While organised crime volumes remain broadly constant, there has been a shift to COVID-19 themed phishing campaigns and fraudulent websites as organised crime groups seek to monetise the fear, uncertainty and doubt many people feel during the pandemic.
A wide range of COVID-19 related financial scams are in progress.
— An email spam campaign circulating in the U.S. uses COVID-19 and the Family and Medical Leave Act (FMLA) as its theme, with attachments containing malicious macros that deliver the IcedID banking trojan. IcedID specialises in man-in-the-browser attacks to intercept and steal financial information, Threat Post reports.
— A credential-phishing campaign impersonates a major U.S. bank with emails that bypass secure email gateway protections. Targeted recipients are warned that their accounts will be recycled unless they update their email address, Threat Post reports.
— A smishing campaign targets millions of self-employed workers using the U.K.'s Self-Employment Income Support Scheme (SEISS). Workers receive an SMS purporting to come from Her Majesty's Revenue and Customs (HMRC) regarding eligibility for a tax refund; the linked page harvests personal details, The Fintech Times reports.
— A phishing campaign in which attackers impersonate the security team of a large U.S. bank tricks users by offering them a new security key to protect their account; the malicious attachment redirects to a credential-phishing page, Abnormal Security reports.
Organised crime groups have been building out attack infrastructure to target corporate networks.
— RiskIQ reports observing 108,449 new domain names containing COVID-19 keywords on June 22, 2020.
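Newly registered domain (NRD) feeds are where figures like RiskIQ's come from, and the practical question for a defender is how to triage such a feed rather than just count it. The following is an added example, not RiskIQ's tooling or anything from the original bulletin: it scores each domain in a constructed feed by whether it contains a pandemic keyword, whether it also names a brand or scheme impersonated in the lures above (HMRC, SEISS, FMLA, banks, Webex), and whether it carries a classic lure word such as "refund" or "login". The keyword, brand and lure lists are assumptions for illustration and would be tuned to an organisation's own brands.

```python
import re
from typing import Dict, List

# Pandemic-themed substrings (assumed list for this example, not RiskIQ's keyword set).
COVID_PATTERN = re.compile(r"covid|corona|ncov|sarscov|pandemic|quarantine|vaccine")
# Brands and schemes impersonated by the lures in this bulletin (assumed list).
BRAND_TERMS = {"hmrc", "seiss", "fmla", "bank", "webex", "zoom", "who", "cdc", "nhs", "irs"}
# Generic lure words that push a domain from "themed" to "probably a phish" (assumed list).
LURE_TOKENS = {"refund", "relief", "login", "update", "secure", "verify", "grant", "support"}

# Constructed sample of an NRD feed, one domain per line (not real registrations).
SAMPLE_NRD_FEED = """\
# constructed sample feed
covid19-relief-hmrc-refund.com
example.com
coronavirus-bank-login-update.net
webexmeetings-covid-update.org
corona.de
wholesale-update.com
nhs-vaccine-appointment.co.uk
"""


def tokens(domain: str) -> List[str]:
    """Lowercase the name, drop the last label (naive public-suffix strip) and
    split into alphabetic and numeric runs, so 'covid19-hmrc' -> ['covid','19','hmrc']."""
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")[:-1] or [name]
    return re.findall(r"[a-z]+|[0-9]+", ".".join(labels))


def match_brands(toks: List[str]) -> List[str]:
    """Long brand names may be fused with other words ('webexmeetings'), so they are
    matched as substrings; short ones ('who', 'nhs') only as whole tokens to avoid
    false positives such as 'who' inside 'wholesale'."""
    joined = "".join(toks)
    hits = set()
    for brand in BRAND_TERMS:
        if len(brand) >= 5 and brand in joined:
            hits.add(brand)
        elif brand in toks:
            hits.add(brand)
    return sorted(hits)


def score_domain(domain: str) -> Dict:
    """Return the evidence found in one domain and a coarse risk tier."""
    toks = tokens(domain)
    covid = bool(COVID_PATTERN.search("".join(toks)))  # 'covid-19' and 'covid19' both normalise
    brands = match_brands(toks)
    lures = sorted(LURE_TOKENS.intersection(toks))
    if covid and brands:
        tier = "high"      # pandemic theme plus an impersonated brand or scheme
    elif covid and lures:
        tier = "medium"    # pandemic theme plus a credential/payment lure word
    elif covid:
        tier = "low"       # themed only; could be legitimate news or health content
    else:
        tier = "none"
    return {"domain": domain.strip().lower(), "covid": covid,
            "brands": brands, "lures": lures, "tier": tier}


def triage_feed(feed: str) -> List[Dict]:
    """Score every domain in a feed, drop the unthemed ones and order by tier."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [score_domain(line) for line in feed.splitlines()
               if line.strip() and not line.startswith("#")]
    return sorted((r for r in results if r["tier"] != "none"),
                  key=lambda r: (order[r["tier"]], r["domain"]))


if __name__ == "__main__":
    for hit in triage_feed(SAMPLE_NRD_FEED):
        print(f"{hit['tier']:6} {hit['domain']:40} brands={hit['brands']} lures={hit['lures']}")
```

On the constructed feed the four brand-plus-theme names land in the high tier, the bare "corona.de" is left in the low tier for an analyst to eyeball, and "wholesale-update.com" is not flagged at all because "who" is only matched as a whole token. In production the same scoring would be run over a daily NRD export and the high tier pushed to a blocklist or a takedown queue.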
While attacks still involve phishing leading to malware delivery, a range of other exploitation techniques target the conferencing platforms now in heavy use.
— Cisco has added its data loss prevention (DLP) retention, Legal Hold and eDiscovery features to Webex Meetings. Cisco has also published several security advisories for Webex vulnerabilities, including three classified as high severity, one of which allows remote code execution, Security Week reports.
Phishing and malware
Extensive COVID-19 themed phishing campaigns are underway, with cyber criminals targeting health organisations, governments, enterprises and their IT infrastructure.
— A large-scale phishing campaign by the North Korea-linked APT group Lazarus uses government-funded COVID-19 initiatives as a lure to obtain personal and financial information from recipients. The campaign targets millions of people and several businesses in six countries: the US, the UK, India, Japan, Singapore and South Korea, Cyfirma reports.
— A phishing campaign targeting European and Asian companies uses recognised brand names to bypass security filters and trick victims into giving up Office 365 credentials, which are then used to gain access to corporate networks, Threat Post reports.
— An espionage campaign targets military and aerospace organisations across Europe and the Middle East. Attackers pose as LinkedIn recruiters, sending LinkedIn messages or emails to lure company employees, with the aim of extracting money and sensitive documents, Hack Read reports.
Mobile devices are not immune from COVID-19 themed attacks:
— Guardsquare, a mobile-application security firm, analysed 17 Android contact-tracing apps and found that most neither adequately protect user privacy nor prevent the collected data from being misused, and that they lack code-hardening techniques.
Broader threat landscape
— Patient records of more than 230K Indonesian COVID-19 patients were leaked on the darknet, including patients' names, addresses, telephone numbers, diagnosis dates and results, Cyble Inc. reports.
— The Australian beverage company Lion has been hit with a ransomware attack shutting down operations like manufacturing and customer service, Security Affairs reports.
— U.S. chipmaker MaxLinear was breached and its systems encrypted by the Maze ransomware. The attackers later leaked 10GB of the company's accounting and financial data in a double-extortion attack, Bleeping Computer reports.
— The Indian conglomerate Indiabulls has been hit with the CLOP ransomware, with attackers leaking screenshots of stolen data, Bleeping Computer reports.
— An online food delivery service has confirmed a data breach, exposing the account details of 727,000 customers in 14 different countries, Info Security Magazine reports. Exposed data includes names, addresses, phone numbers, hashed passwords and geolocation data.
— Nearly 270GB of sensitive files from police departments across the U.S. were leaked online, Krebs on Security reports. The information spans 24 years of police work and includes PII, financial data and data regarding suspects. The source of the compromise is Netsential, a web services company used by many law enforcement agencies across the U.S.
— According to an internal report, the theft of top-secret cyber tools (Vault7) from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their systems,” The Washington Post reports.
— The Indian Computer Emergency Response Team (CERT-In) has issued an advisory warning of a large-scale phishing attack against individuals and businesses using COVID-19 as bait. Attackers impersonate government authorities to steal personal and financial data.
— A sophisticated, state-sponsored cyber actor is targeting Australia across a range of sectors including government, industry and other critical infrastructure operators, BBC reports. The Australian Cyber Security Centre (ACSC) has released a detailed advisory describing the related TTPs and IoCs.
— A critical vulnerability that affects 79 NETGEAR router models can let hackers take over devices remotely, letting them run code as “root,” ZDNet reports.
— Adobe has addressed 18 critical code execution flaws across its software product suite, Security Affairs reports.
— Nineteen newly discovered vulnerabilities in a low-level TCP/IP software library designed in the 1990s affect billions of IoT devices, ranging from home devices to healthcare equipment. Four of the bugs are critical and may result in remote code execution, ZDNet reports.