Geopolitical and Cybersecurity Risk Weekly Brief 20 April 2020

20 April 2020

COVID-19 Cybersecurity Update

The government of North Rhine-Westphalia (NRW), a province in western Germany, has reportedly lost between EUR31.5 million and EUR100 million in emergency aid following a COVID-19 phishing campaign. The threat actors behind the campaign created fake copies of the official website used to distribute COVID-19 financial aid by the NRW Ministry of Economic Affairs and used them to collect the details of local residents. This data was then used to file requests for government aid on behalf of the victims, with the funds wired to an account controlled by the cybercriminals.

A recent malware campaign linked to @SideWinder, an Indian state-sponsored APT, is using the coronavirus as a lure in spam emails targeting the Pakistani military. The spam emails contained malicious documents that purport to present information on a deployment of the Pakistani army to assist with the coronavirus pandemic. The individuals targeted by this campaign are thought to be high-ranking military officials in the army, navy, and air force, as well as civil servants.

Researchers have uncovered a malware campaign pushing an EternalBlue downloader Trojan that is delivered via COVID-19-themed spam emails. The worm, dubbed BlueTea, arrives in spam typically entitled “The Truth of COVID-19”. This campaign has infected many well-known Chinese companies in sectors such as insurance, real estate, electronics, scientific research, universities, and automotive, as well as a food production company, among others.

Malware that still targets EternalBlue is generally regarded as low risk for modern corporates. However, there are many parts of the world, such as China, where many organisations will have failed to update older Windows systems. As a result, the EternalBlue vulnerability can still be exploited by malware if systems are exposed to the public-facing internet.

Zoom, Skype, and Video Conferencing Risks

Two 0days affecting the Zoom video conferencing software are being offered for sale on the darknet. The bugs affect Windows and macOS clients, according to three independent sources. While these sources have not seen the code for either of the vulnerabilities, they have reportedly been contacted by brokers offering the Windows 0day for USD500,000. This bug is a remote code execution issue which is, according to an industry expert, "perfect for industrial espionage."

It is unclear if these exploits have been used in the wild or if they are simply being offered for sale. Zoom stated that no “evidence substantiating these claims” had been found. 


Attacks and cybersecurity news

The state of New York has revealed an intrusion which occurred in January 2020. The specific agencies targeted in the intrusion include the New York State Police, the Department of Environmental Conservation and the Department of Civil Service. It is believed that the threat actors accessed the state’s network through an unpatched Citrix vulnerability (CVE-2019-19781). This bug was first disclosed in December 2019: a patch was made available on 20 January, though many organisations have not implemented it. Since its disclosure, threat actors ranging from state-sponsored APTs to ransomware groups have all exploited this vulnerability.

The attack on San Francisco airport (SFO), reported on 11 April, has been attributed to Russian APT Dragonfly (EnergeticBear). The group stole Windows credentials for the affected systems and could, therefore, use them to further infiltrate the airport’s network to perform post-exploitation activities, such as exfiltrating valuable intellectual property or deploying ransomware. As a safety measure, SFO forced a reset of all network and email passwords on Monday, March 23, 2020.

Threat group GhostSquadHackers claimed responsibility for hacking and defacing the European Union Intellectual Property Office (EUIPO) website as part of a campaign to #FreeJulianAssange. The attack was reported on Facebook on 14 April. It is unclear why the EUIPO would have been targeted in this case. Assange is currently held in Belmarsh Prison, in the UK, and the European Union Intellectual Property Office would have nothing to do with his release. Consequently, it is more likely that the attack was opportunistic, rather than targeted.

Portuguese multinational energy company, Energias de Portugal (EDP), has fallen victim to a Ragnar Locker ransomware attack. According to reports, the company's systems have been encrypted and a 1,580 Bitcoin (around USD10.9 million) ransom is being demanded. EDP Group is the world's fourth-largest producer of wind energy and is one of the largest European producers of gas and electricity. The Ragnar Locker operators claim to have stolen over 10 TB of sensitive company files from EDP Group and are threatening to leak this data if the ransom is not paid - as is now usual in cases such as these.

Security researchers have uncovered several banking Trojan campaigns launched by a Brazilian threat group in Portugal and Brazil. Phishing and SMiShing waves are launched against thousands of victims enticing them to download a trojanised Android app. This malicious app steals the victims' banking credentials.

The Mediterranean Shipping Company (MSC) announced last week that both its website and customer portal had been taken offline. MSC closed the affected data centre and also took its central servers, located in its head office in Geneva, offline. The investigation into the MSC incident remains ongoing, and the use of malware has yet to be confirmed. However, it seems likely MSC’s decision to close its central servers was based on pre-emptively protecting critical network infrastructure.

An educational institution in Taiwan has been compromised. Several BiFrost backdoors in the institution's Tomcat web servers allowed the malware to exploit the GhostCat vulnerability that affects these servers. Attackers targeted vulnerable Tomcat web servers that had a default port open and were publicly exposed as a result. The GhostCat vulnerability is a critical remote code execution (RCE) bug.

Tencent Security has discovered a threat group targeting Windows and Linux servers using automated scanning and brute force tools. The group has been active since April and appears to target networks based in China, predominantly within the Zhejiang, Jiangsu, and Guangdong provinces. The automated and relatively unsophisticated nature of the access tools indicates the priority for this threat group is to infect as many victims as possible. Based on this methodology and payloads used, a likely objective for this group is the creation of a botnet which can then be used to conduct DDoS attacks.

AnonymousItaly recently announced the launch of #OpRevengeGram, which focuses on exposing individuals involved with the creation and sharing of revenge porn. The group claims to have been inspired after the discovery of significant amounts of this material on Telegram. Members of the public are encouraged to report the names of Telegram groups where this material is shared. The group does not specify what form of action they will take once they possess this information.


Data breaches, fraud, and vulnerabilities

Data Breaches

Exploit[.]in forum member Xrenovi4 claims to be selling a large database containing corporate email addresses for some of the largest US companies including Verizon, Cisco, and Oracle. Given that this database includes multiple victims, it is possible it has been compiled largely from pre-existing leaks. However, users on Exploit[.]in are generally quick to identify any re-packaged leaks: this post had already attracted some positive attention which may be an indication of authenticity.

Bank_Security reported the sale of 117,000 personally identifiable records pertaining to executives of various US banks. Sensitive information, such as payment data or credentials, is absent from this set of records so it is possible that it could have been scraped from various sites. Cyjax analysts found a user on Raid Forums, barman3212, who appears to be the vendor of these records. The post is dated December 2019 and was leaked alongside a list of 35 million alleged US mobile numbers, and a suspected database of US doctors' PII and their clinics' information.

The data of 600 customers of the Group Caja Rural was leaked online. Group Caja Rural is one of the biggest banking groups in Spain. Data exposed in this breach comprises hashed passwords and customers' PII, such as username and password, full name, email and home address, telephone number, and nationality. The up-to-date data could be used in fraud with a high likelihood of success.

A malicious actor, dubbed CyberMath, is offering to sell a database stolen from tech company, Wappalyzer, for USD2,000. The company was forced to confirm the security breach after the thief began emailing Wappalyzer clients. 16,000 Wappalyzer customers' email addresses were taken in the incident.

Comparitech reported the exposure of 1.1 million records by SCUF Gaming, a gamepad and game peripherals manufacturer. The data was exposed for around two days prior to its discovery. However, the researchers found that threat actors had already found the database, leaving a ransom note demanding 0.3 Bitcoin for the data. 

Fraud

A long-running fraudulent online advertising campaign has been discovered and dubbed Operation ICEBUCKET. During this campaign, the ICEBUCKET group operated by abusing the Server-Side Ad Insertion (SSAI) technology to spoof smart TVs and earn profits from cost-per-impression adverts. At its peak in January, the researchers say the ICEBUCKET gang generated around 1.9 billion ad requests to SSAI servers per day. It was found that almost two-thirds of the CTV SSAI ad traffic in the month of January 2020 came from non-existing devices.

ESET uncovered a new SMiShing campaign pushing the Roaming Mantis (also known as MoqHao or FakeSpy) Android mobile banking Trojan. The scam masquerades as La Poste across France. Cyjax analysts also found that Royal Mail UK, US Postal Service, and Die Post in Germany are all also impacted by this campaign. Parcel delivery and courier phishing campaigns are often leveraged in many types of cybercrime; they are a common social engineering method used by threat actors. Roaming Mantis attacks targeting mobile users have also included landing pages to target iOS devices in an attempt to lure victims into installing a malicious iOS mobile configuration.

RedDrip7 uncovered a number of fake VISA apps that have appeared in China, Vietnam, Malaysia and other countries. These are used to harvest payment data and personally identifiable information (PII). Researchers observed a mobile phishing campaign with malicious URLs leading to sites hosting the fake VISA apps’ APK files. The campaign began in late February 2020 and continues at the time of publishing.

Taiwanese fraud gangs have reportedly become a growing threat for both Chinese users and those in other countries in the region. Because of VISA's global reach, it is a recognisable front for phishing campaigns that can be leveraged around the world. The move towards mobile banking only broadens the threat landscape for potential victims. 

Vulnerabilities

Microsoft released its April 2020 Patch Tuesday security updates, with 113 patches in total. Three of these are being actively exploited in the wild and two were disclosed prior to Patch Tuesday. Oracle rolled out security patches for more than 20 of its products. The April 2020 release includes 397 fixes for vulnerabilities in 24 products: more than 60 of the bugs are rated critical severity.

Intel pushed its April 2020 Platform Update, addressing several security vulnerabilities. These range from high to medium severity and impact multiple software products, firmware, and platforms. Successful exploitation of these issues could trigger a DoS condition or escalation of privileges by unauthenticated, authenticated, or privileged users on unpatched systems.

Siemens released six new advisories as part of its April Patch Tuesday release. These included three surrounding the impact of the Segment Smack vulnerability on its products.

360 NetLab uncovered multiple 0day vulnerabilities in fibre routers that have been actively exploited by the Moobot botnet. Chinese CERT has been alerted. The vendor, Netlink, however, has ignored the vulnerability report, stating that it will not be addressing this issue. At least nine router vendors are affected by these software bugs. This vulnerability will undoubtedly be incorporated into IoT botnets.


APT Activity and Malware Campaigns

APT activity

RedDrip7 has published additional analysis of a Lazarus campaign, targeting South Korea, that was first identified at the beginning of April. Further malicious documents have been disclosed that target the Incheon Center for Disease Control (CDC). A formal security advisory was issued on 16 April by the US Departments of State, Treasury, and Homeland Security, together with the FBI, concerning the threat from North Korean threat actors to the international community, network defenders, and the public. Companies, particularly those in the banking and financial services sector, should regularly review, test, and update their cybersecurity protocols and practices, and report any suspicious cyber activities impacting their operations to relevant law enforcement authorities immediately.

Malware samples in spam emails with the subject ‘Payment Overdue’ have been linked to the financial cybercrime group, FIN7. The emails purport to be an invoice from a software company called Softcreativa. Cyjax analysts found that Softcreativa appears to be a front company, with social media accounts on Facebook, Instagram, and Twitter set up by the threat actors. These are likely to be used in phishing campaigns for credential harvesting and malware deployment.

Nearly 40 US government contractors with access to classified information, including those specialising in healthcare technology and the energy sector, have been targeted by a Chinese state-sponsored hacking group, known as ElectricPanda. The warning, in the form of a US Department of Defense (DoD) security advisory, comes at a time of heightened tension between the US and China over the rapid spread of the coronavirus.

Malware

Maze, Sodinokibi, Doppelpaymer and other ransomware-as-a-service operators continue to target organisations around the world, though primarily in the west. As is now standard in ransomware attacks, the threat actors steal as much data as possible from victims in order to increase their leverage in ransom negotiations.

The Sodinokibi (REvil) ransomware group recently claimed to have infected and stolen data from two companies:

  • ASCENT Network – A US non-profit organisation which focuses on providing financial education and counselling services to those in need
  • Cincinnati Capital Corporation – A small US financial services company based in Cincinnati, focusing primarily on debt purchasing, private equity, as well as mergers and acquisitions

A new botnet malware, dubbed Mozi, is targeting IoT devices. Mozi appears to have first entered the scene in September 2019 but saw a significant increase in its scanning in December of that year. At the time of writing the botnet has almost 16,000 unique nodes. The vast majority of these (71%) are in China, with a further 10 per cent in both the USA and India, followed by various other countries. Botnets can be a serious issue for organisations for two reasons: either they are used to target companies with DDoS attacks; or they drain organisations' resources, hampering their ability to carry out their processes.

MalwareHunterTeam and Lukas Stefanko have uncovered a new Android SMS stealing Trojan targeting Santander bank customers in Spain. The malware, which appears to be still in development stages, forwards all of a victim's SMS messages in an attempt to bypass two-factor authentication (2FA) for banking applications.

A new variant of the AgentTesla malware, a notorious infostealer, can reportedly spread over WiFi via stolen credentials. The malware was being actively distributed in spam campaigns during March and April. It is possible that the threat actors will use stolen WiFi profiles to launch attacks in the future. By stealing a WiFi profile, AgentTesla can potentially infect multiple victims all connected to the same WLAN. This is particularly concerning due to the many free WiFi hotspots in public spaces, retail, and hospitality businesses, and elsewhere, which create a broad attack surface. 

Darknet

DDoS attacks continue to plague the darknet. In response, the admin of Dread recently announced a partnership with Empire to test a new DDoS mitigation system that appears to use a similar CAPTCHA system to the one already in place on Dread. Soon after this partnership was announced, however, the Dread admin revealed their DDoS mitigation system had been compromised. Although it has now been upgraded, this will likely only provide a temporary reprieve. The fact that platforms are now collaborating to mitigate this threat highlights the pervasiveness of DDoS attacks on the darknet.

The darknet vendor NeverPressedRX has been arrested by the FBI. NeverPressedRX was active on Empire market and sold a range of products including Xanax, oxycodone and hydrocodone. This vendor used Mailchimp to email advertisements to all previous customers, including undercover agents. It is believed Mailchimp then cooperated with the FBI in providing the vendor’s IP address, eventually leading to his arrest. This news has caused serious concern within the darknet community and may lead vendors to exercise additional caution regarding third party platforms.

Finally, the operators behind the Nemty RaaS have announced they will no longer be working with affiliates. It is currently unclear if the operators intend to continue to use Nemty as their own private ransomware, or if they intend to shut down entirely. Victims will now have just one week to pay the ransom, after which it will no longer be possible to decrypt their files. The developers behind Nemty have also been linked to the Nefilim ransomware, so they may continue to operate using this ransomware instead.

COVID-19 Geopolitical Threats and Impacts

Americas

The US Department of the Treasury has reached an agreement with major domestic airlines on a USD25 billion package for wage support during the coronavirus (COVID-19) pandemic. Ten US carriers are included in the deal, including American Airlines, United, Delta, and Southwest. US passenger and cargo carriers employ at least 750,000 people, and the funds, provided in the form of low-cost loans and direct grants, will help maintain many of these jobs. There is a high likelihood that passenger demand for US carriers will remain low in at least the one-month outlook. Companies partnering with US airlines should engage with stakeholders to ascertain the impact of the funding on staffing, operations and strategy.

The precipitous drop in passenger numbers – both domestically and internationally – has also triggered order cancellations for new aircraft. On 14 April, Boeing announced that 150 orders for its 737 MAX had been cancelled in March and the company had had its worst first-quarter production since 1984. The pandemic, however, has also prompted disruption at Boeing’s main rival, European-based Airbus, with a planned increase in production of its A220 jet being postponed by a year. Companies supplying or partnering with aircraft manufacturers should monitor updates and engage with stakeholders regarding the impact of reduced orders on operations and strategy.

More broadly, the inequitable economic impact of COVID-19 in the US is demonstrated by a recent class action lawsuit against delivery companies GrubHub, DoorDash, Postmates and Uber Eats. The defendants stand accused of exploiting their dominance in the food delivery market to impose fees which have led to higher restaurant prices. There is heightened public scrutiny of all companies providing delivery services: this includes potential probes and judicial cases into business activities. 

APAC

The World Bank (WB) has warned that the eight countries that comprise South Asia are set to record their worst economic growth performance in four decades during 2020 due to the coronavirus pandemic. The forecast, contained in WB’s South Asia Economic Focus report, said the region is likely to grow at between 1.8 and 2.8 per cent this year, against a projection of 6.3 per cent pre-coronavirus. Why it matters: Economic hardship is often accompanied by political instability, and the impact of COVID-19 has already exposed inter-communal as well as class tensions across parts of the region. Companies operating throughout the region should assess the medium- to long-term impact that the present and ongoing period of potential political and social instability will have on their operations and staff.

The Indonesian government has warned that some four million Indonesians will fall into poverty and 5.2 million will lose their jobs as a result of the coronavirus pandemic: 2.8 million people are already unemployed. The country’s Finance Minister, Sri Mulyani Indrawati, has said economic growth in the country was at its lowest level since the 1998 financial crisis and long-time autocratic president Suharto’s removal from office sparked widespread violence. There have already been incidents in Jakarta of small groups seeking to encourage violent action in response to the economic impact of the pandemic, and more can be expected as the situation deteriorates. Foreign companies should be aware of the potential for widespread disorder in late May, when the Muslim fasting month of Ramadan ends, if the economic outlook has not improved.

Elsewhere, the Hong Kong Bar Association warned that a statement by Beijing’s representative office in the territory regarding local legal judgements could be considered as interference and damage Hong Kong’s role as a global financial centre. On Monday the Liaison Office, China’s de facto embassy in Hong Kong, openly welcomed an appeal court ruling that found the local administration’s invoking of colonial-era emergency regulations during serious unrest in October 2019 was within the territory’s constitution. Hong Kong’s comparative economic advantage and rationale is largely based on its adherence to British-based Common Law, and any dilution or diminution of its central role in commerce and finance would require many international and some local corporate entities to leave the territory in order to comply with their own legal charters and obligations. 

Europe

Lawmakers this week summoned UK-based firm Imagination Technologies to address questions amid concerns that its owners have made efforts to transfer sensitive technology to Chinese state-controlled entities. The chairman of the parliamentary Foreign Affairs Select Committee warned that Imagination Technologies’ products could be used to design ‘backdoors’ into critical digital infrastructure.

This underscores the increasing political scrutiny in Europe on companies in sensitive sectors, including defence and technology, over concerns that coronavirus (COVID-19) will make some of them vulnerable to foreign takeovers. Linked to this is the issue of sensitive technology transfer to companies connected to the Chinese government. Growing alarm around Imagination Technologies was prompted after a former chief executive revealed that China Reform was moving to appoint four directors on the UK firm’s board, effectively allowing it to take more direct control. This has also prompted the US government to launch a probe investigating any potential risks to intellectual property developed in the US.

Several carmakers in Central Europe have released plans to resume production at facilities which had temporarily shut down operations in the face of the ongoing coronavirus (COVID-19) outbreak. Some automakers have used the temporary halts to put social distancing measures in place. Kia Motors and Hyundai, two South Korean carmakers, have resumed operations in Slovakia and the Czech Republic. While output is unlikely to reach pre-COVID-19 levels, moves to re-open car plants are a positive indicator for the resumption of business activity in the region.

Importantly, it highlights confidence in the approach taken by some countries, such as the Czech Republic and Hungary, both of which took stringent measures early in the crisis. This has helped keep the growth at low numbers. Companies supplying components to automakers with operations in the region should contact relevant clients regarding their plans to resume production and adjust strategic planning accordingly.

MENA and Central Asia

The International Monetary Fund (IMF) released its annual World Economic Outlook on 14 April in which it forecasts widespread contraction across Middle Eastern and North African (MENA) economies in 2020. The organisation expects the region to contract by 3.3 per cent in 2020, compared to last year’s projected growth of 0.3 per cent. This would mark the biggest slump in four decades, surpassing the 2008-09 global financial crisis. It is also worse than the Fund’s forecast for the world economy, which is expected to contract by 3 per cent this year.

Iraqi President Barham Salih on 9 April designated Mustafa al-Kadhimi as prime minister at a ceremony at al-Salam presidential palace in Baghdad. On 11 April, Kadhimi met with government leaders in an effort to form a cabinet. Kadhimi, the head of Iraq’s National Intelligence Service (NIS) and a former journalist, is the third Iraqi prime minister asked to form a cabinet after Adel Abdul-Mahdi resigned in December 2019 due to anti-government protests and after only one year in office.

Kadhimi is not affiliated with any political party and appears to have widespread backing. Both Iran and the US have welcomed his appointment, raising hope that he will be able to form a government before the deadline of 9 May. Many protesters, however, have already denounced Kadhimi’s appointment as a continuation of the corruptions of the old order. As head of the NIS, Kadhimi is against the proliferation of militias. There is a realistic probability that rocket attacks could increase in frequency as militias demonstrate their opposition to Kadhimi’s candidacy.

The latest developments in the Yemeni civil war saw the Saudi-led coalition accuse the Iran-backed Houthi rebels of breaching a ceasefire 241 times in just five days, including the use of ballistic missiles and heavy weapons. Despite the alleged breaches, the coalition said both it and the Yemeni army are adhering to the ceasefire but that it reserves the right to ‘respond in self-defence cases on the frontlines.’ The ceasefire was implemented both in an attempt to combat the coronavirus outbreak, and to create ‘favourable conditions’ for a UN-supervised meeting between the Yemeni government, the Houthis and the coalition. There is a realistic probability that Riyadh is using the ceasefire as preparation to end its involvement in the war and the Saudis will likely try to prevent a return to large-scale fighting. Limited aerial assaults may be staged in response to particularly egregious events such as a Houthi cross-border attack.

Israeli Prime Minister, Benjamin Netanyahu, and his main rival, Benny Gantz, the leader of the Blue and White Party, missed a midnight deadline on 15 April to form a unity government. Netanyahu and Gantz released a joint statement saying they would continue negotiations later in the day but have now been given a three-week extension by President Reuven Rivlin, who is overseeing the talks. If these talks fail, there will be a general election by 4 August – the fourth in just over a year.  

Sub-Saharan Africa

On 13 April, the IMF announced USD500 million in grant-based debt-service relief to 25 low-income developing countries to help them finance their fight against COVID-19. The funds will be disbursed with immediate effect. Apart from Afghanistan, Nepal, Solomon Islands, Tajikistan, and Yemen, all recipients are in Sub-Saharan Africa. The IMF also announced that it had approved USD1 billion to Ghana and USD442 million to Senegal under its Rapid Credit Facility to help both countries deal with the severe fiscal imbalance that has resulted from the COVID-19 pandemic; in the case of Ghana, declining crude oil prices as a result of the oil price war between Saudi Arabia and Russia and the US have further exacerbated its capacity to generate revenue.

The COVID-19 pandemic is hitting highly indebted and resource-rich countries particularly hard, and the amounts given to Ghana and Senegal reflect the IMF’s serious debt-sustainability concerns. While the IMF moves will provide short-term respite for the recipients of the funds, they signal medium-term risks to fiscal stability and contract viability in multi-stakeholder projects which will be impacted by an overall contraction of local economies in the one- to two-year outlook.

Kenya’s flag carrier airline, Kenya Airways (popularly referred to as KQ), was recently forced to ground some of its cargo flights due to a shortage of staff, many of whom are on sick leave amid the COVID-19 pandemic. This deals another blow to the airline, which has been in financial difficulty over the past year. KQ’s problems with staffing were also highlighted during this timeframe by a series of strike threats by pilots over work obligations and duties, as well as other labour-related issues. Businesses reliant on imports from Kenya should contact their local partner or service provider to seek clarity about the likely impact of the staff shortages. Supply-chain disruptions, specifically of fresh vegetables and flowers, are probable within the European Union, a key export market for Kenyan produce. 


Powered by Cyjax Ltd and A2 Global Risk Ltd.