COVID-19 Cyber Situation Update – 31 March

Despite increasingly stringent measures being taken to slow the outbreak, both in UK hospitals and wider society, the number of cases continues to grow. Hospitals in the UK have cancelled all non-urgent operations for at least three months. Patients considered fit enough to leave have been sent home, and approximately 10,000 extra beds have been sourced from the private sector to ease pressure on NHS services. [1] Despite these measures, NHS resources are under severe strain and thousands more deaths are anticipated. It is difficult to forecast accurately the medium- to long-term impact of the pandemic.

The economic damage, however, both in the short and longer-term, is likely to be significant. The prices of oil, gold and other commodities have plummeted. Airlines and holiday agents have borne the brunt of travel restrictions. Thousands of flights have been cancelled, stranding up to a million Britons abroad. On 30 March, the UK government announced it would be committing £75m to help repatriate those that couldn’t secure a flight home. [2] COVID-19 is going to be massively disruptive for all sectors for the foreseeable future.

As the outbreak escalates, we are witnessing a significant uptick in cyberattacks exploiting the fear of coronavirus to compromise victims. Most sectors have been targeted, including government, manufacturing, pharmaceuticals and healthcare organisations. Employees working remotely for the first time have compounded the risk. In response, the National Cyber Security Centre (NCSC) provided guidelines for businesses and staff to work safely from home. [3]

Even those wishing to simply stay in touch with friends and colleagues are not safe. Users of Zoom (for both business and personal calls) are at risk from a large spike in fake domains. An estimated 1,700 new domain names containing the word “Zoom” have been created since January. Fake sites impersonating genuine Zoom domains are the most common, with threat actors attempting to capture users’ personal details; other fake sites push other apps alongside the free software, such as InstallCore. [4]

Recreational callers are not immune: the popular Houseparty video chat app, which rose to number one on the App Store in the third week of March, appears to have been compromised. Users looking to delete the app have been asked for their password to ‘complete deactivation’; following this, suspicious logins from unrecognised IP addresses or devices on Instagram, Twitter, Spotify and Netflix have been seen. Subsequent research suggests that, in fact, some users may have reused credentials, entered their login information at a different malicious site, or installed a malicious app. Houseparty has stated that “All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites.” [5, 6, 8]

An Advanced Persistent Threat (APT) is a skilled offensive cyber group, usually backed or directed by a nation-state. The majority of APT-backed attacks have so far been seen in Asia, reflecting both the origins of the pandemic and the longer time that cybercriminals and researchers there have had to mount and analyse these threats, respectively. Several malicious coronavirus-themed Word documents were identified that appear to have originated with the North Korean APT Kimsuky. [9, 10, 11] Some of these delivered BabyShark, a malware favoured by the group and used to exfiltrate data from victims. Targets included South Korean think tanks, government organisations, news corporations and university professors, among others. Previous Kimsuky campaigns have focused on a similarly broad range of targets, including organisations supporting Korean reunification, cryptocurrency exchanges, think tanks, nuclear power operators and more. [12]

As noted in our previous blog on COVID-19, while ransomware gangs will continue to present a significant threat to businesses, two of the most active groups operating at present, Maze and DoppelPaymer, have pledged to avoid targeting healthcare organisations during the coronavirus pandemic. No such promises have been made by other operators, with Sodinokibi/REvil, Ryuk, PwndLocker and Ako having stayed conspicuously silent. [13] The likelihood of these threat actors targeting an organisation on the healthcare front line was demonstrated when, overnight on 26 March, a security researcher observed Ryuk being deployed against an unnamed US healthcare provider.

There has been a significant uptick in malicious emails using coronavirus-themed lures to disseminate malware. A substantial number of these purport to have been sent from the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC). The types of lure documents and the strains of malware being used are wide-ranging. Victims have been sent malicious Word, Excel, ISO, PIF and PDF files, among others. These have delivered malware including the TrickBot banking Trojan, Ostap downloader, Remcos RAT, Emotet, Nanocore RAT, Agent Tesla keylogger, Lokibot infostealer, Ryuk ransomware, Hancitor Trojan and Bisonal malware. A feed of COVID-19 themed malware is available via MalwareBazaar here.

In addition, researchers recently observed a notable new malspam campaign targeting the healthcare and manufacturing sectors in the US. The emails featured the subject “Please help us with Fighting corona-virus” and delivered the RedLine infostealer. This is a novel piece of malware offered as malware-as-a-service on Russian cybercrime forums. Subscriptions cost between $100 and $200 a month, depending on the package. The malware can steal login credentials, cookies, autocomplete fields and credit card details, among other information. [1]

There has been a significant increase in suspicious coronavirus-themed domains registered in the past few months. Since January 2020, more than 4,000 coronavirus-related domains have been registered globally. Approximately 3% of these were confirmed as malicious and an additional 5% deemed suspicious. Based on these figures, coronavirus-themed domains are approximately 50% more likely to be malicious than others registered during the same period. [1] A feed of suspicious new COVID-19 domains, published by security researcher ‘dustyfresh’, is available here.

Some of these domains have hosted websites masquerading as coronavirus tracking maps; others are standard phishing pages delivered via coronavirus-themed emails. In many instances these are untargeted and distributed in bulk to potential victims. However, there have also been instances of targeted coronavirus phishing campaigns; a notable example was received by NHS personnel. All non-official coronavirus-themed domains should be treated with suspicion and avoided where possible. Staff across all sectors are highly likely to continue receiving both targeted and generic coronavirus-themed phishing emails going forward.
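The two domain observations above (the spike in “Zoom” lookalikes and the flood of coronavirus-themed registrations) both come down to the same triage question for a defender: given a feed of newly registered domains, which ones carry a themed keyword or imitate an official domain, and which are genuinely the official site? The following script is an added example written for this update, not code from the original post or from any of the researchers cited; it runs over a constructed sample list (not a real registration feed) and uses an allowlist of official domains that is the editor’s assumption, to be replaced with an organisation’s own list.

```python
"""Triage newly registered domains for coronavirus / Zoom themed lures.

Added example: constructed sample data, assumed allowlist. Not from the post.
"""

# Constructed sample of "newly registered" domains (not real registrations).
SAMPLE_DOMAINS = [
    "zoom.us",
    "meet.zoom.us",
    "zoom-us-meeting-login.example",
    "covid19-tracker-map.net",
    "coronavirus-update.co.uk",
    "who-int-alerts.com",
    "zoomcloudmeetings.info",
    "weather-today.org",
    "nhs.uk",
    "cdc-gov-covid.net",
]

# Assumed allowlist of official domains (editor's assumption; adjust locally).
OFFICIAL_DOMAINS = {"zoom.us", "who.int", "cdc.gov", "nhs.uk"}

# Themed keywords seen in the lures discussed in the update.
THEMED_KEYWORDS = ("corona", "covid", "ncov", "vaccine", "zoom")

# Suffixes where the registrable domain has three labels (partial list, assumed).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable part, e.g. meet.zoom.us -> zoom.us, a.b.co.uk -> b.co.uk."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonation_variants(official: str) -> list[str]:
    """Strings an imposter typically embeds: who.int, who-int, whoint."""
    return [official, official.replace(".", "-"), official.replace(".", "")]


def classify(hostname: str) -> tuple[str, str]:
    """Classify a hostname as official, suspicious or benign, with a reason."""
    host = hostname.lower().strip(".")
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official", "allowlisted registrable domain"
    # Check the full hostname so zoom.us.evil.example is still caught.
    for official in sorted(OFFICIAL_DOMAINS):
        for variant in impersonation_variants(official):
            if variant in host:
                return "suspicious", f"imitates {official} ('{variant}')"
    for keyword in THEMED_KEYWORDS:
        if keyword in host:
            return "suspicious", f"themed keyword '{keyword}'"
    return "benign", "no indicator"


def triage(domains: list[str]) -> dict:
    """Summarise a feed: counts per label plus the suspicious entries with reasons."""
    counts = {"official": 0, "suspicious": 0, "benign": 0}
    flagged = []
    for domain in domains:
        label, reason = classify(domain)
        counts[label] += 1
        if label == "suspicious":
            flagged.append((domain, reason))
    return {"counts": counts, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_DOMAINS)
    print(result["counts"])
    for domain, reason in result["flagged"]:
        print(f"SUSPICIOUS {domain}: {reason}")
```

The allowlist check is made on the registrable domain so that legitimate subdomains such as meet.zoom.us pass, while the impersonation and keyword checks run over the whole hostname so that an official name buried in a subdomain of an unrelated registration is still flagged. The output is a triage list for an analyst, not a blocklist: a themed keyword on its own is an indicator for review, not proof of malice.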

Over time, malicious coronavirus-themed apps are expected to proliferate. These are likely to become increasingly sophisticated, as cybercriminals invest time and money creating more convincing and effective apps. Victims face the risk of financial costs, identity theft and data loss. Healthcare organisations, by contrast, may find it more difficult to disseminate potentially life-saving information, if users become wary of trusting apps and websites distributing coronavirus updates.

As expected, the unprecedented demand for protective equipment has fuelled a burgeoning supply of counterfeit goods. During a week of action, Interpol seized more than 34,000 counterfeit and substandard masks, alongside various fake products including “corona spray”, “coronavirus packages” and “coronavirus medicine”. [8] Many of these are now being offered for sale on the darknet, as can be seen below. Some will be genuine products, potentially purchased by price gougers before the restrictions on sale were implemented. Others will undoubtedly be fake, putting the purchaser’s health at risk, alongside that of those they come into contact with.

Our TLP Green Cyber Threat Intelligence Report on COVID-19-related cyberattacks and scams can be found here.

What to do:
  • Ensure antivirus software is kept up to date.
  • Do not open files or links from sources that you do not know.
  • Be suspicious of any vendor requesting to divert payments to a different bank account. Always verify that the switch is legitimate.
  • Avoid coronavirus-themed apps and unofficial websites.
  • Test staff with coronavirus-themed phishing simulations.
  • Delete emails claiming to be from the CDC or WHO. The latest updates from both are available here and here.
  • Ignore all online adverts for vaccinations.
  • Only purchase masks, hand sanitiser and related products from reputable stores.