Share with your friends

While organised crime volumes remain broadly constant, there has been a shift to Covid-19 themed phishing campaigns and fraudulent websites as organised crime groups seek to monetise the fear, uncertainty and doubt many people feel during the pandemic.

Financial Scams

A wide range of COVID-19 related financial scams are in progress.

— Eight cities in the U.S. have fallen victim to a Magecart style card skimming attack, Trend Micro reports. Local government service websites were compromised, allowing credit card skimmers to pass the credit card information to cybercriminals.

— A backdoor named "GoldenSpy" was found in a Chinese bank's official tax software. Two western companies, including a major financial institution and a UK-based technology vendor, installed the tax software to pay local taxes, Trustwave reports.

— A hacking group dubbed CrytoCore stole more than $200 million in virtual currency from several cryptocurrency exchanges over the past two years, ClearSky Cyber Security reports.

— North-Korea based APT Lazarus has added Magecart to their hacking attempts, targeting online payments made by American and European shoppers with one attack in June 2020 affecting a fashion accessory chain, Sansec reports.


Organised crime groups have been building out attack infrastructure to affect corporate infrastructure. 

— European bank has been hit by the largest ever DDoS attack that peaked at a record 809 million packets per second, Akamai reports. The bank has mitigated the attack and indicated a new botnet may have been used.

Conferencing Platforms

While attacks still involve phishing linked to malware delivery, a range of other exploitation techniques are targeting the use of conferencing platforms.

Zoom announced its upcoming event PresenceSummit, which uses live streaming on social media 

Phishing & malware

Extensive COVID-19 themed phishing campaigns are underway with cyber criminals exploiting health organisations, academic institutions, enterprises and their IT infrastructure.

— A new credential phishing attack targeting O365 users purports to send coronavirus training resources to employees returning to the workplace as lockdowns lift around the world, Checkpoint reports.

Symantec Corporation reports Evil Corp, a Russian hacking group, is launching ransomware attacks against 31 U.S. companies, targeting employees working from home due to COVID-19. Researchers have described the 'WastedLocker' ransomware as relatively new and demands ransoms of $500,000 to $1 million.

— The University of California, San Francisco, paid criminal hackers $1.14 million this month to resolve a ransomware attack that encrypted data on its medical school servers, Bloomberg reports. While researchers at UCSF are among those leading coronavirus antibody testing, the attack did not impede its COVID-19 research.

— Multiple electronics and IT firms have been hit by Maze ransomware, with attackers claiming to have stolen large volumes of company data, including source code, Bleeping Computer reports. Link 2

Mobile malware

Mobile devices are not immune from COVID-19 themed attacks.

— The mobile ransomware, CryCryptor, disguised as a Canadian contact tracing app, was distributed on two websites falsely claiming to represent Health Canada, capitalizing on a Canadian government announcement on developing a nationwide contact tracing app, S.C. Magazine reports.

— The FakeSpy Android infostealer malware is spreading via an SMS phishing campaign disguised as legitimate postal-service apps, which once installed steal SMS messages and financial data, Cybereason reports.

Broader threat landscape

— Business email compromise (BEC) attacks focused on invoice and payment fraud with fraudsters engaged in leveraging the COVID-19 pandemic to target victims have jumped 200% from April 2020 to May 2020, Abnormal Security reports.

Attacks targeting servers

Checkpoint researchers have discovered an ongoing, evolving campaign from a known hacking group, "DarkCrewFriends," targeting PHP servers by creating a botnet infrastructure that can be leveraged for monetization and shutting down critical services.

— Docker servers have been hit with the first organized and persistent attacks that infect misconfigured clusters with DDoS malware. The two botnets are running versions of XORDDoS and the Kaiji malware, both previously used to target a complex cloud setup, Trend Micro reports.

Other Observations


Palo Alto Networks reports a critical vulnerability, CVE-2020-2021 found in the operating system (PAN-OS) of all its next-generation firewalls could allow unauthenticated network-based attackers to bypass authentication. The vulnerability has received a 10 out of 10 score on the CVSSv3 severity scale, and the U.S. Cyber Command officials have warned in a tweet, to patch all devices immediately.

F5 Networks has released a security advisory to address a critical remote code execution vulnerability (CVE-2020-5902) in the BIG-IP Traffic Management User Interface (TMUI). An attacker could exploit this vulnerability to control an affected system, with the vulnerability having a CVSS score of 10 out of 10. 

— Researchers have disclosed that 300 Windows 10 executables are vulnerable to DLL hijacking. The vulnerability allows attackers to gain administrative privileges and bypass UAC (user access control) altogether, Bleeping Computer reports.

Cisco has released a security advisory on a Telnet vulnerability (CVE-2020-10188) affecting Cisco IOS XE devices, allowing attackers to take control of an affected system.

Cisco Talos Intelligence reports multiple vulnerabilities in Mozilla Firefox, Firefox ESR and Thunderbird, which includes an information disclosure vulnerability (CVE-2020-12418) resulting in arbitrary code execution.


— The FBI has issued an alert to K-12 schools about the increase in ransomware attacks during the coronavirus pandemic, especially about ransomware gangs that abuse RDP connections to break into school systems, ZDNet reports.

Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory regarding vulnerabilities in Baxter's four medical IoT devices. These vulnerabilities cover a few infusion pumps and hemodialysis delivery systems related to the use of hard-coded passwords and transmission of data over plain text.

Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory for companies regarding the detection and mitigation of malicious traffic coming from Tor (The Onion Router) with a description of tools that can verify the provenance of Internet traffic.

— The Indian government has banned 59 Chinese apps, including TikTok and WeChat, with the government arguing these apps have been used to collect data on Indian users and sent back to servers in China, The Economic Times reports. An Indian Ministry of Defence cyber advisory provides further details.

Related links