Welcome back to another edition of the Arctic Wolf COVID-19 Weekly Threat Roundup.
This ongoing series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period.
This news is designed to help your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Every Friday we'll summarize key cybersecurity news for the week, organized by major themes.
Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
Check out previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.
1. COVID Phishing Updates
Phishing Campaign Impersonates UK Government, Uses Dropbox
Attack summary: In this campaign, attackers impersonate the UK government’s Small Business Grants Fund. They target business owners with an email purporting to deliver a PDF regarding relief payments. The link leads to a Dropbox page, which in turn leads to a fake Office 365 login page, which steals the target’s credentials.
- Employees (including management and owners) should be warned of the risk of phishing campaigns impersonating expected emails
- Train employees not to log in through suspicious, multi-step links
- Use account takeover risk solutions to identify compromised credentials available for sale online
- Use detection and response tools to identify active compromises of business accounts and malicious activity
Phishing Campaign Impersonates Zoom Invite
Attack summary: In this campaign, targets receive an email that contains a vague invitation to a Zoom meeting. Attackers registered lookalike domains that resemble a legitimate Zoom link with strategic misspellings—zoomcommuncations[.]com/ or zoomvideoconfrence[.]com/. When targets click the link to “REVIEW INVITATION” they are shuttled through several obscuring redirects to a phishing page hosted on Azure, which then attempts to harvest their Office 365 credentials.
- Update mail, network, and endpoint security with latest IOCs to identify and block phishing attacks
- Use detection and response solutions to identify when user credentials have been transmitted to attackers
COVID-Related Filenames Continue for Malware
Attack summary: As the initial surge of attention to the COVID-19 pandemic has abated, phishing campaigns and other attacks have pivoted back to more traditional themes, such as fake financial emails, business communications, or package deliveries. However, even these traditional campaigns continue to contain COVID-19 elements, such as COVID-19-related filenames for malicious attachments. Researchers have identified COVID-related filenames for malicious software including GuLoader and Agent Tesla in recent campaigns, for example:
- distribucija zaštitne opreme covid-19 (ministarstvo zdravlja srbije) 2020 (136 kb)
- covid-19 testing kits.xls.exe
- Update endpoint security to block known malware strains
- Train employees about the ongoing risk of COVID-related phishing and malware
- Deploy detection and response solutions to rapidly identify systems compromised by malware, enabling effective response and remediation
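The Zoom lookalike domains and the double-extension attachment names quoted above are both cheap to screen for automatically. The following Python snippet is an added example (not Arctic Wolf's tooling): it refangs the defanged indicators from this roundup, flags hosts that carry the Zoom brand without belonging to an assumed allowlist of legitimate Zoom domains, and flags attachment names that hide an executable behind a document extension. The allowlist, extension sets and similarity threshold are assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed allowlist of legitimate Zoom domains (constructed for this example).
LEGIT_DOMAINS = {"zoom.us", "zoom.com"}
BRAND = "zoom"
# Final extensions that should never arrive disguised as a document (assumed set).
EXEC_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "pif"}
DOC_EXT = {"xls", "xlsx", "doc", "docx", "pdf", "txt"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as zoom[.]us or hxxp://... into a bare hostname."""
    host = ioc.lower().replace("[.]", ".").replace("hxxp", "http")
    host = re.sub(r"^https?://", "", host)
    return host.split("/")[0]


def is_lookalike(ioc: str, threshold: float = 0.85) -> bool:
    """True when the host carries or closely resembles the brand but is not allowlisted."""
    host = refang(ioc)
    if host in LEGIT_DOMAINS or host.endswith(tuple("." + d for d in LEGIT_DOMAINS)):
        return False
    # Registrable label: "zoomcommuncations" in zoomcommuncations.com
    label = host.split(".")[-2] if "." in host else host
    if BRAND in label:
        return True
    return SequenceMatcher(None, BRAND, label).ratio() >= threshold


def attachment_flags(name: str) -> list:
    """Return the reasons an attachment name matches the lures described above."""
    parts = name.lower().rsplit(".", 2)
    flags = []
    # "covid-19 testing kits.xls.exe" -> ["covid-19 testing kits", "xls", "exe"]
    if len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in EXEC_EXT:
        flags.append("double-extension executable")
    elif len(parts) >= 2 and parts[-1] in EXEC_EXT:
        flags.append("executable attachment")
    if re.search(r"covid|corona", name, re.I):
        flags.append("covid-themed name")
    return flags


if __name__ == "__main__":
    for ioc in ["zoomcommuncations[.]com/", "zoomvideoconfrence[.]com/", "zoom.us"]:
        print(refang(ioc), "lookalike" if is_lookalike(ioc) else "ok")
    print(attachment_flags("covid-19 testing kits.xls.exe"))
```

Feeding mail-gateway URL and attachment logs through these two functions gives a quick triage signal; exact-match blocking still needs the current IOC feed the recommendations call for.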
COVID Phishing May Have Driven Overall Phishing Spike
Attack summary: The COVID-19 pandemic led to a dramatic rise in COVID-related phishing campaigns. However, defenders may have wondered: was COVID-19 phishing merely substitutive, or did it drive an increase in overall phishing? Researchers reviewing phishing trends over the past several years found a dramatic rise in phishing campaigns from Q4 2019 to Q1 2020 (growth of over 85%), which they attribute in part to more sophisticated phishing kit availability, and in part to COVID-19 phishing themes.
- Organizations should prioritize security solutions applicable to phishing, including mail security, employee training, and detection and response
2. Health Institutions Targeted
German PPE Ecosystem Under Attack
Attack summary: This campaign targeted over one hundred high-ranking executives at a German corporation responsible for PPE procurement and related organizations. Attackers used advanced techniques to redirect individual targets to attacker-controlled login pages designed to steal Microsoft credentials. It is unclear how many accounts were compromised, and the attack campaign is still ongoing. The scale and sophistication of the attack indicate either a highly organized criminal group or state-sponsored actors.
- Organizations involved with coronavirus-related procurement, even tangentially, should strengthen their security posture
- Consider detection and response solutions to identify advanced persistent threats, regardless of attack vector used
- Employ risk management solutions to identify and prioritize vulnerabilities most likely to be exploited by sophisticated attackers
NetWalker Ransomware Continues to Hit Medical Targets
Attack summary: In light of the COVID-19 pandemic, many threat actors reduced or delayed attacks against medical organizations. However, NetWalker, a ransomware strain typically delivered through malicious attachments or trojanized applications, continues to attack medical facilities. Attackers will also publish stolen data as a further means of leverage against targets.
- Update endpoint security with hashes and IOCs to block ransomware
- Use detection and response solutions to identify ransomware attacks in progress and respond before key systems are encrypted or key data is stolen