How safe and secure are your company assets and remote workforce? As with many disadvantageous situations, cyber attackers are exploiting COVID-19 to undermine your security via phishing, ransomware, and disinformation campaigns. It is imperative to stay ever more aware and vigilant of cyber attackers’ activities.
The Fidelis Cybersecurity Threat Research Team (TRT) monitors and tracks emerging and evolving threats and Fidelis uses the threat intelligence they develop to generate new policies, detections, and rules for our Network, Endpoint, and Deception products. This ensures that our customers’ networks remain protected as cyber threats continue to evolve. Our Sr. Intelligence Analyst from the Threat Research Team joins us in this podcast to discuss malware during the time of COVID-19 and how cyber attackers are taking advantage of the pandemic’s turmoil. Listen now to learn about:
- Attacker objectives and activities
- Reported ransomware strains
- Examples of advanced threats and attack campaigns against certain industries and countries
Welcome to the Fidelis Cybersecurity Threat Geek podcast, where we’re joined today by our Sr. Intelligence Analyst from the Threat Research Team. We’ll be discussing malware during the time of COVID-19, and how cyber attackers are taking advantage of the turmoil the pandemic has created.
Attackers always seize on current events as a way to distribute malware – are we seeing any evidence of that with the current situation surrounding COVID-19?
Yes, absolutely, as with any major event. And we are seeing these on a daily basis now. We’ve seen external reporting and samples of phishing lures and malware leveraging COVID-19 going back to February 2020, but over the last few weeks it has become more prominent. These adversaries are leveraging public fear, curiosity, and concern as we continue to be hit with information overload on this situation. People are naturally going to be vulnerable at a time like this, and this affects people globally, rather than just being a community or national issue.
Have we been able to identify attacker objectives?
The intent of many of these campaigns is no different than before. Ransomware operators are holding corporate files and information hostage, with the recently adopted data-leak kicker where not only are files encrypted for ransom, but the adversaries are threatening to leak sensitive information if not paid. As with other commodity malware, we are seeing typical spyware and credential-stealing attempts.
One of the ever-present malware fears for organizations is ransomware. Have we observed increased ransomware activity, and if so, is it related to any known strains?
Reports of ransomware incidents have been high since the middle of last year as more strains and affiliate programs have been introduced. While we don’t track specific numbers, we do see reporting by researchers of ransomware groups, such as REvil (aka Sodinokibi), leveraging this topic, as well as a recently reported “Coronavirus Ransomware” strain.
Are we seeing this activity being targeted towards specific industries more than others, say the healthcare or financial industries?
Definitely the healthcare industry. The operators behind these campaigns have a special place in hell reserved for them; I hope they arrive there soon. They seem to have specifically shifted efforts against the healthcare industry, with hospitals, research, and biotech firms being impacted by ransomware and having files encrypted with the threat of data leakage. This is a vulnerable and critical time for this industry, and the potential to react hastily is greater. What was even more interesting, and for some reason duped many people in our own industry, is that these ransomware operators and affiliate program owners dastardly put out a message last week stating they would hold off from demanding any ransom payment during this crisis, but within days it was observed that they went back on their word. I’m quite surprised many folks were shocked about this.
However, in a previous analysis we presented in our weekly report, our Threat Research Team also assessed that, in addition to the healthcare industry, which is most vulnerable, other industries at high risk from a severe cyberattack include local and federal government, transportation, and retail, as these industries play a key role in response and relief efforts, not only directly in the fight against the virus’s outbreak, but also to maintain some level of civil order by keeping supply lines open and products available.
Do you see a specific regional or geographic center as these attacks are being disseminated?
Not at this time, and geographic interests can likely change. Each country and government is responding to the situation, so it’s all up in the air.
Are attackers strictly leveraging current events to distribute malware, or are we seeing larger disinformation and phishing campaigns as well?
There have been reports of fake, troll accounts on social media designed to spread disinformation on this virus, many of them seeming to be Chinese-language accounts or accounts for people of Chinese descent; however, the operators behind these accounts are unknown.
In the real, physical world, the use of disinformation and psyops has actually been observed resulting in social disruption. One example was an event in Ukraine that occurred in February. A spoofed email purporting to come from Ukraine’s health ministry was sent to all recipients in the Ministry of Health’s contact list, claiming that there were five (5) confirmed cases of COVID-19 in the country. This email was sent the same day that evacuees from China arrived in the country. The news circulated and resulted in panic and violence in a small town where the evacuees arrived. It is not confirmed which group or adversary was involved in this; however, the Security Service of Ukraine did state that the email originated from outside of the country.
With phishing scams and malware dominating the COVID-19 threat landscape, how will this attack vector continue to evolve?
Phishing lures will always be a staple for threat activity. However, it’s not just limited to phishing. Unkosher mobile apps and websites (peddled via social media) claiming to provide real information or alleged solutions are also leveraged to deliver spyware onto victims’ devices. These tactics can be used by criminals as well as by oppressive governments keeping tabs on individuals they deem a person of interest.
What best practices should security organizations observe given the situation, and what steps has TRT specifically taken to protect Fidelis customers?
Fidelis currently has detections in place for its customers to detect many strains of commodity malware, ransomware behavior, and vulnerability exploit attempts. These include many of the observed threats like AZORult, Hawkeye, Emotet, Netwire, REvil, and other ransomware strains based on popular endpoint behaviors, as well as older and popular vulnerabilities leveraged in some of these attacks. Our team actually published an informative technical blog on Netwire a few months ago. TRT currently advises using the same operational security and vigilant protocol when dealing with suspicious emails: not opening any attachments or clicking on links sent by unknown or suspicious senders, and reporting any suspicious activity to your organization’s IT or information security department. Given the current situation, along with the information-overload environment that this event has created, it is crucial to ensure that well-known and reputable sources are used for any information and updates.
Have we seen any evidence of nation-state sponsored activity?
It would be quite surprising if we had NOT seen any activity tied to suspected nation-state groups. According to research, nation-state groups believed to be leveraging the COVID-19 topic are reported to be associated with Russia, North Korea, and China, and have been observed targeting organizations and victims in several countries like Vietnam, South Korea, Mongolia, and Ukraine. The adversary group associated with Chinese activity, Vicious Panda, was reported to exploit the “equation editor vulnerabilities” in Microsoft Word as part of the recent COVID-19-themed campaign. One of the most popular and still-exploited Equation Editor vulnerabilities is CVE-2017-11882; however, this wasn’t specifically mentioned in the findings.
This has been very insightful, thank you so much for joining us today.