COVID-19 Cyber Risk Observations by Secuvant’s SOC Team
Apr 05, 2020
As the COVID-19 pandemic continues to disrupt the operations of businesses worldwide, we continue to monitor the cyber security and risk management landscape to stay ahead of changes in attack strategies from bad actors. Secuvant’s SOC team has been detecting and responding to cyber activity including: activity from different source countries, an uptick in alerts and blocked URLs, new and suspicious domains, and attack vectors such as emails carrying viruses, infected movie files, compromised PDFs, malicious URLs, spyware, and spam.
In this SOC update, we have outlined by week the activities and threats the SOC team is monitoring that your business should be prepared for.
April 2, 2020 SOC Update:
In the first days of April we are following credit card skimming on the rise with consumer shopping, new coronavirus-themed malware that locks users out of Windows, more COVID-19 campaigns coming to light, and BEC scams that use the pandemic as an intrusion vector by posing as a legitimate co-worker sharing the latest COVID-19 information. Nearly 68% of spam email uses COVID-19 as its initial infection vector. Information about possible vaccinations offers false hope to unsuspecting recipients. Most of these emails are written in languages other than English, for instance Italian and Portuguese, or the languages of areas hit hardest by the pandemic. They can carry malicious attachments, including documents containing malware, malicious macros, and trojans.
March 27, 2020 SOC Update: 3 New COVID-19 Threats
Three new COVID-19 campaigns have been released as phishing tactics against users and businesses. The first involves a targeted phishing email that attempts to lead the victim into disclosing Office365 credentials by clicking a link to a malicious website disguised as a document. The email sets a timeline for retrieving the documents, in an effort to pressure the user into clicking the link to get the information inside.
The second campaign involves another email from a spoofed account claiming to be a U.S. biotech firm. The email states the firm is bypassing government agencies in order to provide the latest on a COVID-19 vaccine. The email contains an email address the victim is asked to contact to obtain the information. This type of tactic is typically used to obtain money or personally identifiable information.
The third campaign resembles the second in that it requires interaction with the actor in order to obtain vaccination information. Several indicators stand out: the sender’s display name does not match the sender’s email address; the reply-to address carries yet another name; and the name used within the email body matches none of the others.
Under the cover of helpful COVID-19 information and applications, threat actors are taking advantage of panic in order to infect the general public with malware. Analyzing the Cerberus malware, Avira researchers have broken down how it works, its target set, and its Indicators of Compromise.
Cerberus is a banking trojan being distributed under the disguise of a coronavirus application. Using the URL http://corona-apps.com/Corona-Apps.apk, threat actors have created a blank page that installs an application with seemingly no content. The user receives a warning about potential harm from the application being installed.
Additionally, a vulnerable WordPress plugin is allowing threat actors to distribute malicious coronavirus plugins, as reported by BleepingComputer. Threat actors behind the WP-VCD backdoor malware have modified versions of coronavirus plugins that give backdoor access to vulnerable websites; the malware also compromises other sites on the same shared host and contacts its C2 to receive instructions for execution. The plugins display pop-ups and perform redirects in order to generate revenue. Flagged as Trojan.WordPress.Backdoor.A on VirusTotal, the malware was analyzed by MalwareHunterTeam. Contained within a zip file is a COVID-19 Coronavirus Live Map, a pirated version of a legitimate, commercially available plugin. The plugin gains persistence by appending code to a PHP file so it is loaded every time a page is loaded.
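The persistence step described above (code appended to a PHP file that WordPress includes on every page load) is exactly what a file-integrity baseline catches. The following is an added example, not code from Secuvant or from the BleepingComputer report: it hashes every .php file under a site root, stores the result as a baseline, and later reports files that were modified, added, or removed. The demo() function builds a constructed site tree in a temporary directory and simulates the append with a harmless comment line; all paths and file contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every .php file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_of(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Report PHP files that changed, appeared, or vanished since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, text):
    """Create a file (and its parent directories) below root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Simulate the persistence technique on a constructed site tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed site: a theme file loaded on every request and one plugin file.
        _write(root, "wp-content/themes/site/functions.php", "<?php\n// constructed theme functions\n")
        _write(root, "wp-content/plugins/live-map/map.php", "<?php\n// constructed map plugin\n")
        baseline = build_baseline(root)

        # Constructed simulation of the technique: something is appended to a file
        # WordPress includes on every page load. The appended text is only a comment.
        with open(os.path.join(root, "wp-content/themes/site/functions.php"), "a") as f:
            f.write("/* constructed: simulated appended loader */\n")
        # A dropped file that was not present when the baseline was taken.
        _write(root, "wp-content/plugins/live-map/extra.php", "<?php\n// constructed dropped file\n")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken right after a clean install or update and stored off the web host, since malware with write access to the site can also rewrite a baseline kept beside it.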
March 23, 2020 SOC Update:
Netwalker, a new ransomware with a coronavirus theme, is delivered by a phishing campaign that uses an attachment named “CORONAVIRUS_COVID-19.vbs” containing an embedded Netwalker ransomware executable and obfuscated code to extract and launch it on the user’s computer. Another phishing sample uses the email subject “Corona Virus Latest Updates” and claims to come from the Ministry of Health. It contains recommendations on how to prevent infection and provides an attachment that supposedly contains the latest updates on COVID-19 but actually carries malware.
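The header indicators from the third campaign in the March 27 update (display name not matching the sender address, a reply-to under yet another name, a body signed by someone else again) and the script attachment from the Netwalker campaign above can all be checked with the same mail-triage routine. The following is an added example written for this page, not code from Secuvant or from any of the cited researchers: it parses a raw message with Python's standard email library and returns the list of indicators it finds. The two sample messages, the domains in them, the extension list, and the signature heuristic (last non-empty line of the body) are all constructed assumptions for the demonstration.

```python
import email
import os
import re
from email import policy

# Attachment extensions that run as scripts or executables when opened; the
# Netwalker campaign used a .vbs attachment carrying the ransomware executable.
SUSPICIOUS_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr", ".ps1"}


def name_tokens(text):
    """Lower-cased word tokens of a display name or mailbox local part (3+ letters)."""
    return {t for t in re.split(r"[^a-z]+", (text or "").lower()) if len(t) > 2}


def first_address(header):
    """(display name, lower-cased addr-spec) of the first mailbox in an address header."""
    if header is None or not header.addresses:
        return "", ""
    mailbox = header.addresses[0]
    return mailbox.display_name, mailbox.addr_spec.lower()


def triage_message(raw):
    """Return a list of indicator strings found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = first_address(msg["From"])
    local_part = from_addr.split("@")[0]

    # Indicator 1: the display name shares nothing with the mailbox it claims to be.
    if from_name and not (name_tokens(from_name) & name_tokens(local_part)):
        findings.append(f"display name '{from_name}' does not match address {from_addr}")

    # Indicator 2: replies are routed to a different mailbox than the sender.
    _reply_name, reply_addr = first_address(msg["Reply-To"])
    if reply_addr and reply_addr != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # Indicator 3: the name signing the body is yet another identity.
    # Heuristic: treat the last non-empty body line as the signature.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and from_name:
        lines = [ln.strip() for ln in body.get_content().splitlines() if ln.strip()]
        if lines and not (name_tokens(lines[-1]) & name_tokens(from_name)):
            findings.append(f"signature '{lines[-1]}' does not match display name '{from_name}'")

    # Indicator 4: a script or executable attachment.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in SUSPICIOUS_EXTENSIONS:
            findings.append(f"script/executable attachment {filename}")

    return findings


# Constructed sample reproducing all four indicators (not a real campaign sample).
SUSPICIOUS_SAMPLE = """From: "Dr. Maria Lopez" <j.smith@example.test>
Reply-To: "Vaccine Desk" <info@attacker.example>
To: staff@corp.example
Subject: Latest COVID-19 vaccine information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/plain; charset="us-ascii"

Please find the latest vaccine information in the attached update.

Regards,
Thomas Weber
--bnd1
Content-Type: application/octet-stream; name="CORONAVIRUS_COVID-19.vbs"
Content-Disposition: attachment; filename="CORONAVIRUS_COVID-19.vbs"

' constructed placeholder, not a real script
--bnd1--
"""

# Constructed benign sample: consistent identity, no reply-to, no attachment.
BENIGN_SAMPLE = """From: "Jane Smith" <jane.smith@corp.example>
To: staff@corp.example
Subject: Team meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Notes from today's meeting are in the shared folder.

Thanks,
Jane
"""

if __name__ == "__main__":
    for finding in triage_message(SUSPICIOUS_SAMPLE):
        print("-", finding)
```

Any single indicator has benign explanations (shared mailboxes, ticketing systems that set Reply-To), so this is a scoring aid for a mail gateway or SOC triage queue rather than a block rule; the attachment check is the one most teams enforce outright.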
March 17, 2020 SOC Update:
A fake COVID-19 tracker app for Android phones installs ransomware called CovidLock on the user’s phone, blocking access past the lock screen.
As always, the Secuvant SOC team will continue to detect, prevent, and protect our clients, and to inform the general public about new cyber attack strategies introduced by hackers taking advantage of the COVID-19 pandemic. If you have any questions on how best to protect your business during this challenging time, please contact one of our security professionals at firstname.lastname@example.org or 855-732-8826.