Welcome back to the latest edition of the Arctic Wolf COVID-19 Threat Roundup.
This series is part of how we’re helping our customers and the broader cybersecurity community during this challenging period.
This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Each month, we will summarize key cybersecurity news, organized by major themes.
Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
You can read previous roundups on our COVID-19 blog feed, highlighted with the red threat roundup banner.
Ransomware Attacks Continue
University of Utah Pays Ransomware Attackers $457,000
Attack summary: The University of Utah, a Salt Lake City educational institution with about 33,000 students, suffered a ransomware attack against its College of Social and Behavioral Science Unit servers. Attackers encrypted university data and threatened to release it. While details about the ransomware attack have not been made public, the university did mention “a specific weakness” exploited by attackers. The university paid attackers $457,000, in consultation with its cyber insurance provider.
- To prevent ransomware that exploits known vulnerabilities, consider a digital risk management solution to support vulnerability identification, management, prioritization, and patching
- To identify ransomware attacks and contain them before they can encrypt key data, implement a managed detection and response solution
Mobile Ransomware Impersonates COVID-19 Tracing App
Attack summary: Since the COVID-19 pandemic first emerged, governments have explored the possibility of using dedicated phone apps to aid in disease tracing and pandemic response. Recently, Health Canada announced such an app, COVID Alert. Malicious actors exploited this announcement to promote deceptive websites appearing to offer this app. In fact, the download contained Android ransomware.
- Train employees about the risk of malicious downloads impersonating official government apps
- Implement clear work from home device policies to prevent encryption of business information by malicious apps
Interpol Highlights LockBit Campaign
Attack summary: Interpol released a report detailing changes in cybercrime observed as a result of the COVID-19 pandemic. One of the four items highlighted in the Americas region was a LockBit ransomware campaign actively targeting medium-sized companies.
- Medium-sized companies should re-assess their security posture in light of new threats emerging during the COVID-19 pandemic.
- Initial LockBit compromises can exploit weak or known passwords and lack of MFA. Consider a digital risk management solution, strong password policies, and MFA security standards.
- LockBit automatically spreads laterally across compromised networks. Detection and response solutions can identify and contain such attacks before they can compromise and encrypt most systems.
Researchers Report Ongoing Ransomware Attacks Against Healthcare
Attack summary: Throughout the COVID-19 pandemic, cybercriminals have targeted healthcare organizations with ransomware, exploiting the strain on these organizations and their urgent need to avoid downtime and outages. Researchers report that this trend continues, with ransomware campaigns exploiting COVID-19 phishing lures. NetWalker’s shaming blog (which publishes confidential data stolen from organizations that do not pay the ransom) indicates that the most commonly targeted vertical is healthcare.
- Train employees to recognize phishing emails
- Implement mail security tools to block phishing campaigns
- Use detection and response solutions to identify ransomware that has bypassed mail security before it can propagate through systems and encrypt data
Struggling Businesses Targeted by Scams
Phishing Campaign Impersonates SBA
Attack summary: These phishing campaigns target business owners. They impersonate the US Small Business Administration (SBA), which has been responsible for government aid to businesses. The phishing emails claim that an application has been approved, and that the SBA needs to collect additional information to disburse funds. The email contains a link to a credential-theft webpage that closely imitates the real SBA login page.
- Train employees, especially business owners and leadership, about the risk of phishing campaigns impersonating the SBA
- Use mail security tools to block phishing emails with known-malicious links
- Deploy detection and response to identify password or credential leakage to phishing campaigns
Business ID Theft Exploits COVID Closures
Attack summary: In business ID theft, attackers impersonate a business to take out lines of credit, make purchases, or otherwise misappropriate funds. With so many small businesses closed temporarily or permanently during the pandemic, there has been a surge of business ID theft, where attackers acquire social security numbers or taxpayer ID numbers and make illegitimate purchases.
- Implement business credit protection policies, including periodic checks with Dun & Bradstreet and state agencies
- Use digital risk solutions to identify compromised PII on the dark web which may expose a business to greater risk of ID theft
Miscellaneous COVID Attacks
“Vishing” Targets the Remote Workforce
Attack summary: A variant on the familiar phishing attack, “voice phishing” or “vishing” campaigns use a combination of malicious phone calls and deceptive digital assets to trick a target into revealing sensitive information or credentials. In this ongoing campaign, attackers impersonate a target business’s IT department and call new hires, attempting to persuade them to provide login credentials for the VPN or other corporate resources. Once this particular group of malicious actors has access to business systems, they quickly seize any digital assets that can be converted into cash.
- Review security training procedures and update policies to include security training at the beginning of onboarding, especially remote onboarding
- Consider use of MFA solutions; physical MFA solutions (e.g., a USB key) may be especially effective at stopping these attacks
- Deploy detection and response solutions to promptly identify suspicious activity and compromised networks
Credential-Stuffing Attack Targets Canadian Government Site
Attack summary: Canada uses the GCKey portal as a single sign-on service for members of the public to access multiple Canadian government services, including COVID-19 aid. Attackers used a credential-stuffing attack to access over nine thousand GCKey accounts, and used this access to siphon away Canadian Emergency Response Benefit funds.
- Train employees about the risk of credential stuffing attacks, and the importance of using independent passwords for different services
- Use a digital risk solution to identify compromised credentials available for exploitation before they are used by attackers
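The GCKey incident illustrates why per-account lockout alone does not catch credential stuffing: each stolen username/password pair is typically tried only once, so no single account racks up many failures. The signal is instead per source: one address attempting logins for many distinct accounts in a short window, mostly failing. The following is an added example written for this roundup, not code from Arctic Wolf or from the GCKey service; it runs a simple detector of that pattern over constructed authentication log lines (the log format, addresses and usernames are invented for the example) and reports which accounts logged in successfully from a flagged source, since those are the accounts a responder would want to force a password reset on.

```python
"""Added example (not from the Arctic Wolf post): flag credential-stuffing
activity in authentication logs by looking for one source address that
attempts many distinct usernames in a short window with a high failure rate."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real service logs).
# Format assumed here: ISO-8601 timestamp, source IP, username, OK or FAIL.
SAMPLE_LOG = """\
2020-08-01T10:00:01Z 198.51.100.7 alice FAIL
2020-08-01T10:00:02Z 198.51.100.7 bob FAIL
2020-08-01T10:00:02Z 198.51.100.7 carol FAIL
2020-08-01T10:00:03Z 198.51.100.7 dave OK
2020-08-01T10:00:03Z 198.51.100.7 erin FAIL
2020-08-01T10:00:04Z 198.51.100.7 frank FAIL
2020-08-01T10:00:30Z 203.0.113.5 alice FAIL
2020-08-01T10:00:45Z 203.0.113.5 alice OK
2020-08-01T10:05:00Z 192.0.2.9 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.5):
    """Return {source_ip: summary} for every source whose login attempts,
    within any sliding window of `window`, span at least `min_users`
    distinct usernames and fail at least `min_fail_ratio` of the time.

    The summary keeps the widest qualifying window seen for that source and
    lists the usernames that logged in successfully inside it, i.e. the
    accounts that were most likely compromised by the stuffing run."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()  # chronological; tuples sort on timestamp first
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(users) < min_users or failures / len(win) < min_fail_ratio:
                continue
            if ip not in alerts or len(users) > alerts[ip]["distinct_users"]:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    # Successful logins from a stuffing source: reset these.
                    "compromised_accounts": sorted(u for _, u, ok in win if ok),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

In the sample, 198.51.100.7 tries six different usernames in three seconds with five failures, so it is flagged and `dave` is reported as the account to reset, while 203.0.113.5 (one user who mistypes once and then succeeds) is not. The thresholds are assumptions for the example; in production they would be tuned against the service's normal traffic, and the same logic extends naturally to other keys such as a shared User-Agent or autonomous system when attackers rotate addresses.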
Phishing Attacks Imitate Amazon, Google
Attack summary: Phishing campaigns often exploit familiar themes or categories of themes to manipulate targets into clicking on links or divulging personal information. In particular, many phishing campaigns impersonate familiar brands or organizations. Researchers have found that over the course of the pandemic, Amazon and Google have become the most commonly imitated brands, likely because of Amazon’s role in at-home deliveries and Google’s support for remote work.
- Train employees about the ongoing risk of phishing campaigns opportunistically impersonating major corporations and key pandemic services
- Use email security tools to identify and block suspicious emails
- Use detection and response solutions to identify credential loss or other phishing compromise