While organised crime volumes remain broadly constant, there has been a shift to Covid-19 themed phishing campaigns and fraudulent websites as organised crime groups seek to monetise the fear, uncertainty and doubt many people feel during the pandemic.
Financial Scams
A wide range of COVID-19 related financial scams are in progress.
— 130 Twitter accounts were compromised, of which 45 high-profile accounts were used to promote a cryptocurrency scam that yielded more than $120k, ZDNet reports. Investigators believe the attackers acquired credentials for a Twitter backend tool through social engineering.
— Mac users are being targeted by trojanized cryptocurrency apps which, once downloaded, drain victims’ cryptocurrency wallets, Threat Post reports. The four fake apps are rebranded copies of a genuine cryptocurrency trading application called Kattana.
— A phishing campaign impersonating the Bill and Melinda Gates Foundation is being spread to promote a Bitcoin scam with a get-rich-quick lure, promising to double the amount of Bitcoin sent to an address, Hack Read reports.
Infrastructure
Organised crime groups have been building out attack infrastructure aimed at corporate networks.
— RiskIQ reports it observed 115,274 new domain names containing COVID-19 keywords on July 20, 2020.
Conferencing Platforms
While attacks still involve phishing linked to malware delivery, a range of other exploitation techniques are targeting the use of conferencing platforms.
— A previously undisclosed bug in a conferencing platform’s customizable URL feature has been addressed, Check Point reports. The bug could have allowed an attacker to pose as a company employee, invite customers and partners to meetings and extract sensitive information through social engineering.
Phishing & Malware
Extensive COVID-19 themed phishing campaigns are underway with cyber criminals exploiting health organisations, academic institutions, enterprises and their IT infrastructure.
— A new phishing campaign pretending to come from a help desk named “servicedesk.com” is mimicking the wording used by real IT help desk domains in corporate environments, Bleeping Computer reports. These emails use enterprise cloud service notifications to steal login credentials.
— A phishing campaign leveraging Amazon is stealing credentials by using a purported Amazon delivery order failure notice, Armorblox reports. This is linked to a voice phishing attempt informing customers their order will be cancelled if they fail to update their payment details within three days, and asking them to do so via a malicious link.
— A phishing campaign in which attackers impersonate an email from Microsoft asks recipients to renew their Microsoft Office subscription through the links provided, in order to steal sensitive user information and money, Abnormal Security reports.
— Bleeping Computer reports a French telecommunications company has confirmed it suffered a ransomware attack on its business services division, with the Nefilim ransomware group claiming responsibility and publishing stolen client data.
— A spear phishing campaign in which attackers spoof an internal notification email from the recipient’s company HR team asks recipients to verify their W2 document five days before the IRS tax filing deadline, in order to steal user account credentials, Abnormal Security reports.
— A family-owned nursing home for the elderly in Maryland has announced that it was the victim of a Netwalker ransomware incident, with the operators leaking sensitive information such as names, social security numbers and health information of nearly 50,000 individuals, Bleeping Computer reports.
Mobile Malware
Mobile devices are not immune from COVID-19 themed attacks.
— Threat Fabric reports a new Android malware named BlackRock, designed to steal passwords and credit card data, has been distributed as a fake Google update package on third-party sites. The malware abuses Accessibility permissions to steal information from 330 apps, including Instagram and TikTok.
— Experts in Spain have warned that the robots being used to disinfect hospitals with ultraviolet light during the COVID-19 pandemic are vulnerable to cyber attacks and can be remotely taken over to shine their harmful rays on exposed patients or staff, The Telegraph reports.
Vulnerabilities
— A critical, 17-year-old wormable RCE vulnerability (CVE-2020-1350) in Windows DNS, known as SIGRed, has received a patch from Microsoft. SIGRed can allow an attacker to gain Domain Administrator privileges and compromise the entire corporate infrastructure, and it received a severity score of 10/10, Bleeping Computer reports.
— Microsoft has fixed a total of 123 vulnerabilities in July’s Patch Tuesday update, including 18 critical bugs affecting Windows Server, Office and Outlook, Threat Post reports.
— Adobe has released patches for four critical vulnerabilities across five different products in its July update, including Creative Cloud Desktop and Media Encoder, with the most important flaws involving privilege escalation, Threat Post reports.
— Cisco has released fixes for 33 flaws in a variety of its devices, the most severe of which can be exploited to conduct RCE and privilege escalation attacks on Cisco’s Small Business Wireless VPN Firewall routers.
Government
— The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all federal executive branch offices to apply the patch for the wormable Windows DNS Server bug CVE-2020-1350 within 24 hours, citing a high potential for compromise of agency information systems. A further advisory urges immediate action to reduce the exposure of operational technology and control systems to cyber attack.
— The U.K.’s NCSC, the U.S. Department of Homeland Security (DHS) and Canada’s Communications Security Establishment (CSE) issued an alert on the APT group known as APT29 attempting to steal COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world.