked 

Attack summary: Fairfax County Public Schools in Virginia, the 10th largest school district in the US, revealed that some district systems have been compromised by ransomware. Although district officials did not reveal the ransomware strain, the Maze ransomware group claimed credit for the attack and already released some data said to be stolen from the district. The Clark County School District in Las Vegas experienced a similar attack.  
SHA 256 hashes
  • 19aaa6c900a5642941d4ebc309433e783befa4cccd1a5af8c86f6e257bf0a72e 
  • 6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13 
  • 9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1 
  • 50db9229db2f37a7eb5368308de3aafcea0fd217c614daedb7f334292d801e 
  • The Maze ransomware group is known to use Flash vulnerabilities, the RDP protocol, and emails impersonating government agencies to distribute the ransomware
  • Use vulnerability and configuration management tools to prevent ransomware attackers from accessing systems
  • Train employees about the risk of malicious emails, including those from senders impersonating government agencies
  • Deploy a detection and response solution to identify ransomware attacks before they can encrypt key systems or exfiltrate sensitive data

2. Hospitals Hit With Ransomware 

Universal Health Services hospitals hit by nationwide Ryuk attack

Attack summary: UHS, a hospital and healthcare services provider with over 400 locations in the US and UK, was hit with a ransomware attack that affected key medical systems, including radiology, EKGs, and other equipment, at sites across the country. The timing and appearance of the attack, including messages on the ransom screen and the .ryk file extension used by the malicious software, strongly suggest that the Ryuk ransomware strain was used. Security researchers believe that UHS was originally compromised by a phishing campaign delivering the Emotet trojan. 
  • Train employees about the risks of malicious attachments in email systems 
  • Update mail security with the latest threat intelligence 
  • Implement detection and response solutions to identify ransomware before it can spread laterally across IT systems 

University Hospital of New Jersey attacked by SunCrypt 

Attack summary: SunCrypt, a ransomware organization active since the fall of 2019, leaked sensitive patient information exfiltrated from UHNJ in a September ransomware attack. The initial vector of compromise for the UHNJ network may have been a TrickBot trojan. 
  • TrickBot is typically spread via spam campaigns and exploitation of known vulnerabilities. In addition to mail security and training, implement a vulnerability management solution and patching cadence to reduce exposure to TrickBot. 
  • Consider detection and response solutions to identify systems compromised by trojans before they can be used to deploy ransomware. 

3. COVID Phishing Updates 

Medical supplies phishing campaign delivers Agent Tesla malware 

Attack summary: In this phishing campaign, malicious actors purport to be suppliers of medical equipment relevant to the COVID-19 pandemic, including facemasks and thermometers, and impersonate real employees at various companies. They encourage targets to download a file. 
Attachment: Supplier-Face Mask Forehead Thermometer.pdf.gz  
  • MD5: fdfaaf9efb8507262ee9b97324bbb69a 
  • SHA1: 846da85a2f2e6e79ebc7ed84b00ed97af513c80f 
  • SHA256: b419849ce915ede72fda1ea0b566651e233ef5eaffbf8b9211bd44085407ad5e 
Executable: Supplier-Face Mask Forehead Thermometer.pdf.exe 
  • MD5: 64bc654373549584f7e596de24e1d8cc 
  • SHA1: 6a39bd3ddaa2c9846e2a4912a80fd718eaee622f 
  • SHA256: 53445247552485c277400bafba84458670f0c1001c91b4f0bcc15935c12d662b  
Command and Control Server: us2[.]smtp[.]mailhostbox[.]com 
  • Train employees about the risk of COVID-related phishing campaigns, including those which offer valuable supplies 
  • Use mail-security tools to identify and block emails from malicious senders 
  • Use detection and response solutions to swiftly discover and effectively contain malware that has compromised systems  
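
The indicators above name an attachment ending in `.pdf.gz` and an executable ending in `.pdf.exe`. As an added example (not part of the original roundup), the Python code below shows one way a mail filter could flag a document extension followed by an executable one, both in the attachment name and in the file name stored in a gzip header. The extension lists and function names are assumptions of this example, and the sample archive is constructed in memory.

```python
import gzip
import io
import struct

# Illustrative lists, not exhaustive (assumptions of this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def is_decoy_executable(name):
    """True for names like 'invoice.pdf.exe': document extension, then executable one."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[1] in DECOY_EXTS
            and "." + parts[2] in EXECUTABLE_EXTS)

def gzip_member_name(data):
    """Return the original file name stored in a gzip header (RFC 1952 FNAME), or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        return None  # too short or not gzip
    flags, pos = data[3], 10
    if flags & 0x04:  # FEXTRA: skip the length-prefixed extra field
        if pos + 2 > len(data):
            return None
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x08:  # FNAME bit not set, no stored name
        return None
    end = data.find(b"\x00", pos)  # the name is NUL-terminated
    return data[pos:end].decode("latin-1") if end != -1 else None

def triage_attachment(filename, payload):
    """Return reasons to quarantine an attachment; an empty list means none found."""
    reasons = []
    if is_decoy_executable(filename):
        reasons.append("attachment name hides an executable extension")
    inner = gzip_member_name(payload)
    if inner and is_decoy_executable(inner):
        reasons.append("gzip member '%s' hides an executable extension" % inner)
    return reasons

def make_gzip(inner_name, content=b"constructed sample bytes"):
    """Build a gzip blob in memory with the given stored file name (test data only)."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: harmless bytes stored under the file name listed on this page.
    sample = make_gzip("Supplier-Face Mask Forehead Thermometer.pdf.exe")
    print(triage_attachment("Supplier-Face Mask Forehead Thermometer.pdf.gz", sample))
```

A gzip header's stored name is optional and sender-controlled, so a filter should treat a clean result here as the absence of one signal, not as a verdict on the payload.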

PPE Phishing 

Sepulcher Trojan Campaigns Impersonating the WHO Continue  

Attack summary: In these phishing campaigns, malicious actors impersonate the WHO and purport to offer updated technical or geographic guidance regarding the COVID-19 pandemic. However, the emails actually deliver the Sepulcher remote access trojan.
  • Train employees about the risk of COVID-related phishing campaigns, including those that purport to offer important medical or public health updates 
  • Use mail security to block, and detection and response solutions to discover, malicious attachments and applications 

4. Miscellaneous COVID-Related Threats Update 

Pandemic Drives Dark Web Sales of Delivery Service Accounts 

Attack summary: Security researchers regularly evaluate the price of various compromised accounts for sale on the dark web. The most recent reports show that delivery service accounts such as Instacart, Drizly, and DoorDash are now for sale and highly valued. This represents a dramatic change from before the COVID-19 pandemic, when such accounts were typically not sold on the dark web.
  • Train employees about the risk of compromise for their personal delivery services 
  • Use account takeover risk solutions to identify any compromised credentials that may be used for both personal and business accounts