sign in sign up
<<
Home , Remote administration

Weekly Bulletin S21sec COVID-19

May 22, 2020

S21sec’s Threat Intelligence Department CYBERSECURITY YOU CAN TRUST

Massive phishing attack

Microsoft is warning of an ongoing COVID-19 themed phishing campaign that installs the NetSupport Manager remote administration tool.

The attack starts with emails pretending to be from the Johns Hopkins Center, which is sending an update on the number of Coronavirus-related deaths in the United States. Attached to the email there is an Excel document entitled “covid_usa_nyt_8072.xls” that once opened and the malicious macros enabled, would execute the .

According to researchers, the Excel files in this campaign use strong obfuscation formulas and connect to the same URL to download the malware and compromise the by taking remote control of them, executing commands and installing tools and scripts.

In addition to the credentials theft suffered by the victims of this campaign, compromised computers can be used by attackers to laterally spread malware throughout the network, so it is recommended to change . https://www.bleepingcomputer.com/news/security/microsoft-war- ns-of-massive-phishing-attack-pushing-legit-rat/

Scattered Canary Group scam on COVID

The labor and economic crisis caused by the coronavirus has left more than 20 million U.S. citizens unemployed. In response to this situation, Nigerian scammers known as "Scattered Canary" have launched a fraudulent campaign through the website created by the IRS (Internal Revenue Service) which consisted on filing claims based on the CARES Act for financial assistance caused by the COVID-19 pandemic.

To file such claims, personal data such as name, address, date of birth and social security number are required. According to investigators, the actor behind this fraud used social security numbers and personal identification information of identity theft victims, and created fake accounts on websites in order to process payments.

Fraudulent unemployment claims were detected in Washington (174), Massachusetts (17) and Hawaii (2). Among the claims submitted that were accepted, the fraudsters received notifications of the amount to be received and the payment of this amount by means of Green Dot prepaid cards. The investigators identified at least 47 prepaid cards under the name of the same impersonator. https://www.bleepingcomputer.com/news/security/bec-scam- mers-target-unemployment-and-cares-act-claims/ CYBERSECURITY YOU CAN TRUST

Attacks on Romanian hospitals

The "Pentaguard" group from Romania has been arrested after a house raid. The Directorate for the Investigation of Organized Crime and Terrorism (DIICOT), points out that the group of cybercriminals would be carrying out illegal operations by means of SQL injection to compromise and deface websites of public institutions, as well as the distribution of the ransomware Locky and other remote access trojans (RAT) to carry out extortion and data theft campaigns.

Since the beginning of the global pandemic, hospitals have been targeted by cyber groups trying to profit from the situation by targeting systems. According to the information, cybercriminals intended to carry out ransomware attacks against some public health institutions in Romania, using social engineering with the aim of stealing data, defacing websites and encrypting key systems.

This would be a malicious executable application belonging to the "Locky" or "BadRabbit" families, hidden in a malicious email impersonating other government institutions, using the COVID-19 threat as a hook. According to recent warnings from Microsoft , many of the attacks have used ATP-style techniques such as VPN or remote access vulnerability exploitation, as well as reconnaissance, privilege escalation and lateral movement. https://nationalcybersecuritynews.today/ransomware-computer- hacker-police-catch-suspected-hackers-planning-covid19-hospital-ransomware/

COVID-themed phishing templates

According to Proofpoint, COVID-themed attacks have increased, and one of the innovations detected in terms of the techniques used by the threat actors is the creation and the use of phishing website templates that impersonate governments, public institutions and non-governmental organizations (NGOs).

The use of templates would facilitate the creation of high-quality malicious web domains for COVID-themed phishing campaigns that focus on capturing the victim's credentials, while being attractive enough for cybercriminals: for example, templates that copy the look and feel of official sites such as the World Health Organization (WHO), the U.S. Internal Revenue Service (IRS), the Centers for Disease Control (CDC), the United Kingdom government, the Canadian government, and the French government.

This type of fraud has increased during March with a subsequent fall that may be due to a possible scam movement with other types of schemes. According to researchers, more than 300 different COVID campaigns have been detected since January. The aim of this type of fraudulent campaign is to steal credentials, and it involves both known and new groups of threat actors, mainly in English, Spanish, Italian, French and Portuguese, among others. https://www.proofpoint.com/us/blog/threat-insight/ready-ma- de-covid-19-themed-phishing-templates-copy-government-websites-worldwide www.s21sec.com | 902 020 222 | [email protected]