June 4, 2020, 16:00 UTC (12:00 p.m. ET), v.10.1

SUMMARY

The worldwide COVID-19 outbreak, which the World Health Organization (WHO) declared a pandemic on March 11, 2020, continues to present global business with cybersecurity challenges, including opportunistic phishing campaigns, discontinuity of information security operations and long-term financial constraints. Companies in all industries should plan for these challenges to persist for months and to have long-term effects.

KEY CONSIDERATIONS

▌ Plan to execute months-long business continuity plans (BCP), including information security monitoring and response, while operating under quarantine conditions.
▌ The pandemic has created social engineering opportunities, including phishing campaigns. Phishing awareness is key, as cyberespionage and cybercriminal groups will take advantage of this condition while it remains active.
▌ BCPs, travel restrictions and remote work policies challenge enterprise monitoring, especially for companies that have not previously exercised BCPs. Companies should advise work-from-home employees on home router and Internet of Things (IoT) protection and virtual private network (VPN) best practices.
▌ The pandemic’s economic and operational impact, which will create financial and budget challenges for companies’ information security operations in the mid-to-long term, will pressure information security operations to maintain or increase coverage under tighter budgetary constraints. Companies will need advice on how to stratify, prioritize and outsource information security operations, and manage infrastructure and operational maintenance and growth.

This report is classified TLP:WHITE (https://first.org/tlp/). Information contained within this report has been approved for public release and may be distributed without restriction, subject to copyright controls.

ANALYSIS

COVID-19 INTRODUCES CYBERTHREAT OPPORTUNITIES

EXPLOITATION OF WORK-FROM-HOME POLICIES

To slow down infection rates and protect their workforces, companies worldwide have begun initiating work-from-home (WFH) policies. These conditions shift information security focus from enterprise infrastructure to cloud and virtualized infrastructure. WFH employees will rely on home Wi-Fi routers and VPN connections to company infrastructure, and misconfigurations risk the leakage and theft of sensitive company information. To help protect themselves from WFH vulnerabilities, companies should:

▌ Ensure employees are fully cognizant of company information protection procedures, including those regarding hard drives and file encryption in storage and in transit.
▌ Brief employees on home network best practices, including the use of non-default router and IoT passwords, SSID broadcast hiding and the configuration of trusted DNS providers.
▌ Ensure WFH employees understand how to configure and connect to company VPN providers and avoid split-tunneling.
▌ Plan fallback measures for phone-based and off-net communications and work, as many VPN providers may encounter scaling issues as large numbers of users join.
▌ Ensure the computers and devices WFH employees use are updated with the most current system and application versions.

CYBERTHREAT ACTORS AND GROUPS EXPLOITING COVID-19 CONCERNS

Threat actors will exploit unsecured conditions; numerous phishing campaigns and potential mobile device vectors have already emerged, taking advantage of public concern and confusion about COVID-19 to use the pandemic as a lure. Researchers have attributed some campaigns to named groups while they have not been able to do so for others; some such actors and campaigns include:

▌ ALBACORE (a.k.a. APT15 and Ke3Chang), reportedly an advanced persistent threat (APT) group operating from China, is known to take advantage of well-known geopolitical events in its social network campaigns. This group’s social engineering campaigns usually leverage malware attachments or malicious, embedded URLs that link to downloads that typically exploit older, more-reliable vulnerabilities across Microsoft Word, Oracle Java, and Adobe Reader. ALBACORE is reportedly associated with the CMStar malware variant observed in targeted attacks against the Belarus and Mongolian governments in the last several years.
▌ ROHU (a.k.a. Transparent Tribe, ProjectM and APT36), a threat group reportedly operating from Pakistan, has a history of diplomatic and political targets in the United States and India. This group reportedly produced a macro-based malicious Microsoft Word document spoofed to be a health advisory for COVID-19 from the Indian government. This malicious document drops Crimson RAT, a reported favorite of ROHU.
▌ SNAKEMACKEREL (a.k.a. Sofacy, APT28 and ) is a threat group reportedly of Russian origin. SNAKEMACKEREL operations continue to be some of the most far-reaching and sophisticated cyberespionage and intelligence campaigns to date. Actors reportedly associated with the group sent malicious documents, purporting to be the latest news on COVID-19, with an embedded C# backdoor Trojan to Ukrainian targets.
▌ STICKLEBACK (a.k.a. Kimsuky and Stolen Pencil), reportedly of North Korean origin, focuses its computer network intrusion operations against government and non-profit (e.g., think tank) organizations located in the United States and parts of East Asia, particularly South Korea. This threat actor group used COVID-19 as a lure to send documents with the Baby Shark malware to its intended victims.
▌ POND LOACH (a.k.a. OceanLotus and APT 32), reportedly an APT group operating in Vietnam, attacked the Chinese health department and agencies of Wuhan municipality using COVID-19-themed phishing lures, according to a Chinese information security report published on March 16. The POND LOACH group has been targeting Chinese energy-related industries, maritime agencies, marine construction, shipping companies and research institutes.
▌ LUCIFERSHARK (a.k.a. MUSTANG PANDA), reportedly operating from China, uses phishing to deliver weaponized Microsoft Office documents. The group deploys PlugLoadDLL, VMS Stager, and Cobalt Strike malware and traditionally targets non-governmental organizations and government agencies in Mongolia and Southeast Asia.

▌ CANDLEFISH (a.k.a. Patchwork and SideWinder), reportedly operating from India, allegedly targeted health organizations in Wuhan with COVID-19 phishing lures and triggered a Chinese patriotic hacktivist retaliation. This group also reportedly targeted Pakistan with a phishing attack using information regarding an alleged local Pakistani Army deployment to help combat COVID-19.
▌ WINTERFLOUNDER (a.k.a. Gamaredon), reportedly operating from Russia, allegedly targeted the Ukrainian government using COVID-19 as a lure and impersonating a Ukrainian journalist named Sashko Shevchenko.
▌ ARCHERFISH (a.k.a. APT27 and Emissary Panda), reportedly operating from China (https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox), purportedly used a .LNK file masquerading as a PDF file to infect victims with embedded malicious content using the COVID-19 pandemic as a lure (https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/?utm).
▌ SNIPEFISH (a.k.a. DarkHotel) is reportedly behind an attack using a zero-day vulnerability in the Sangfor SSL VPN servers on Chinese government agencies in China and those operating in other countries (http://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html). SNIPEFISH activity dates to at least 2007 and is likely responsible for thousands of successful compromises around the globe. Analysts have previously documented the group’s use of zero-day vulnerabilities in many campaigns. These particular zero-day attacks appear related to the COVID-19 outbreak. VPNs serve as essential tools at the current time, with more people in many countries working from home.
▌ (a.k.a. SEA) is a prominent Arab hacktivist group that reportedly operates out of multiple cells both within Syria and in neighboring countries. A group with an IP address in the same block as the SEA reportedly used COVID-19 as lures to get users to install mobile applications targeting Arabic-language users; these malicious apps had names such as “Covid19,” “Telegram Covid_19,” “Android Telegram” and “Threema Arabic,” among others (https://securityaffairs.co/wordpress/101754/malware/sea-targets-android.html).
▌ NEEDLEFISH (a.k.a. Lazarus, Bluenoroff, Hidden Cobra and APT38), a threat group reportedly operating out of North Korea (https://attack.mitre.org/groups/G0082/), is believed to have conducted both financially motivated and espionage operations, according to iDefense observations. The group uses an arsenal of tools during its operations, including a backdoor codenamed SYSCON (a.k.a. SANNY). The group reportedly distributed spear-phishing documents referencing COVID-19, specifically referencing the use of face masks and increases in during the pandemic, to government targets in South Korea. These documents were the initial step in an infection chain that installed SYSCON to enable espionage operations (hxxps://s.tencent[.]com/research/report/969.html).
▌ Several COVID-19-themed phishing campaigns have targeted populations in the United States, the United Kingdom, Italy, Germany and Japan. Most of these campaigns have used common cybercrime malware, such as keyloggers, information stealers and banking Trojans, including Formbook, Lokibot, Ostap, TrickBot, AZORult and Emotet. Malicious actors have used some of these tools to steal credentials. These campaigns may impersonate official COVID-19 information providers such as the US Centers for Disease Control (CDC) and local experts.
▌ After 4 million Iranians installed it, Google removed an application to test and track infections of COVID-19 from Google Play; the Iranian government created the app, with the country’s Health Ministry then persuading citizens to use it. Concerns were raised, as the developer of the app has connections with apps that in the past allegedly secretly collected user data (https://www.zdnet.com/article/spying-concerns-raised-over-irans-official-covid-19-detection-app/).
▌ Since January, parties have registered 4,000-6,000 COVID-19-related domains globally to support a wide array of malicious activity, including credential harvesting, carding fraud and malware installation. COVID-19 domains are reportedly 50 percent more likely to be fraudulent than are other domains.
▌ Criminal actors on Russian underground forums are soliciting people with Italian-language skills, suggesting a future increase in Italian-language phishing and mass spam campaigns; iDefense has observed some using the TrickBot malware. These solicitations have also targeted French- and Portuguese-speaking audiences. The malware campaign masquerading as a coronavirus map, which Reason Cyber Security Inc. discusses on its blog, is an example of malicious domains that steal credentials (https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threat-analysis-report/).
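The lure patterns described in the bullets above (display names claiming the WHO or CDC while sending from unrelated or lookalike domains, pandemic-themed subjects and domains, macro-enabled Office documents and .LNK files posing as PDFs) can be turned into a mail-triage heuristic. The following Python script is an added example, not code from this report or from iDefense; the brand list, the scoring weights, the sample messages and the finding names are all constructed for the demonstration, and a real deployment would load its own list of protected brands.

```python
"""Heuristic triage of inbound mail for COVID-19 lure patterns.

Added example: the brand table, weights and sample messages below are
constructed for this demonstration and are not iDefense data.
"""
import re

# Brand phrase (lower-case) -> domain that legitimately sends as that brand.
BRANDS = {
    "world health organization": "who.int",
    "who": "who.int",
    "centers for disease control": "cdc.gov",
    "cdc": "cdc.gov",
    "hm revenue": "hmrc.gov.uk",
    "hmrc": "hmrc.gov.uk",
}
LEGIT_DOMAINS = set(BRANDS.values())
COVID_TERMS = ("covid", "corona", "ncov", "pandemic")
MACRO_EXT = (".docm", ".xlsm", ".pptm", ".doc", ".xls")
WEIGHTS = {  # constructed weights; tune against your own mail flow
    "DISPLAY_NAME_SPOOF": 3,
    "LOOKALIKE_DOMAIN": 2,
    "MACRO_ATTACHMENT": 2,
    "LNK_ATTACHMENT": 2,
    "COVID_THEME": 1,
}


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_legit(domain):
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def claimed_brand(display_name):
    """Return the legitimate domain of a brand named in the display name, if any."""
    name = display_name.lower()
    for phrase, domain in BRANDS.items():
        if re.search(r"\b" + re.escape(phrase) + r"\b", name):
            return domain
    return None


def lookalike_of(domain):
    """Return the legitimate domain this one imitates (brand label reused as a
    label of the sender domain, or within two edits), else None."""
    if is_legit(domain):
        return None
    labels = re.split(r"[.-]", domain)
    for legit in sorted(LEGIT_DOMAINS):
        if legit.split(".")[0] in labels or levenshtein(domain, legit) <= 2:
            return legit
    return None


def score_message(msg):
    """Return (score, verdict, reasons) for one message dict."""
    reasons = []
    domain = sender_domain(msg["from_addr"])
    brand_domain = claimed_brand(msg["from_name"])
    # Display name claims a trusted sender, but the address is not on that domain.
    if brand_domain and not (domain == brand_domain or domain.endswith("." + brand_domain)):
        reasons.append("DISPLAY_NAME_SPOOF")
    if lookalike_of(domain):
        reasons.append("LOOKALIKE_DOMAIN")
    if any(term in (msg["subject"] + " " + domain).lower() for term in COVID_TERMS):
        reasons.append("COVID_THEME")
    for name in msg["attachments"]:
        lower = name.lower()
        if lower.endswith(MACRO_EXT) and "MACRO_ATTACHMENT" not in reasons:
            reasons.append("MACRO_ATTACHMENT")
        if lower.endswith(".lnk") and "LNK_ATTACHMENT" not in reasons:
            reasons.append("LNK_ATTACHMENT")
    score = sum(WEIGHTS[r] for r in reasons)
    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"
    return score, verdict, reasons


# Constructed sample messages: two lures shaped like the campaigns above, one benign memo.
SAMPLE_MESSAGES = [
    {"from_name": "World Health Organization", "from_addr": "who.covid.updates@gmail.com",
     "subject": "COVID-19 safety measures", "attachments": ["COVID-19_advisory.docm"]},
    {"from_name": "CDC Alerts", "from_addr": "alerts@cdc-gov-alerts.com",
     "subject": "Updated coronavirus map", "attachments": ["coronavirus_map.pdf.lnk"]},
    {"from_name": "Facilities Team", "from_addr": "facilities@example-corp.com",
     "subject": "Office closure during pandemic", "attachments": ["closure_notice.pdf"]},
]


def triage(messages):
    return [(m["subject"],) + score_message(m) for m in messages]


if __name__ == "__main__":
    for subject, score, verdict, reasons in triage(SAMPLE_MESSAGES):
        print(f"{verdict:10} score={score} {subject!r} {reasons}")
```

The verdict thresholds deliberately let a COVID keyword alone through: the benign closure notice scores 1 and is delivered, while the two lures are quarantined on the combination of sender spoofing and a macro or shortcut attachment. The lookalike check only catches reused brand labels and two-edit typosquats; a registered domain such as a brand name fused with a new TLD needs a separate newly-registered-domain feed.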

▌ iDefense observed reporting to local police and news outlets of COVID-19-related extortion attempts in Denmark, Sweden, Portugal and the US. On average, these extortion attempts seek US$2,000-4,000 paid in bitcoins. Perpetrators typically send an e-mail stating that unless the target pays a certain amount in bitcoins, the perpetrator will ensure the victim becomes infected with COVID-19. Many of the targets are elderly, which indicates the threat actors behind this targeting possibly conducted some form of open-source intelligence before carrying out their attack. iDefense assesses with high confidence that the majority of these extortion attempts are scams with no actual threats behind them.
▌ Beginning on March 18, 2020, as news began circulating about the likelihood that the US would begin issuing stimulus checks to Americans, iDefense analysts observed discussions beginning on underground forums about how to exploit this. Several false-document sellers subsequently saw an increased demand for fake US documents. iDefense analysts assess with moderate confidence that some actors, especially US-domestic threat actors, will attempt to obtain fraudulent checks now that the CARES Act has become law. The trend will possibly increase the value of US personally identifiable information (PII) and may lead to the circulation of an increased number of false documents.
▌ iDefense has observed document sellers specifically mentioning the COVID-19 outbreak in reference to the obtaining of false documents, such as passports, driver’s licenses, birth certificates and Social Security numbers for job requirements or to combat travel restrictions.
▌ iDefense continues to see daily phishing campaigns leveraging the COVID-19 theme, with most such campaigns delivering common cybercrime malware, such as keyloggers, information stealers, banking Trojans and a previously unknown backdoor dubbed BlackWater. iDefense also noticed new campaigns targeting additional locations such as Russian- and Spanish-speaking countries, along with India as the situation with COVID-19 worsens worldwide.
▌ A fake Android mobile app called “Coronavirus Finder” offers to show users infected people around them for 0.75 euros (US$0.82). This app requests and steals users’ bank information and then infects users with the GINP banking Trojan (https://www.kaspersky.es/blog/ginp-trojan-coronavirus-finder/22193/).
▌ Actors who are presumably criminal in nature have sent hundreds of communications to direct consumers to a fraudulent UK website with the logo of the UK tax agency, Her Majesty’s Revenue and Customs (HMRC). The website prompts users to provide their bank information to participate in a new (fake) tax refund program related to the COVID-19 outbreak. Once submitted, the malicious actors behind this site are able to use the input information to carry out credit card fraud and identity theft (https://www.ft.com/content/334ac60d-1f86-473f-a5dc-92b6f2d8bc56).
▌ According to information that cybersecurity and compliance solutions company Onapsis provided directly to iDefense, WFH policies, which organizations enacted to diminish the spread of COVID-19, have significantly increased those organizations’ risks from Internet-accessible applications. For example, Onapsis observed a 35 percent increase in the number of Internet-accessible Oracle E-Business Suite Applications during the January-April 2020 period. Furthermore, Onapsis observed a 5-10 percent average monthly increase in the number of general business applications that vendors have made Internet-accessible since March 2020. Similarly, Onapsis observed a 44 percent increase in vulnerable, Internet-accessible SAP portals as organizations relax security controls to enable continued access to internal applications. Finally, Onapsis research shows the COVID-19 pandemic has coincided with the disclosure of an unprecedented number of SAP and Oracle vulnerabilities, with SAP releasing 11 notable “HotNews” security reports and Oracle releasing information about a record 399 vulnerabilities in April (https://www.oracle.com/security-alerts/cpuapr2020.html).
▌ Google’s recent Threat Analysis Group update (https://blog.google/threat-analysis-group/updates-about-government-backed-hacking-and-disinformation) reports that “hack-for-hire” units have been conducting phishing activity distributing lure documents from Gmail accounts masquerading as the WHO. These groups, most of which Google claims are based in India, have targeted organizations in the financial services provider, consulting, and healthcare provider industries in the United States, Slovenia, Canada, India, Bahrain, Cyprus, and the United Kingdom.

COVID-19-RELATED DISCUSSIONS IN CYBERCRIME UNDERGROUND

While many threat actors are eager to take advantage of the global pandemic for monetary gain, some voices within cybercrime forums have expressed opposite opinions, refusing to use COVID-19 themes in cyberattacks:

▌ Frenchy, a vendor of a malicious Microsoft Excel macro, has urged buyers to exploit COVID-19-themed cover stories to get better results from malware installations. This actor has built and is selling a malicious macro builder, offering discounts on this product on the Exploit forum, where Frenchy claims actors can use the product to “exploit Corona virus wave to get better results [sic].” iDefense sometimes observes product or service discounts in response to the emergence of a new threat vector, with threat actors making up the money lost due to reduced unit prices by the sheer volume of sales such discounts elicit. It would therefore seem that Frenchy’s business is increasing.
▌ iDefense analysts found a significant increase in the sale of the popular Android banking Trojan “Cerberus” on criminal underground forums, including XSS, Exploit and Club2crd. Notably, the premier seller of the malware, the well-established threat actor on the XSS and Exploit forums who uses the name “Android,” noted “I have sold more this week than the last 4 months” and claimed that “this week our bot was installed on 950,000 devices worldwide.” iDefense analysts assess with moderate confidence that the increased demand and sale of Cerberus is due to the COVID-19 outbreak. Actor Android shares this sentiment, claiming “Due to the current threat of coronavirus to the world, mobile traffic has grown on the network” as the reason for the increased demand. iDefense notes this situation has created a significant threat to any Android user operating one of the affected applications as well as to targeted organizations. As of March 31, 2020, Cerberus operates overlays for seven French banking apps, seven US banking apps, one Japanese banking app and 15 non-banking apps.
▌ jokerhttp, a veteran threat actor who specializes in creating custom phishing lures, has posted new COVID-19-themed phishing kits for sale in the actor’s usual advertisement space within the closed-door cybercriminal forum Exploit.
▌ sweetMika7, a threat actor running bulletproof hosting services, has offered seven days of service for free to existing customers in light of the COVID-19 situation.
▌ Fireburn, a fraudster in a Russian-speaking forum, showed some compassion in their comment on the threat actors offering fake COVID-19 maps leading to malware infections: “I have decided to stay clear of this [targeting using COVID-19 themed attacks]. That’s not like whacking $500 of PayPal or stealing PornHub accounts. At first I thought it’ll be great with all the hype, but then I realized it’s a tragedy and not just some mindless panic. I suggest everyone to stop exploiting this unfortunate event. I will also ask my customers to switch from COVID-19 landing pages to others.”
▌ A threat actor running an online market selling high-capacity mailing server capabilities is offering a 20 percent discount promotion code, “COVID-2019,” in light of the situation, and asks fellow threat actors to stay home.
▌ Turnchoks, a fraudster in a Russian-language forum, expressed interest in obtaining COVID-19-themed phishing lures for their own use.
▌ madmobile, in response to popular demand, has offered the sale of two false COVID-19-themed landing pages for the actor’s Android inject service. madmobile offers injects as part of their own Trojan or for others to deploy via other Trojans. madmobile’s landing pages are well crafted and therefore may cause victims to click on malicious links, making such pages especially threatening since they can deploy via multiple banking Trojans that actors are currently using to target major mobile banking apps. Moreover, according to data madmobile provided between January 23 and April 19, 2020, the actor has seen an explosive increase in the sale of their services, including 55,000 installations in April alone.
▌ Mattcox is a threat actor who has participated in a Dark Web market known for attacking Canadian entities. iDefense observed this actor offering a COVID-19-themed phishing kit targeting Canada Emergency Response Benefit (CERB), which provides income support for Canadian citizens whose incomes the pandemic has affected. The phishing lure, which Mattcox is selling for US$53, enables an attacker to set up a fake CERB application form. The threat actor stated that the lure supports 16 different Canadian banks, and asks recipients for an extensive amount of PII, such as security questions, Social Security numbers, birth dates, and more.
▌ makdos92 is a threat actor who has participated in a closed-access cybercrime forum. iDefense observed this actor having posted a download link to a database containing usernames and passwords for the website of the San Raffaele Hospital (HSR) cluster in Italy. The database contained 2,125 credentials to the hospital chain’s website, http://hsr.it, which allows access to patients’ PII and medical history. The Italian branch of the hacking group LulzSec originally tweeted a link to the data prior to makdos92’s posting.

COVID-19-RELATED INDICATORS OF COMPROMISE (IOCS)

Please see the IoC addendum (Accenture_SITREPaddendum_IoCs_20200601_v12.docx).

VPN VULNERABILITIES

With increased use of VPNs, iDefense recommends organizations review their VPN security postures. Employee remote access to company networks has caused an increase in VPN traffic. To limit the resulting bandwidth costs, the configuration most organizations use is a “split-tunnel” configuration. In this configuration, a VPN client connects a user to the organization only for the resources it needs from that organization and connects the user directly to the Internet for everything else. This setup saves a lot of bandwidth for organizations. Split-tunnel VPN configurations also lead to decreased monitoring from an organization’s information security (infosec) team, as infosec teams will only be able to see organization-bound traffic, with no visibility into direct Internet traffic from remote hosts. iDefense recommends reviewing VPN configurations to make sure there are no unwitting DNS leaks of internal hostnames.

Since 2018, a handful of VPN vulnerabilities have become issues due to publicly available proof-of-concept exploits. This handful includes vulnerabilities in products from Citrix, Pulse Secure, Palo Alto Networks and Fortinet. Actors behind targeted attacks have also previously used some of these vulnerabilities. iDefense actively monitors new exploits related to VPN applications and appliances and recommends patching and upgrading VPN applications to mitigate these threats. To mitigate VPN vulnerabilities, iDefense recommends:

▌ Applying patches to VPN servers.
▌ Upgrading to the latest firmware and operating system. After updating firmware and before reconnecting to an external network, iDefense recommends:
▌ Resetting VPN credentials.
▌ Revoking and generating new VPN server keys and certificates.

To harden VPN servers, iDefense recommends:

▌ Checking configurations to ensure no traffic leaks in split-tunnel configurations.
▌ Only using strong TLS (1.2 or greater) for SSL VPN servers.
▌ Avoiding self-signed certificates.
▌ Always using multi-factor authentication.
▌ Ensuring logging is enabled; include access, configuration and netflow information.
▌ Disabling any VPN management interfaces on external VPN interfaces.
▌ Disabling VPN server services not required.
▌ Dropping connections from countries in which no users connect.
▌ Analyzing logs and network traffic regularly to look for attack patterns and anomalous network traffic.
▌ Securing VPN Web applications by deploying a Web application firewall before it to inspect incoming traffic for attack patterns.
▌ Deploying an in-line distributed denial of service (DDoS) solution to scrub network traffic before it reaches VPN servers, for mission-critical networks.

SCALABILITY: PREPAREDNESS FOR DDOS ATTACKS AND SURGE IN DEMAND FOR CLOUD COMPUTING

Massive increases in bandwidth consumption put most organizations at risk of DDoS attacks. Organizations that previously had over-provisioned bandwidth to deal with potential DDoS attacks have begun to use it for remote employees. This has led to decreases in bandwidth available to defend against DDoS attacks. With most of the workforce telecommuting, DDoS attacks have strong potential to cause operational downtime issues for organizations. There are ways to protect against DDoS attacks, but such techniques require advance preparation. An organization’s size may determine its options for DDoS protections. For example, medium-sized organizations can use appliances that provide in-line protection by scrubbing attack traffic. Organizations that see large-scale volumetric attacks would be better protected by scrubbing attack traffic at upstream providers, but doing so requires such organizations to revise their routing configurations. Advance planning and preparedness to protect against DDoS attacks will make a huge difference.
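Several of the VPN hardening points above (the split-tunnel DNS leak, the TLS 1.2 floor, management interfaces exposed on external addresses, and logging) can be checked mechanically against a server configuration file. The following Python script is an added example, not code from this report or from iDefense; it parses OpenVPN-style directives (tls-version-min, redirect-gateway, dhcp-option DNS, block-outside-dns, management, log-append and status are real OpenVPN directive names), and the two configurations and the finding codes are constructed for the demonstration. Points that cannot be judged from this file alone, such as multi-factor authentication and whether the server certificate is self-signed, are out of its scope.

```python
"""Audit an OpenVPN-style server.conf against the VPN hardening points above.

Added example: the configurations below are constructed and the finding
codes are this script's own, not iDefense's.
"""
import shlex

# Constructed: a cost-saving split-tunnel server with the weak settings.
WEAK_CONFIG = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# only corporate ranges go through the tunnel; the internal resolver is pushed anyway
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.0.0.53"
tls-version-min 1.0
# management plane bound to every interface, including the external one
management 0.0.0.0 7505
"""

# Constructed: the same server after applying the recommendations.
HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# full tunnel: all client traffic is visible to the infosec team
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.53"
# Windows clients may not query resolvers outside the tunnel
push "block-outside-dns"
tls-version-min 1.2
management 127.0.0.1 7505
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log 60
verb 4
"""


def parse_directives(text):
    """Return (scope, name, args) triples; directives inside push "..." get scope 'push'."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        if tokens[0] == "push" and len(tokens) > 1:
            inner = tokens[1].split()
            out.append(("push", inner[0], inner[1:]))
        else:
            out.append(("server", tokens[0], tokens[1:]))
    return out


def audit(config_text):
    """Return sorted (code, message) findings; an empty list means nothing was flagged."""
    directives = parse_directives(config_text)
    server = {name: args for scope, name, args in directives if scope == "server"}
    pushed = [(name, args) for scope, name, args in directives if scope == "push"]
    pushed_names = {name for name, _ in pushed}
    findings = []

    # TLS floor: anything below 1.2 (or unset, which allows older versions) is flagged.
    floor = server.get("tls-version-min")
    if floor is None or float(floor[0]) < 1.2:
        shown = floor[0] if floor else "unset"
        findings.append(("TLS_FLOOR", f"tls-version-min is {shown}; require 1.2 or greater"))

    # Split tunnel that hands out an internal resolver without forcing DNS through
    # the tunnel: queries for internal hostnames can reach the client's other resolvers.
    split_tunnel = "redirect-gateway" not in pushed_names
    internal_dns = any(n == "dhcp-option" and a[:1] == ["DNS"] for n, a in pushed)
    if split_tunnel and internal_dns and "block-outside-dns" not in pushed_names:
        findings.append(("SPLIT_TUNNEL_DNS",
                         "split-tunnel pushes an internal resolver without block-outside-dns; "
                         "internal hostnames may leak to other resolvers"))

    # Management interface must be on loopback or a unix socket, never an external address.
    mgmt = server.get("management")
    if mgmt and not mgmt[0].startswith("/") and mgmt[0] not in ("127.0.0.1", "::1", "localhost"):
        findings.append(("MGMT_EXPOSED",
                         f"management interface bound to {mgmt[0]}; bind to loopback or a unix socket"))

    # Access logging: at least one of log, log-append or status must be present.
    if not any(d in server for d in ("log", "log-append", "status")):
        findings.append(("NO_LOGGING", "no log, log-append or status directive; access events are not recorded"))

    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for code, message in audit(cfg):
            print(f"  {code}: {message}")
```

A split-tunnel configuration is not flagged by itself; only the combination of split routing, a pushed internal resolver and no block-outside-dns produces SPLIT_TUNNEL_DNS, so a deliberately split tunnel that forces DNS through the tunnel passes clean. The TLS check treats an unset floor as a finding because the server then accepts whatever older version the client negotiates.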

Since the WHO declared COVID-19 a pandemic, data center support teams have seen an increase in demand, leading to data center memory shortages. Organizations should plan to try to meet their cloud computing and data center resource needs and budget accordingly.

CYBERTHREAT ACTORS WILL TAKE FULLEST POSSIBLE ADVANTAGE OF RECENT HIGH-IMPACT VULNERABILITIES

Crisis conditions create short-term opportunities for cyberthreat actors. These actors are most likely to rely on recently announced vulnerabilities that targeted organizations may not have had time to fully patch. These will likely include the following high-severity vulnerabilities from the March 2020 Microsoft Security Bulletin, which iDefense recommends patching as quickly as possible: CVE-2020-0684, CVE-2020-0768, CVE-2020-0807, CVE-2020-0811, CVE-2020-0812, CVE-2020-0816, CVE-2020-0823, CVE-2020-0824, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0847, CVE-2020-0848, CVE-2020-0850, CVE-2020-0851, CVE-2020-0855, CVE-2020-0881, CVE-2020-0883, CVE-2020-0892 and CVE-2019-11510.

US GOVERNMENT WARNS OF TOP VULNERABILITIES

On May 12, 2020, the US Department of Homeland Security’s (DHS’) Cybersecurity and Infrastructure Security Agency (CISA) issued an alert naming top vulnerabilities that state, non-state and unattributed cyberthreat actors routinely exploit. The top 10 vulnerabilities in the 2016-2019 period were as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641 and CVE-2018-7600. Additionally, in 2020, cyberthreat actors were targeting unpatched VPN vulnerabilities CVE-2019-19781 and CVE-2019-11510, CISA wrote. The CISA alert also noted that cyberthreat actors were taking advantage of WFH arrangements to target poorly configured cloud collaboration services such as Microsoft Office 365. The CISA alert (https://www.us-cert.gov/ncas/alerts/aa20-133a) suggested mitigations for the noted vulnerabilities.

STATE-SPONSORED CYBERTHREAT ACTIVITY RATE STEADY; PREDICTED TO AFFECT HEALTHCARE-RELATED ORGANIZATIONS AND SERVICE GOVERNMENT REQUIREMENTS FOR INFORMATION AND INFORMATION CONTROL

After reviewing iDefense intelligence, open-source and government reporting, iDefense analysts have detected no change in state-sponsored cyberthreat activity related to the COVID-19 outbreak as of March 11, 2020. It should be noted that during the 2009 H1N1 outbreak, there was no noticeable reduction in what was presumably state-sponsored cyberthreat activity. The expectation is that military and intelligence units are following strict infection control measures, as cyberespionage is a critical defense and economic development enabler for certain affected governments.

The effect of the pandemic on APT activity appears mixed as of March 17, 2020. On the one hand, Israeli media have noted a lull in regional activity originating from Iran, which could extend to cyberthreat activity. On the other hand, the virus panic serves as merely the latest tool in ongoing attempts to spy on, discredit and weaken adversary governments. Additional groups, including those based in or operating from Vietnam, North Korea and Russia, among others, are using virus fears as a lure in phishing campaigns targeting regional rivals.

Despite this steady rate of state-sponsored cyberthreat activity, healthcare providers, vaccine developers, and government health and executive agencies have been targets of cyberespionage and . It is unclear whether the uptick in ransomware attacks is geopolitically motivated or not. If disruptive, financially motivated activity, including ransomware activity, continues to increase, prime targets (as in past activity) would include hospital groups, pharmaceutical labs, and crisis response agencies at the state and local levels. The healthcare and public health sectors, as well as other critical infrastructure sectors, remain attractive targets to adversaries, and entities in those industries should maintain heightened awareness. Ransomware actors have taken advantage of the stress COVID-19 has had on medical organizations, likely seeking to extort higher ransoms. A Czechia hospital and an Illinois public health agency have each reported ransomware attacks related to COVID-19. The MailTo (Netwalker) malware the Illinois agency identified was recently used against an Australian logistics company, suggesting malicious actors are using the ransomware opportunistically rather than choosing medical targets (https://www.cyberscoop.com/czech-hospital-cyberattack-coronavirus/; https://www.theregister.co.uk/2020/03/12/ransomware_illinois_health/).

Governments generally face pressure to obtain reliable pandemic information and control public information to minimize panic. As a result, state-sponsored cyberthreat actors will likely ramp up their efforts to gather controlled information from other governments, and some may use authorities to crack down on public information dissemination outlets domestically. Companies involved in healthcare and public services may find themselves in the crosshairs of these information-gathering efforts, which will not likely threaten such operations, but which could endanger the reliability of data that unauthorized parties access. Some state-sponsored threat groups have launched COVID-19-themed disinformation and influence operations to achieve political or economic goals. Please refer to iDefense’s “2019 Cyber Threatscape Report” addressing “disinfodemics,” which are epidemic-related disinformation threats.

CONTINUED ESPIONAGE, DISRUPTION AND DISINFORMATION AMONG STATES; CIVIL LIBERTY AND PRIVACY CONCERNS; CYBERSECURITY COMMUNITY FIGHTS BACK

As governments ramp up measures to contain COVID-19, they find it challenging to collect accurate data, stave off criminal opportunists, provide credible messages to their own populations, cooperate with other governments in tackling the virus, and balance public health with privacy and civil liberties concerns, noted below:

▌ Cyberespionage may increase as governments race to develop vaccines and tests, and as some attempt to lessen their dependence on foreign-made pharmaceuticals.
▌ Cybercriminals are targeting critical responders. Media have reported Netwalker ransomware attempts against a hospital and a government health agency, and persistent phishing campaigns against the WHO. Cybercriminal underground activity suggests more ransomware attempts in the future.
▌ Criminal activity is prompting swift public and private responses. Cybersecurity researchers have taken the initiative to share evidence and analyses of COVID-19-related cyberthreat activity and have even threatened retaliation against anyone targeting hospitals. The US Department of Justice has begun cracking down on COVID-19 fraud, as the prospect of US government relief payments has spawned the trade of stolen US identity documents. Underground activity shows cybercriminals are planning to target relief payments in the United States and United Kingdom at a minimum .

CYBERESPIONAGE CONTINUES, DESPITE SOFTER RHETORIC; SOCIAL STRAIN PROMPTS FURTHER INTERNET RESTRICTIONS

In the week of April 1-7, 2020, the leaders of Russia and China discussed cooperation in phone calls with their US counterpart, signaling a softening of their harsh rhetoric of the week before. As Russia and Iran win support from UN officials for the easing of sanctions against them, these two countries may refrain from identifiable aggression in cyberspace in the hopes of attaining this long-held goal through diplomatic means. Nevertheless, ongoing cyberespionage campaigns have not abated during the pandemic, as new reports indicate. Jorge Mieres, a threat intelligence researcher for MalwareIntelligence in Argentina, has purportedly observed a COVID-19-themed phishing campaign by WINTERFLOUNDER, reportedly operating out of Russia, appearing to target Ukrainian entities (https://twitter.com/jorgemieres/status/1244052428812701698).

As restricted movement pressures food supply chains, disruptions could prove fertile ground for Internet-based fraud. As an example, some customers seeking home food delivery have received malicious messages claiming there was a problem with their orders, requiring those recipients to provide their addresses and credit card information to resolve the supposed issue.

CONCERNS OVER CYBERCRIME, ESPIONAGE, AND DESTRUCTIVE ACTIVITY REMAIN

COVID-19-related economic, social and political disruptions bring new risks, as cybercrime and disease surveillance evolve in response. International tensions continue. Evidence, such as the following, continues to emerge about cyberespionage and possible state-sponsored destructive activity:

▌ Cybercrime Risks for Government Programs Evolving: Governments, in collaboration with the private sector, are quickly building and scaling relief programs, thereby creating a new attack vector, especially for attacking small- and medium-sized businesses.

▌ Cybercrime Risks for Collaboration Tools Evolving: The massive increase in telework, telehealth services and online classes is stressing some platforms and, in some cases, highlighting security and privacy concerns.

▌ Espionage Continues: After an apparent lull in Iranian cyberthreat activity, Reuters reported a phishing campaign targeting WHO employees' personal e-mail accounts, starting on March 2 and involving malicious websites with prior links to Iranian state-sponsored groups. It is unclear whether attackers successfully compromised any of the WHO e-mail accounts (https://www.reuters.com/article/us-health-coronavirus-cyber-iran-exclusi/exclusive-hackers-linked-to-iran-target-who-staff-emails-during-coronavirus-sources-idUSKBN21K1RC).

▌ Possible Case of Border Gateway Protocol (BGP) Hijacking: On April 1, 2020, Internet traffic for over 200 networks, affecting Google, Amazon, Facebook and others, was reportedly redirected through Rostelecom, Russia's state-owned telecommunications provider (https://www.zdnet.com/article/russian-telco-hijacks-internet-traffic-for-google-aws-cloudflare-and-others/). This could have been accidental; if it was intentional, it would have allowed Rostelecom to intercept traffic or to spoof legitimate IP addresses for spamming.

▌ Disruptive Attacks Continue with Possible State Influence in Targeting: Microsoft has warned of ongoing human-operated ransomware attacks with malware such as Sodinokibi (a.k.a. REvil). Ransomware actors such as GandCrab (thought to control Sodinokibi) have paid deference to Russian government strategic priorities (https://www.accenture.com/_acnmedia/pdf-107/accenture-security-cyber.pdf); state priorities could influence cybercriminals in their choices of targets and timing of ransomware attacks during the COVID-19 pandemic (https://dragos.com/resource/spyware-stealer-locker-wiper-lockergoga-revisited/).

▌ Potential Iranian Threat: A February 2020 FBI alert warned of a campaign using the Kwampirs remote access Trojan (https://isc.sans.edu/diaryimages/Kwampirs_PIN_20200330-001.pdf). Actors used Kwampirs against healthcare organizations and health-sector industrial control systems (ICS) as well as supply chains affecting numerous sectors. This malware has some code overlap with the Iran-linked wiper, although the FBI did not see destructive code in Kwampirs and did not accuse Iran of being behind the malware.

DISINFORMATION, US AND UK WARNING, AND RISKS TO GOVERNMENT RELIEF EFFORTS

DISINFORMATION SPAWNS PHYSICAL ATTACKS

Extremists have used social media, drawing upon the COVID-19 pandemic, to threaten and urge violence against Muslims in India (https://www.reuters.com/article/us-health-coronavirus-india-paranoia-ins/vitriol-and-violence-a-coronavirus-death-exposes-paranoia-in-india-idUSKBN21G076). Additionally, extremist groups are leveraging social media to scapegoat and target Jews, blacks, immigrants, politicians and law enforcement (https://www.vox.com/identities/2020/3/25/21190655/trump-coronavirus-racist-asian-americans; https://www.washingtonpost.com/national-security/far-right-wing-and-radical-islamist-groups-are-exploiting-coronavirus-turmoil/2020/04/10/0ae0494e-79c7-11ea-9bee-c5bf9d2e3288_story.html).

In the United Kingdom, false social media reports blaming COVID-19 on 5G communications technology spawned attacks on 5G telephone masts and telecommunications company engineers. Well-organized networks of inauthentic social media accounts, in a pattern reminiscent of state-backed disinformation campaigns, initiated the campaign, according to Marc Owen Jones, a researcher at Hamad bin Khalifa University in Qatar. Since at least 2016, media sources like the website InfoWars and Russian state broadcaster RT have spread conspiracy theories linking 5G technology with various health risks, according to Bloomberg (https://www.bloomberg.com/news/articles/2020-04-09/covid-19-link-to-5g-technology-fueled-by-coordinated-effort).

JOINT US-UK ALERT OF COVID-19-THEMED ATTACKS

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) issued a joint alert on April 8 summarizing criminal and state-sponsored cyberthreat activity exploiting the COVID-19 crisis. The alert included summaries of phishing and short message service (SMS) phishing campaigns that facilitate credential theft or the deployment of malware such as the Agent Tesla keylogger, the TrickBot malware, remote access Trojans or ransomware. Cyberthreat actors have also exploited the increased use of remote collaboration tools, launching phishing websites that spoof teleworking

platforms or launching attacks on unsecured Remote Desktop Protocol (RDP) endpoints (https://www.us-cert.gov/ncas/alerts/aa20-099a). The US-UK joint alert brings together lists of IoCs and public resources, many of which iDefense has already published as part of this SITREP series.

GOVERNMENT EFFORTS FACE CYBERSECURITY RISKS DUE TO COVID-19

Cybersecurity researchers in various countries have pointed out vulnerabilities in government relief program websites (https://krebsonsecurity.com/2020/04/new-irs-site-could-make-it-easy-for-thieves-to-intercept-some-stimulus-payments/) and privacy risks in government response programs (https://twitter.com/safe_runet/status/1249050167690645514; https://www.theguardian.com/world/2020/apr/12/uk-government-using-confidential-patient-data-in-coronavirus-response).

Even sites without clear vulnerabilities have faced issues. For example, on April 10, Dutch police arrested a 19-year-old for suspected DDoS attacks on Dutch government sites that provide information on COVID-19 (https://securityaffairs.co/wordpress/101502/cyber-crime/ddos-for-hire-shutdown.html). In another case, users applying for benefits on an Italian social security website faced service delays and sometimes saw other people's personal data displayed on their screens, during what initially appeared to be a cyberattack but may have been due to overloading of the site (https://www.reuters.com/article/us-health-coronavirus-italy-cybercrime/italys-social-security-website-hit-by--attack-idUSKBN21J5U1).

The COVID-19 pandemic has affected government plans in other ways as well, such as the North American Electric Reliability Corp.'s (NERC's) request that the US Federal Energy Regulatory Commission (FERC) delay enforcement of supply-chain cybersecurity standards due to pandemic-related work disruptions (https://www.eenews.net/stories/1062807343).

COVID-19 CYBERCRIME AND POLITICAL TARGETING MOUNT AS COUNTRIES TRADE BLAME

COVID-19-THEMED CYBERCRIME STATISTICS SOAR

There has been a clear increase in cybercrime exploiting the COVID-19 environment. Software and cybersecurity company VMware Carbon Black observed a 148 percent increase in ransomware attacks (https://www.carbonblack.com/2020/04/15/amid-covid-19-global-orgs-see-a-148-spike-in-ransomware-attacks-finance-industry-heavily-targeted/), while Google saw 18 million COVID-19-related malware and phishing e-mails daily over the week prior to its April 16 report (https://cloud.google.com/blog/products/identity-security/protecting-against-cyber-threats-during-covid-19-and-beyond). Additionally, an FBI official said cybercrime reports to the FBI Internet Crime Complaint Center (IC3) website had risen from 1,000 daily a few months ago to 3,000-4,000 daily, with these complaints including a "good number" of COVID-19-related scams (https://news.yahoo.com/fbi-tracking-explosion-in-cybercrime-and-espionage-related-to-the-coronavirus-pandemic-200555069.html).

CYBERESPIONAGE CONTINUES

Several cases indicate that cyberespionage related to COVID-19 has continued during this reporting period:

▌ A new campaign deploying the remote access Trojan PoetRAT targeted the government and utilities sectors in Azerbaijan, specifically targeting energy companies' supervisory control and data acquisition (SCADA) systems; the threat actors behind it likely sought credentials from Azerbaijan government officials, Cisco Talos reported (https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html).

▌ The FBI reported an uptick in "reconnaissance activity, and some intrusions" by unnamed state-backed hackers the FBI believes were likely seeking to steal intellectual property. These actors hacked into the systems of organizations engaged in biopharmaceutical research related to COVID-19 (https://www.reuters.com/article/health-coronavirus-cyber/update-1-foreign-state-hackers-target-u-s-coronavirus-treatment-research-fbi-official-idUSL1N2C41ZG).

▌ As nations and companies plan to improve resilience by reshaping supply chains, industrial espionage could increase (https://asia.nikkei.com/Editor-s-Picks/China-up-close/Xi-fears-Japan-led-manufacturing-exodus-from-China).

DISRUPTION AND EXTORTION AGAINST HEALTHCARE ORGANIZATIONS CONTINUES

The group behind the Maze ransomware leaked sample documents from patient payment services company Healthcare Fiscal Management Inc. (https://medium.com/@cyble/maze-ransomware-breached-healthcare-fiscal-management-inc-e4dd0ac8c5d3). On April 16, Czechia cybersecurity

officials warned of an unnamed "serious, advanced adversary" that had conducted spear phishing in advance of a "large-scale campaign of serious cyberattacks" on Czechia government- and health-related systems. The officials listed samples of malicious COVID-19-themed Windows documents that dropped malware capable of corrupting computers' master boot records (https://www.reuters.com/article/uk-czech-cyber/czechs-warn-of-imminent-large-scale-cyberattacks-on-hospitals-idUKKBN21Z00N). Czech officials did not name the adversary, but Czechia and Russia have been involved in diplomatic tensions in recent weeks (https://news.expats.cz/weekly-czech-news/russian-extremists-attack-czech-embassy-in-moscow-over-pragues-removal-of-konev-statue/). In the following days, several hospitals and the Prague airport reportedly blocked cyberattacks (https://www.reuters.com/article/us-czech-cyber/prague-airport-says-thwarted-several-cyber-attacks-hospitals-also-targeted-idUSKBN2200GW).

ANTI-SURVEILLANCE ACTIVISM DAMAGES TELECOMMUNICATIONS SYSTEMS AGAIN

On April 14, the self-styled German anarchist collective Volcano Group claimed responsibility for a fire that damaged underground communications cables in Berlin that morning. An English-language version of the Volcano Group statement, on an anarchist blog post under the motto "Shut Down the Power / Sabotage Digital Infrastructure," said the group had damaged cables used by the Heinrich Hertz Institute, co-developer of an app tracing users' contact with those known to have COVID-19 infections, doing so in protest against the "repressive regulation of the population." The statement said the fire had also disrupted communications of nearby "climate killer" car dealerships (https://anarchistsworldwide.noblogs.org/post/2020/04/15/berlin-germany-arson-sabotage-attack-against-developers-of-the-new-corona-app/; https://www.morgenpost.de/berlin/polizeibericht/article228909289/Linke-Gruppe-bekennt-sich-zu-Brandstiftung.html). Eventually, the German government abandoned the Hertz Institute's contact tracing app in favor of a different app (https://www.reuters.com/article/us-health-coronavirus-europe-tech-idUSKCN22807J).

TRADING BLAME ONLINE

Political messaging efforts continue. Social media analysis company Graphika reported on a campaign by a pro-Iranian news aggregator with the goal of amplifying content blaming the US for the pandemic's spread and praising China's work in limiting the disease (https://graphika.com/reports/irans-iuvm-turns-to-coronavirus/). Conversely, a "geopolitical Twitter war" has broken out between users in Thailand, Taiwan, Hong Kong and the Philippines and those in China, following a tweet claiming the virus may have originated in a Chinese laboratory (https://www.scmp.com/news/asia/southeast-asia/article/3079895/model-weeraya-sukarams-coronavirus-comment-sparks-twitter).

SECURITY ISSUES BEDEVIL GOVERNMENT EFFORTS AS COVID-19 PANDEMIC HEIGHTENS PRIOR COMPROMISE RISKS

New reports have detailed fraud involving COVID-19-related websites, including various governments' websites set up for relief payments:

▌ The FBI reported on April 22 that its IC3 had received over 3,600 complaints of COVID-19-related scams as of April 21. These scams included websites advertising fake vaccines, fake cures and fraudulent charity drives, as well as compromised legitimate websites; some of these domains harvested users' banking credentials or dropped malware. In addition, the FBI observed spoofed versions of domains the US Internal Revenue Service (IRS) set up to receive applications for COVID-19-related stimulus payments. The FBI noted that private sector cybersecurity researchers have helped enormously by identifying malicious domains and referring them to law enforcement for investigation. Cooperation between law enforcement, researchers and Internet domain registrars has led to the shutdown of hundreds of fraudulent domains (https://www.justice.gov/opa/pr/department-justice-announces-disruption-hundreds-online-covid-19-related-scams).

▌ US relief efforts have prompted a rise in identity theft. The New York Times reported that calls to the Identity Theft Resource Center, a San Diego nonprofit organization, soared 850 percent between March 2019 and March 2020. Threat actors can use stolen personal data, which they can purchase easily online, to apply for other people's unemployment and stimulus checks (https://www.nytimes.com/2020/04/22/technology/stimulus-checks-hackers-coronavirus.html).

▌ On April 21, the UK's National Cyber Security Centre announced it had taken down 2,000 COVID-19-related scams, including 471 fake online shops, and that it had launched a suspicious e-mail reporting service and a cyber-awareness education campaign (https://www.ncsc.gov.uk/news/public-urged-to-flag-covid-19-threats-new-campaign).

▌ A US Department of Defense cybersecurity program reported learning from a defense contractor that "a U.S. government Central Authentication Service login service was using a web service as an open redirect (proxy) to commit COVID-19 phishing" (https://www.defense.gov/Explore/Inside-DOD/Blog/Article/2156128/cyber-criminals-dont-brake-for-pandemics).

▌ Through its own research, iDefense analysts identified a phishing website exploiting the COVID-19 pandemic as a lure to collect login credentials for customers of major Canadian banks. The actor-created main page presents what looks like the website for the Canada Emergency Response Benefit, a government relief program.

Cybersecurity lapses in government pandemic relief and control measures have resulted in the leaking of personal information:

▌ The US Small Business Administration (SBA) discovered on March 25 that its Economic Injury Disaster Loan (EIDL) application website may have inadvertently disclosed applicants' Social Security numbers, income amounts, names, addresses, and contact information to other program applicants, according to a letter it sent to applicants. The SBA confirmed on April 21 to media outlet Politico that the breach affected 7,900 EIDL program applicants and that the agency had relaunched the application portal after taking it offline to resolve the problem (https://www.washingtonpost.com/business/2020/04/21/sba-data-loan-small-business/; https://subscriber.politicopro.com/employment-immigration/whiteboard/2020/04/sba-data-breach-compromises-business-owners-data-3979643).

▌ A blockchain-based COVID-19 tracking app the Netherlands government reviewed accidentally leaked personal data when its code was published for public comment, according to RTL Nieuws (https://www.rtlnieuws.nl/tech/artikel/5095321/covid19-alert-datalek-crypto-digibyte-coronavirus-ministerie-app).

Cybercrime and cyberespionage involving health and public service organizations continues:

▌ iDefense and other researchers have observed the threat group or actor the0time (Zero Time) offering for sale on multiple underground forums the source code and experimental data for artificial intelligence (AI)-assisted COVID-19 detection technology that a prominent Chinese AI company developed (https://www.forbes.com/sites/zakdoffman/2020/04/26/chinese-covid-19-detection-firm-just-got-hacked-data-for-sale-on-dark-web-new-report/#4b9b08ee5dec).

▌ Previously reported cyberespionage activity by the Vietnam-based group POND LOACH against Wuhan health authorities and other Chinese government targets included the METALJACK remote-access malware, according to a new report (https://www.reuters.com/article/us-health-coronavirus-cyber-vietnam-idUSKCN2241C8).

▌ An April 22 report from Google's Threat Analysis Group detailed activity using spoofed versions of the WHO login page, likely designed to harvest login information from health organizations. Referring to previously reported activity appearing to originate from Iran, Google assessed that this "is consistent with" the threat group that iDefense tracks as SKATE. Google also identified similar activity from a South American actor known as Packrat, which iDefense tracks as RATFISH (https://blog.google/technology/safety-security/threat-analysis-group/findings-covid-19-and-online-security-threats/). In the past, RATFISH has reportedly carried out espionage and disinformation campaigns as part of political conflict in Latin America (https://citizenlab.ca/2015/12/packrat-report/).

▌ Google reported a slight decrease in government-backed phishing e-mail volumes in March compared to January and February, possibly linked to quarantine-related staffing shortages. Google also reported having observed a government-backed campaign targeting US government employees' personal e-mail accounts (https://blog.google/technology/safety-security/threat-analysis-group/findings-covid-19-and-online-security-threats/). In this campaign, phishing messages included links for free meals and coupons in response to COVID-19, or for purported online delivery services; the linked pages harvested users' Google account credentials.

The COVID-19 crisis highlights risks associated with previous infections:

▌ As a reminder of the continuing ransomware threat to hospitals, an April 16 alert from DHS' CISA noted that the Pulse Secure VPN vulnerability tracked as CVE-2019-11510 continues to be a threat even after it is patched. Based on incidents at US government and commercial entities, CISA observed threat

actors obtaining plaintext Active Directory credentials after exploiting CVE-2019-11510 to gain access; threat actors can reuse those credentials even after organizations patch the VPN vulnerability if the organizations fail to change the stolen credentials. One threat actor made 30 unsuccessful attempts to connect to a target environment using compromised credentials, then gave up and attempted to sell the stolen credentials; CISA had previously observed this persistent threat actor successfully dropping ransomware on hospitals and US government targets (https://www.us-cert.gov/ncas/alerts/aa20-107a).

▌ On April 21, 2020, cybersecurity organization Team Cymru and Finnish company Arctic Security reported that research focusing on nine European countries and the United States found a surprising number of compromised corporate systems "lying dormant" behind corporate firewalls. After WFH policies went into effect and employees began to use VPNs to connect to corporate networks from outside their organizations' secure perimeters, the previously compromised systems made malicious connections that the organizations' firewalls would normally have blocked (https://www.businesswire.com/news/home/20200421005295/en/Team-Cymru-Arctic-Security-Reveal-Number-Compromised; https://arcticsecurity.com/news/2020/04/17/number-of-potentially-compromised-organizations-more-than-doubles-since-january/).

Cyberthreat operations form a small subset of widespread fraud and self-dealing by numerous actors taking advantage of government spending on pandemic-related equipment and services worldwide; media reports indicate that actors are carrying out identity theft, kickbacks, price-gouging and no-bid contracts in many countries (https://www.msn.com/en-us/news/world/a-pandemic-of-corruption-dollar40-masks-questionable-contracts-rice-stealing-bureaucrats-mar-coronavirus-response/ar-BB13dWG0?li=BBnb7Kz). Brokers who formerly dealt in cryptocurrency, financial technology and medical marijuana have flooded LinkedIn with fraudulent offers to procure scarce protective equipment from China (https://www.wired.com/story/linkedin-coronavirus-medical-equipment-ppe-shortage/; https://www.chinalawblog.com/2020/04/new-and-improved-china-ppe-scams.html).

CONTINUED FRAUD AND ESPIONAGE AGAINST GOVERNMENT RELIEF EFFORTS AND RESEARCH, RANSOMWARE AGAINST HOSPITALS, AND PRIVACY FLAWS IN DISEASE SURVEILLANCE TOOLS

LATE MAY STATISTICS SHOW CONTINUED HIGH LEVELS OF COVID-19-RELATED CYBERTHREAT ACTIVITY

Accenture's Cyber Investigation and Forensics Response (CIFR) incident response team has seen an approximately 25 percent increase in incidents, year over year, for the period of January-May 2020 compared to January-May 2019. Accenture does not have data to prove the year-over-year uptick is strictly related to COVID-19; the majority of the increase reflected incidents related to ransomware, account takeover (ATO), and business e-mail compromise (BEC) attacks. However, the timing of these events suggests a link with the pandemic, as most of the activity occurred in March and April 2020.

In a May 29 briefing, US Administration officials told a US Congressional subcommittee that the FBI's IC3 had received almost 10,000 complaints about COVID-19-related scams since the start of the outbreak, nearly tripling the figure reported on April 21. They added that CISA had blocked 7,000 malicious Internet domains used to collect sensitive information (https://oversight.house.gov/news/press-releases/agencies-brief-national-security-subcommittee-on-cybersecurity-risks-during). Israel-based cybersecurity firm Check Point reported on May 12 that in the past three weeks it had observed COVID-19-related cyberthreat activity rise 30 percent, to an average of 192,000 incidents per week (https://blog.checkpoint.com/2020/05/12/coronavirus-cyber-attacks-update-beware-of-the-phish/).

Data on COVID-19-related phishing trends are mixed. US-based cybersecurity company Lastline reported on May 20 that it had seen a massive number of newly registered COVID-19-themed domains, but noted that only a fraction of those had been used in phishing attempts (https://www.lastline.com/labsblog/phishing-in-the-time-of-pandemic/). And US cyberthreat research firm CrowdStrike reported on May 26 that it had detected fewer COVID-19-themed malicious lure documents over the previous three weeks, instead seeing spam e-mails that only briefly refer to the pandemic (https://www.crowdstrike.com/blog/covid-19-cyber-threats/).
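The CISA observation above on CVE-2019-11510, that credentials stolen through the unpatched VPN stay usable after the appliance is patched, translates into a check a defender can automate: every account that authenticated through the VPN while it was exposed must have had its password set after the patch. The following Python script is an added example for this page, not code from the report or from CISA. The VPN authentication events, the Active Directory pwdLastSet values, the exposure window and the patch date are all constructed assumptions; in practice the events come from the appliance log and pwdLastSet from an LDAP query. The script also flags accounts that keep accumulating failed VPN logins after the patch, the pattern CISA describes for the actor that made 30 unsuccessful attempts with compromised credentials.

```python
"""Post-patch credential hygiene check for CVE-2019-11510 (added example).

Not code from the report or from CISA. The VPN authentication events, the AD
pwdLastSet values, the exposure window and the patch date below are constructed
assumptions; in practice the events come from the VPN appliance log and
pwdLastSet from an LDAP query against Active Directory.
"""
from collections import Counter
from datetime import datetime

# Assumed exposure window: from public exploit availability until the appliance was patched.
EXPOSURE_START = datetime(2019, 8, 24)
PATCH_TIME = datetime(2020, 1, 15)

# Constructed VPN authentication log: (ISO timestamp, account, result).
VPN_EVENTS = [
    ("2019-12-02T08:15:00", "alice", "success"),
    ("2020-01-10T19:42:00", "bob", "success"),
    ("2020-01-12T22:10:00", "svc_backup", "success"),
    ("2019-07-01T09:00:00", "dave", "success"),      # before the exposure window
    ("2020-02-01T07:00:00", "carol", "success"),     # after the patch
    ("2020-02-03T03:10:00", "alice", "failure"),     # repeated post-patch failures
    ("2020-02-03T03:11:00", "alice", "failure"),
    ("2020-02-03T03:12:00", "alice", "failure"),
]

# Constructed pwdLastSet values, already converted from AD's FILETIME format.
PWD_LAST_SET = {
    "alice": datetime(2019, 6, 1),       # exposed, never rotated -> at risk
    "bob": datetime(2020, 1, 20),        # exposed, rotated after the patch -> fine
    "carol": datetime(2019, 1, 1),       # only used the VPN after the patch
    "dave": datetime(2019, 1, 1),        # only used the VPN before the exposure window
    "svc_backup": datetime(2018, 3, 3),  # exposed service account, stale -> at risk
}


def parse(ts):
    return datetime.fromisoformat(ts)


def exposed_accounts(events, start, patch_time):
    """Accounts that authenticated successfully through the VPN during the exposure window."""
    return {acct for ts, acct, result in events
            if result == "success" and start <= parse(ts) < patch_time}


def accounts_needing_rotation(events, pwd_last_set, start, patch_time):
    """Exposed accounts whose password was last set before the patch.

    An exposed account with no pwdLastSet record is reported as well: an
    unknown rotation state has to be treated as unrotated, not skipped.
    """
    at_risk = []
    for acct in sorted(exposed_accounts(events, start, patch_time)):
        last_set = pwd_last_set.get(acct)
        if last_set is None or last_set < patch_time:
            at_risk.append(acct)
    return at_risk


def post_patch_failures(events, patch_time, min_failures=3):
    """Accounts with repeated failed VPN logins after the patch.

    This is the pattern CISA describes for the actor that kept retrying
    compromised credentials; it deserves an alert even though the logins fail.
    """
    counts = Counter(acct for ts, acct, result in events
                     if result == "failure" and parse(ts) >= patch_time)
    return sorted(acct for acct, n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    for acct in accounts_needing_rotation(VPN_EVENTS, PWD_LAST_SET, EXPOSURE_START, PATCH_TIME):
        print(f"rotate password and review sessions: {acct}")
    for acct in post_patch_failures(VPN_EVENTS, PATCH_TIME):
        print(f"repeated post-patch failures (possible credential reuse): {acct}")
```

Service accounts deserve particular attention in the output: they authenticate through VPNs and rarely have passwords rotated, so in this constructed data svc_backup is flagged alongside the interactive user who never changed a password.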

GOVERNMENT ALERTS WARN OF CONTINUED FRAUD AGAINST COVID-19 RELIEF PROGRAMS AND GOVERNMENT-SUPPORTED RESEARCH

In mid-May the US Secret Service circulated a memo to field offices describing a Nigerian identity theft ring that stole PII and used the data in fraudulent applications for unemployment benefits in numerous states, according to cybersecurity researcher Brian Krebs (https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/). At least six US states warned residents who applied for the Pandemic Unemployment Assistance Program (PUA) and other unemployment programs that glitches in the PUA websites briefly leaked their data to other applicants (https://www.nbcnews.com/tech/security/four-states-warn-unemployment-benefits-applicants-about-data-leaks-n1212431; https://www.scmagazine.com/home/security-news/kentucky-is-6th-state-to-disclose-leak-of-unemployment-claims-amid-covid-19/). Accenture has found no evidence of actors selling this data or otherwise exploiting it.

Bank of America acknowledged that sensitive data from a small number of loan applicants under the US government SBA's Paycheck Protection Program had been inadvertently exposed on a testing platform on April 22. The SBA reportedly re-secured the data within a day (https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/). Also reported on April 22, PII linked to 7,900 businesses that applied for Economic Injury Disaster Loans (EIDLs) may have been disclosed to other applicants of the program (https://www.infosecurity-magazine.com/news/us-covid19-relief-fund-leaks-data/).

At least nine supercomputer clusters throughout Germany, as well as in the United Kingdom and Spain, stood idle in mid-May after apparent cryptocurrency mining malware spread through academic computing networks via stolen SSH credentials. Many of these organizations had recently announced they were working on combating the COVID-19 outbreak, according to media reports (https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency).

CRIMINAL SPOOFING OF GOVERNMENT DOMAINS AND REPUTABLE MEDICAL INSTITUTIONS CONTINUES

Microsoft documented a COVID-19-themed campaign that started on or around May 12 and featured e-mails that appeared to come from the "Johns Hopkins Center," referring to the reputable US medical center. Malicious attachments used Excel 4.0 macros to deliver the NetSupport Manager remote administration tool, a legitimate tool attackers use for malicious purposes (https://twitter.com/MsftSecIntel/status/1262504864694726656). On May 19, 2020, a lure document referring to pandemic-related changes in the US Family and Medical Leave Act (FMLA) delivered the commodity banking malware BokBot (a.k.a. IcedID) (https://www.crowdstrike.com/blog/covid-19-cyber-threats/). A spoofed version of a Russian government services website promised quarantine-related relief money but stole user data, according to Russian Web developer Dmitriy Belyayev (https://twitter.com/CuamckuyKot/status/1258031345739104257).

CYBERESPIONAGE TARGETS GOVERNMENT PERSONNEL AND LABS CONDUCTING COVID-19-RELATED RESEARCH

The UK NCSC warned on May 3 that foreign states were attempting to steal vaccine and other COVID-19-related research data from British labs and universities. Such COVID-19-related intrusion attempts make up an increased proportion of all cyberthreat activity; however, activity against the UK overall had not increased during the pandemic (https://www.theguardian.com/world/2020/may/03/hostile-states-trying-to-steal-coronavirus-research-says-uk-agency). On May 5, the NCSC and the US CISA issued an update to their April 8 joint alert, warning of espionage against pharmaceutical companies, medical research organizations, and universities. They reported observing state-linked threat actors scanning target organizations' websites for unpatched vulnerabilities and using password spraying to gain access to corporate e-mail accounts (https://www.us-cert.gov/ncas/alerts/AA20126A).

According to Indian press reporting, the Indian Army warned personnel in late April to download the government's COVID-19 contact tracing app AarogyaSetu only from official sources, saying Pakistani intelligence operatives were distributing malicious, mimicked versions of the app (https://www.newindianexpress.com/nation/2020/apr/30/indian-army-issues-warning-as-pakistani-spies-use-aarogyasetu-app-to-target-personnel-2137475.html). Other media reports attributed similar activity to cybercriminals (https://timesofindia.indiatimes.com/city/bhubaneswar/cops-sound-warning-on-fake-aarogya-setu-app/articleshow/75585902.cms).
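Password spraying, which the May 5 CISA/NCSC update reports against corporate e-mail accounts, is detectable from authentication logs because its signature is the inverse of a brute-force attack: many distinct accounts failing from one source, with only one or two failures each, so per-account lockout never triggers. The following Python detector is an added example for this page, not code from the report, CISA or the NCSC. The log format and the sample lines are constructed, and the thresholds (a 30-minute window, five accounts, at most two failures per account) are assumptions to tune against real data; it also implements the brute-force mirror case so the two patterns are not confused.

```python
"""Password-spray detection over e-mail authentication logs (added example).

Not code from the report, CISA or the NCSC. The log format and the sample
lines are constructed; real sources (Exchange, Office 365 sign-in logs,
Okta) carry the same four facts under their own field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <source IP> <account> <FAIL|SUCCESS>".
# 203.0.113.7 sprays eight accounts once each and then succeeds on a ninth;
# 198.51.100.23 brute-forces a single account; 192.0.2.5 is a user typo.
SAMPLE_LOG = """\
2020-05-04T02:00:01Z 203.0.113.7 alice@example.org FAIL
2020-05-04T02:00:03Z 203.0.113.7 bob@example.org FAIL
2020-05-04T02:00:05Z 203.0.113.7 carol@example.org FAIL
2020-05-04T02:00:07Z 203.0.113.7 dave@example.org FAIL
2020-05-04T02:00:09Z 203.0.113.7 erin@example.org FAIL
2020-05-04T02:00:11Z 203.0.113.7 frank@example.org FAIL
2020-05-04T02:00:13Z 203.0.113.7 grace@example.org FAIL
2020-05-04T02:00:15Z 203.0.113.7 heidi@example.org FAIL
2020-05-04T02:00:17Z 203.0.113.7 ivan@example.org SUCCESS
2020-05-04T02:01:00Z 198.51.100.23 alice@example.org FAIL
2020-05-04T02:01:02Z 198.51.100.23 alice@example.org FAIL
2020-05-04T02:01:04Z 198.51.100.23 alice@example.org FAIL
2020-05-04T02:01:06Z 198.51.100.23 alice@example.org FAIL
2020-05-04T02:01:08Z 198.51.100.23 alice@example.org FAIL
2020-05-04T02:01:10Z 198.51.100.23 alice@example.org FAIL
2020-05-04T02:01:12Z 198.51.100.23 alice@example.org FAIL
2020-05-04T02:01:14Z 198.51.100.23 alice@example.org FAIL
2020-05-04T09:30:00Z 192.0.2.5 judy@example.org FAIL
2020-05-04T09:30:20Z 192.0.2.5 judy@example.org SUCCESS
"""


def parse_log(text):
    """Yield (time, ip, account, succeeded) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "SUCCESS"


def detect_sprays(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts, a few times each.

    A source is flagged when some `window`-long span of its failures covers at
    least `min_accounts` distinct accounts with no account failing more than
    `max_per_account` times. Returns {ip: {"sprayed": [...], "compromised": [...]}}
    where "compromised" lists accounts that succeeded from that IP.
    """
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(set)   # ip -> {account}
    for t, ip, account, ok in events:
        if ok:
            successes[ip].add(account)
        else:
            failures[ip].append((t, account))

    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        sprayed = set()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so attempts[start:end+1] spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, acct in attempts[start:end + 1]:
                per_account[acct] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                sprayed.update(per_account)
        if sprayed:
            findings[ip] = {"sprayed": sorted(sprayed), "compromised": sorted(successes[ip])}
    return findings


def detect_brute_force(events, min_failures=5):
    """The mirror case: one (ip, account) pair with many failures."""
    counts = defaultdict(int)
    for _, ip, account, ok in events:
        if not ok:
            counts[(ip, account)] += 1
    return sorted(pair for pair, n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    for ip, f in detect_sprays(events).items():
        print(f"spray from {ip}: {len(f['sprayed'])} accounts, later successes: {f['compromised']}")
    for ip, account in detect_brute_force(events):
        print(f"brute force from {ip} against {account}")
```

A success from a flagged source after the run of failures ("compromised" in the output) is the account to reset and investigate first; sprays routed through many source addresses will need the same grouping keyed on user agent or autonomous system rather than on a single IP.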

This report is classified TLP:WHITE (https://first.org/tlp/). Information contained within this report has been approved for public release and may be distributed without restriction, subject to copyright controls. Page 14

A malicious e-mail campaign in April targeting Gilead, the drugmaker designing remdesivir, a promising COVID-19 treatment, used the same infrastructure as an e-mail campaign that targeted WHO personnel with malicious e-mails appearing to be from researchers and news organizations (https://www.reuters.com/article/us-healthcare-coronavirus-gilead-iran-ex/exclusive-iran-linked-hackers-recently-targeted-coronavirus-drugmaker-gilead-sources-idUSKBN22K2EV; https://www.bloomberg.com/news/articles/2020-05-07/hackers-target-who-by-posing-as-think-tank-broadcaster). The Iran-linked SKATE cyberthreat group appears to stand behind both campaigns. iDefense also reported earlier on a likely SKATE-linked campaign using spoofed versions of the WHO login page.

Ransomware attacks on hospitals continued as malware thought to be the Ekans (a.k.a. Snake) ransomware disrupted global IT operations of German-based hospital provider Fresenius on May 6. Researcher Brian Krebs cited an unnamed reader source as saying Fresenius had previously paid a US$1.5 million ransom (https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/).

PRIVACY CONCERNS REMAIN AS SURVEILLANCE TOOLS EVOLVE

Reports of privacy lapses in COVID-19 tracking and mobility apps continued, with one example being reports of excessive government surveillance of patients in Pakistan (https://www.codastory.com/authoritarian-tech/pakistan-coronavirus-surveillance/). The Care19 COVID-19 app the US states North Dakota and South Dakota have been using sends location data to an outside company, according to The Washington Post (https://www.washingtonpost.com/technology/2020/05/21/care19-dakota-privacy-coronavirus/?outputType=amp), while a flawed contact tracing app in Qatar exposed personal details of over a million people, according to Amnesty International (https://www.amnesty.org/en/latest/news/2020/05/qatar-covid19-contact-tracing-app-security-flaw/).

INSIDER THREATS

There appears to have been a significant increase in risk from insider threats, especially from non-malicious insiders, due to COVID-19 and the resultant increase in WFH initiatives. This increased threat is mainly due to the volume of related phishing campaigns and people being more vulnerable to social engineering efforts than normal, as many are anxious to learn more about COVID-19 and how to prevent themselves from catching or spreading the virus. As a result, businesses should focus resources on training, awareness and communication of these increased security risks. Insiders fall into two main categories: malicious and non-malicious, with the non-malicious category further divided into ignorant and complacent insiders. Non-malicious insiders increase security risks in this threat category the most, though malicious insiders are still likely to take advantage of the current environment surrounding COVID-19.

MALICIOUS INSIDERS

The COVID-19 pandemic is likely to increase opportunities for a premeditated malicious insider to take advantage of related situations. Such opportunities include: a lack of oversight, with WFH employees potentially feeling emboldened by working remotely and therefore more inclined to take risks; business processes that have become less rigorous due to new, temporary working practices; and easier data egress pathways. Coupled with potential motivating factors such as financial insecurity and job losses, these situations make it likely malicious insiders will be more inclined to commit fraud or steal intellectual property for future job opportunities or to sell. To protect against threats from malicious insiders, businesses can:
▌ Ensure key business processes or those that involve financial transactions are sufficiently rigorous and, if possible, monitor these processes.
▌ Revoke privileges belonging to furloughed or laid-off staff as soon as possible (if appropriate in a furloughed situation).
▌ Monitor for large or critical data transfers and downloads, if possible, and/or increase monitoring of certain individuals of concern.

NON-MALICIOUS, IGNORANT INSIDERS

Ignorant insiders are more inclined to fall victim to the increasing numbers of phishing e-mails and texts related to COVID-19 than are insiders educated on such threats. COVID-19 has resulted in a huge increase in these types of e-mails and texts, which threat actors spoof to appear to be from public bodies, demanding immediate actions. With COVID-19 increasing people’s stress levels and related government orders making people potentially more compliant, incoming COVID-19-related phishing e-mails and texts may help create a recipe for disaster. It is also easy for criminals to impersonate senior leaders from businesses and demand actions from colleagues, such as making emergency payments etc., and malicious actors could take advantage of COVID-19 themes to do so.
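The spoofed public-body e-mails and impersonated senior leaders described above leave traces in message headers that a mail gateway or SIEM can score before a recipient ever sees the message. The script below is an added example, not material from the report or from Accenture or iDefense; the list of protected bodies, the company domain example-corp.com, the executive name and the three sample messages are constructed assumptions (who.int, cdc.gov and jhu.edu are the bodies' real domains).

```python
"""Header checks for COVID-19-themed impersonation e-mails.

Added example, not part of the iDefense report. It scores a message on the
indicators the report describes: a display name borrowing a public body's
name while the sending domain is not that body's, an executive's name on a
mail from outside the company domain, a Reply-To pointing elsewhere, a
lookalike of a trusted domain, and urgency language in the subject.
"""
import email
import re
from email.utils import parseaddr

# Constructed allowlists. who.int, cdc.gov and jhu.edu are the bodies' real
# domains; example-corp.com and the executive name are placeholders.
PROTECTED_BODIES = {
    "world health organization": {"who.int"},
    "johns hopkins": {"jhu.edu"},
    "centers for disease control": {"cdc.gov"},
}
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe"}
URGENCY = re.compile(r"\b(urgent|immediate(?:ly)?|emergency|action required)\b",
                     re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance, used to catch typosquatted lookalikes of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze_message(raw):
    """Return the sorted list of indicator names that fire on one raw message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, from_domain = name.lower(), domain_of(addr)
    flags = set()

    # Display name claims a public body, but the mail comes from elsewhere.
    for body, legit_domains in PROTECTED_BODIES.items():
        if body in name and from_domain not in legit_domains:
            flags.add("display_name_impersonation")
    # Display name matches an executive, but the domain is not the company's.
    if any(exec_name in name for exec_name in EXECUTIVES) and from_domain != COMPANY_DOMAIN:
        flags.add("executive_impersonation")
    # Replies would go to a different domain than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_domain:
        flags.add("reply_to_mismatch")
    # Sender domain is one or two edits away from a domain we trust.
    trusted = {COMPANY_DOMAIN}.union(*PROTECTED_BODIES.values())
    if any(1 <= levenshtein(from_domain, d) <= 2 for d in trusted):
        flags.add("lookalike_domain")
    if URGENCY.search(msg.get("Subject", "")):
        flags.add("urgency_language")
    return sorted(flags)


# Constructed sample messages (headers only, not real mail).
SAMPLES = {
    "who_spoof": (
        'From: "World Health Organization" <covid-alerts@who-int.org>\n'
        "Reply-To: who.alerts@mailbox.example\n"
        "Subject: URGENT: COVID-19 safety measures, immediate action required\n\n"
        "body\n"
    ),
    "ceo_spoof": (
        'From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>\n'
        "Subject: Emergency payment needed before close of business\n\n"
        "body\n"
    ),
    "legit_it": (
        'From: "Example Corp IT" <it-helpdesk@example-corp.com>\n'
        "Subject: Scheduled VPN maintenance on Friday\n\n"
        "body\n"
    ),
}


def analyze_samples():
    return {label: analyze_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, flags in analyze_samples().items():
        print(label, flags)
```

None of these indicators is conclusive on its own (legitimate mail sometimes carries a different Reply-To, and urgency words appear in real IT notices), which is why the function returns the set of indicators rather than a verdict; a gateway rule would typically quarantine on impersonation or lookalike hits and only raise the score on urgency language. Note that the sender-domain checks only reach the claimed From header; pairing them with SPF/DKIM/DMARC results from the receiving MTA closes the gap where the From domain itself is forged.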

Other ways cybercriminals may take advantage of COVID-19 relate to slow networks and IT issues. Cybercriminals could take advantage of such situations, purport to be from IT support teams and offer “help” with technical issues; in such scenarios, actors could use staff-granted system access to their advantage.

Criminals and state actors are likely to capitalize on the uncertainty, increased stress levels, and new working situations and processes to increase the volume and sophistication of social engineering attacks. To protect against threats from non-malicious, ignorant insiders, businesses can:
▌ Prioritize security training, employee awareness and communication of security risks, particularly with respect to COVID-19.
▌ Run security scans for spoofed e-mails and texts from both inside and outside of a given network and provide updates on results of these scans to staff as soon as possible for awareness.
▌ Ensure people have a clear line of reporting for security incidents and a mechanism to get help and advice if they need it.

NON-MALICIOUS, COMPLACENT INSIDERS

Risks involving complacent insiders include finding unsecured workarounds employees use to deal with WFH challenges (such as downloading unsecured online meeting apps and using unofficial document-sharing sites). These types of insiders are not likely to report security concerns, as they are unlikely to care to find out how to report such concerns; they may also start using unsecured devices for work purposes out of convenience, with both choices having the potential to create security issues. To protect against threats from non-malicious, complacent insiders, businesses can:
▌ Design and communicate easy “how to” guides for common WFH situations.
▌ Clearly communicate “dos and don’ts” related to work and define disciplinary actions that will follow non-compliance with such rules.
▌ Properly enable security information and event management (SIEM) solutions to detect unauthorized downloading and use of software and sites.

ADDITIONAL MITIGATIONS

Additional ways to protect against insider threats include using:
▌ Risk-based and/or multi-factor authentication (MFA) advanced access management systems to reduce the risk of compromise of company systems resulting from employee access to those systems.
▌ Identity governance (defining access, provisioning and deprovisioning access, implementing segregation of duties and recertification controls), as it reduces attack surfaces and limits opportunities for errors and malicious actions.
▌ Privileged access management for high-impact access points; this may include increased security measures, such as rotating passwords, recording sessions, and deploying analytics around privileged access. This solution can help reduce the risk of privilege escalation from an actor attacking via remote access routes.
▌ Organization-controlled phishing simulations and tests to improve employees’ security behavior concerning phishing attacks.
All the above also enable logging and monitoring of activities pertaining to system access.

EXPERT, EXPERIENCED ADVICE WILL BE CRITICAL

To minimize targeting opportunities, companies should direct employees to the most-reliable local information source on COVID-19 and instruct employees not to fall prey to unfamiliar e-mails purporting to inform them about the pandemic; three reliable US sources are https://hub.jhu.edu/novel-coronavirus-information/, https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus_0.pdf and https://coronavirus.gov.
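Several of the insider-threat measures in this section (monitoring large data transfers, revoking privileges of furloughed or laid-off staff and deprovisioning access promptly, and enabling the SIEM to detect unauthorized software and unofficial sharing sites) can be expressed as one batch of SIEM-style rules. The following is an added example, not the report's own material or any vendor's product logic; the JSON event format, account names, approved-software list, site list and egress threshold are constructed assumptions that stand in for an organization's own reference data.

```python
"""WFH insider-activity checks over constructed SIEM-style event records.

Added example, not part of the iDefense report. It implements the checks the
report recommends: large or critical data transfers, activity by accounts
that should have been deprovisioned after furlough or lay-off, installation
of unapproved software, and use of unofficial file-sharing sites.
"""
import json
from collections import defaultdict

# Constructed reference data (placeholders, not the report's or any company's).
FURLOUGHED_ACCOUNTS = {"dave"}
APPROVED_SOFTWARE = {"ApprovedVPNClient", "CorpMeet"}
UNSANCTIONED_SHARING_SITES = {"docs-share.example", "personal-drive.example"}
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024   # per user per batch; tune to baseline

# Constructed sample events in JSON-lines form (not real logs).
SAMPLE_EVENTS = """\
{"ts":"2020-05-18T09:02:11Z","user":"bob","event":"upload","dst":"personal-drive.example","bytes":734003200}
{"ts":"2020-05-18T09:15:40Z","user":"bob","event":"upload","dst":"personal-drive.example","bytes":120000000}
{"ts":"2020-05-18T10:01:02Z","user":"carol","event":"app_install","name":"FreeMeetingTool"}
{"ts":"2020-05-18T10:04:30Z","user":"carol","event":"web","dst":"docs-share.example"}
{"ts":"2020-05-18T11:20:00Z","user":"dave","event":"login","src":"203.0.113.5"}
{"ts":"2020-05-18T11:25:00Z","user":"alice","event":"upload","dst":"sharepoint.example-corp.com","bytes":20971520}
{"ts":"2020-05-18T12:00:00Z","user":"alice","event":"app_install","name":"ApprovedVPNClient"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def egress_by_user(events):
    """Sum uploaded bytes per user across the batch (one day in the sample)."""
    totals = defaultdict(int)
    for ev in events:
        if ev["event"] == "upload":
            totals[ev["user"]] += ev["bytes"]
    return dict(totals)


def analyze_events(text, threshold=EGRESS_THRESHOLD_BYTES):
    """Return {user: sorted indicator names} for every user with a finding."""
    events = parse_events(text)
    flags = defaultdict(set)

    for ev in events:
        user = ev["user"]
        # Any event from a furloughed/laid-off account means deprovisioning lagged.
        if user in FURLOUGHED_ACCOUNTS:
            flags[user].add("activity_after_furlough")
        # Software outside the approved list (unsecured meeting apps, etc.).
        if ev["event"] == "app_install" and ev["name"] not in APPROVED_SOFTWARE:
            flags[user].add("unapproved_software")
        # Browsing to, or uploading to, an unofficial document-sharing site.
        if ev["event"] in ("web", "upload") and ev["dst"] in UNSANCTIONED_SHARING_SITES:
            flags[user].add("unsanctioned_sharing_site")

    # Volume check is per user over the batch, so many small uploads still count.
    for user, total in egress_by_user(events).items():
        if total > threshold:
            flags[user].add("large_egress")

    return {user: sorted(f) for user, f in flags.items()}


if __name__ == "__main__":
    for user, findings in sorted(analyze_events(SAMPLE_EVENTS).items()):
        print(user, findings)
```

In the sample, "bob" trips both the volume rule and the destination rule, "carol" the software and site rules, and "dave" the deprovisioning rule, while "alice" (a modest upload to a corporate site and an approved client) produces nothing. The furlough check is the cheapest and most reliable of the four: any authentication or activity from an account that HR has marked as furloughed or terminated is a deprovisioning failure, not a judgement call, and should feed straight back into the identity-governance process.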

RECOMMENDATIONS
▌ Ensure employees are fully cognizant of company information protection procedures, including those regarding hard drives and file encryption in storage and in transit.
▌ Brief employees on home network best practices, including the use of non-default router and IoT passwords, SSID broadcast hiding and the configuration of trusted DNS providers.
▌ Ensure WFH employees understand how to configure and connect to company VPN providers and avoid split-tunneling.
▌ Plan fallback measures for phone-based and off-net communications and work, as many VPN providers may encounter scaling issues as large numbers of users join.
▌ Ensure the computers and devices work-from-home employees use are updated with the most current system and application versions.

LEGAL NOTICE & DISCLAIMER: © 2020 Accenture. All rights reserved. Accenture, the Accenture logo, iDefense and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from iDefense. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this alert is based on information gathered and understood at the time of its creation. It is subject to change. ACCENTURE PROVIDES THE INFORMATION ON AN “AS-IS” BASIS WITHOUT REPRESENTATION OR WARRANTY AND ACCEPTS NO LIABILITY FOR ANY ACTION OR FAILURE TO ACT TAKEN IN RESPONSE TO THE INFORMATION CONTAINED OR REFERENCED IN THIS ALERT.
