COVID-19 Attacks – Defending Your Organization

Overview

The Coronavirus 2019 (COVID-19) global pandemic has caused widespread fear of the unknown and deadly aspects of this novel virus, generated growth in certain industries to combat it, and created a shift toward remote work environments to slow the spread of the disease. 

Defending Your Organization Against COVID-19 Cyber Attacks. In this webinar, AJ, and I describe COVID-19 attacks in January through March, the groups behind them, and key MITRE ATT&CK techniques being employed. We then discuss ways an organization can keep themselves safe from these types of attacks.

Pandemic Background

COVID-19 is a pandemic viral respiratory disease, originally identified in Wuhan, China in December 2019. At the time of the webinar, it had infected around 1.5 million people worldwide. Within the first month, cyber actors capitalized on the opportunity. 

COVID Attack Timeline

December 2019 - January 2020

At the end of December 2019, China alerted the World Health Organization (WHO) that there was an outbreak in Wuhan, China.

Within a month, the first cyber events were being recorded. Around January 31, 2020, malicious emails (T1566.001) using the Emotet malware (S0367) and a phishing campaign (T1566.001) using LokiBot (S0447) were tied to TA542 alias Mummy Spider. Emotet, in particular, was prolific. It originally started as a banking Trojan, then evolved into a delivery mechanism for an initial payload that infected systems to download additional malware families such as TrickBot (S0266). Around this same time, there was a marked increase in the registration of domain names with COVID-19 naming conventions, a key indicator of an uptick in phishing campaigns.

February 2020

In early February, the progression of adversaries using uncertainty about and thirst for information regarding the COVID-19 pandemic became apparent. New malware variants and malware families were reported employing coronavirus related content, including NanoCore RAT (S0336) and Parallax RAT, a newer remote-access Trojan, to infect unsuspecting users. Throughout February, cybercrime actors launched several phishing campaigns (T1566.001) to deliver information stealer AZORult (S0344).

With worldwide government health agencies giving advice on cyber and physical health, threat actors aligned with nation-states such as Russia (Hades APT), China (Mustang Panda), and North Korea (Kimsuky - G0094) used this messaging to lure individuals to download and/or execute malicious files disguised as legitimate documents. These state-sponsored groups used convincing lures to impersonate organizations such as the United Nations (UN), the World Health Organization (WHO), and various public health government agencies to achieve short- and long-term national objectives.

March 2020

In March, we observed a flurry of nation-state and cybercrime attributed malicious activity seeking to exploit the COVID-19 pandemic. Cybercrime actors distributed a range of malware families, including NanoCore (S0336), AgentTesla (S0331), LokiBot (S0447), TrickBot (S0266), Kpot, Hawkeye, AZORult (S0344), and RedLine Stealer - new malware at the time - attempting to exploit unsuspecting users. These campaigns used a variety of delivery methods such as spam or phishing emails, Smishing, rogue mobile applications, or malicious websites. The lures sought to entice recipients to engage with the malicious content by impersonating legitimate healthcare related organizations offering guidance on pandemic response and defense or financial relief. Notable financially-motivated actors, TA505 (G0092) alias Graceful Spider and TA564, delivered Get2 loader (S0460) or the Ursnif banking Trojan (S0386) using pandemic safety measures- or information updates-themed phishing emails. 

Around this time, ransomware operators became more visible in abusing the COVID-19 pandemic to their advantage. With most people working remotely, information received through unfamiliar sources generally increased and it became harder for email users to distinguish between legitimate and malicious documents. Notably, several NetWalker ransomware (S0457) incidents reportedly targeted US- and Europe-based hospitals and an Australian transportation company. Generally, ransomware operators commonly take advantage of security weaknesses in Internet-connected systems (T1190) and social engineering attacks such as phishing emails to infect their targets. The indiscriminate targeting by ransomware operators especially against hospitals continues to be a significant concern as the disruptions of systems could result in interruptions in patient care and possible loss of life at a time when medical facilities continue to be overwhelmed with cases.

We also observed a continuation of advanced persistent threat (APT) groups utilizing Coronavirus-themed lures in their campaigns, including but not limited to China-affiliated operations attributed to Mustang Panda and Vicious Panda. Mustang Panda utilized malicious shortcut files (LNK) to drop decoy documents related to COVID-19 to target Taiwan and Vietnam. Vicious Panda reportedly targeted the Mongolian public sector leveraging faux RTF documents that exploited Microsoft Word vulnerabilities to deliver a previously unknown malware implant. Additionally, we observed two other nation-state groups - Pakistan-based APT36 target the government of India and Korea-based Higaisia likely targeting English-speaking individuals and entities - launch campaigns. APT36 used spear phishing emails embedded with a malicious hyperlink (T1566.002) to convince their targets to download a COVID-19-related lure document that dropped the Crimson RAT (S0115) when executed. Meanwhile, Higaisia sent out lure documents, dropped by a malicious .lnk file, downloaded from the WHO website. The .lnk file used a multi stage process to deliver a decoy PDF document and the final payload PlugX (S0013).

MITRE ATT&CK

With greater protection measures being put into place by the target entities, threat actors were observed creating tactics to evade those defenses. Of the 56 identified ATT&CK techniques identified in this timeframe, the most common tactic employed was Defense Evasion (TA0005), observed in a quarter of all COVID-19 related attacks. During this period, the most common observed technique was Software Discovery: Security Software Discovery (T1518.001). As a technique, Defense Evasion is defined as avoiding detection by hiding in trusted processes, obfuscating malicious scripts, and disabling security software. The next most common tactic, Discovery (TA0007), involves knowledge of a victim network or host.

Overall, the most common technique for obtaining an initial foothold in targeted environments (TA0001)  was Phishing: Spearphishing Attachment (T1566.001) observed in 17% of reported attacks. This indicates a strong call for training the workforce to discern a legitimate document from one that is potentially malicious.

Protecting the Enterprise

Anomali continues to assess that cybercrime and nation-state threat actors will exploit COVID-19 themes for the remainder of the year and well into the new year. We expect that as the pandemic evolves, threat actors will shift and seize on thematic attacks on the latest COVID-19 messaging such as financial relief and vaccine development and availability. The below recommendations offers general guidance on securing your environment against COVID-19 related attacks:

  • Educate the workforce – As we move into a greater remote workforce, it becomes essential to educate workers on spotting, identifying, and reporting any suspicious emails, or SMS text messaging or submission. 
  • Email authentication protocols – Publish DNS records with strict policies for SPF (-all), DKIM (RSA key pair >1024 bits), DMARC [p=quarantine].
  • Multi-factor Authentication (MFA) – As the next line of defense, MFA reduces the likelihood of being fully compromised.
  • Patch and update applications – Because of the remote workforce, the corporate footprint is now much larger and it is vital to patch and update applications both in the home and enterprise environments. 
  • Network segregation – Enforcing network segregation policy will help isolate any unpatchable, at-risk, high-value assets.
  • Monitor sources of threat information – Monitoring internal commercial and open source intelligence sources and then tagging specific consumables that are COVID-19 related allows the organization to quickly identify campaigns or attacks. 
  • Investigate COVID-19 TTPs – Tracking COVID-19 related threats enables the identification of how an attack happened and if the appropriate security controls are enabled. This data can serve as a business justification for security investments that counter COVID-19 threats.

Topics:

Cyber Threat Intelligence

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.