Geopolitical and Cybersecurity Risk Weekly Brief 4 May 2020

4 may 2020

COVID-19 Cybersecurity Update

Since January, there has been a boom in threat actors capitalising on the COVID-19 pandemic – ZScaler reported a 30,000 per cent increase in phishing, malicious websites, and malware in this period. As the pandemic has continued, however, and lockdowns have affected cybercriminals as well as law-abiding citizens, there has been a levelling off and the beginnings of a decline in coronavirus-related malicious activity. March saw a 38 per cent decrease compared to January levels of coronavirus attacks. The numbers for April are reduced compared to previous months, with only 19 per cent of January's infection figures and 27 per cent compared to those for February.

Fake VPN software, COVID-themed mobile malware and advanced-fee scams were some of the most frequently detected threats. Malicious actors in Moscow have been abusing the coronavirus pandemic to sell counterfeit digital travel passes to locals through fake sites. Since 15 April, Moscovites have had to request digital permits featuring QR codes to travel around the city. Elsewhere, Facebook was used to target customers of specific financial institutions offering giveaways of thousands of dollars in ‘money-flipping’ attacks. Other finance-based email attacks detected by researchers have included fake utility bills to push malware or steal credentials.

The Trump administration has reportedly attributed numerous attempted coronavirus research thefts to the Chinese government and the People's Liberation Army (PLA). US officials have seen increased cyberattacks by nation-states and criminal groups against the country's government agencies and the medical institutions leading the pandemic response. Hospitals, research laboratories, healthcare providers and pharmaceutical companies have all been hit, officials say, alongside the Department of Health and Human Services.

Scammers continue to distribute fake World Health Organization (WHO) emails, asking for charitable donations. Other national and international health bodies used as lures in malicious emails include the Centers for Disease Prevention and Control (CDC) and the NHS.

A new wave of coronavirus-themed phishing attacks impersonates well-known delivery services such as FedEx, UPS, and DHL. Most of these emails claim that packages are being held due to government lockdowns. The recipient is asked to open either an attachment or a link for instructions on picking up their package. The DHL emails deliver the Bsymem Trojan; the UPS and FedEx emails deliver Remcos RAT.

This is just one of multiple malware being distributed through malspam. A new Android mobile ransomware, SauronLocker, is masquerading as a COVID-19 Tracker and Spotify Premium; the Grandoreiro banking Trojan has been hiding in videos on fake websites which claim to provide vital information about the coronavirus; Greece and Pakistan were both targeted in malware distribution campaigns.

Microsoft has warned that threat-actors are taking advantage of the increased traffic to film piracy sites to deliver malicious payloads. The threat actors behind this campaign are targeting victims from Spain and South American countries.

New PPE-themed phishing attacks have been linked to the North Korean APT, Konni (also known as Hermit). Malicious Word documents attached to the phishing emails appear to offer advice about PPE and the coronavirus. However, when the embedded macros are enabled, an infostealing Trojan is downloaded. This is thought to be part of Konni's long-running cyber-espionage campaign against the South Korean government.

A threat actor known as THE0TIME has gained access to Huiying Medical Technology’s COVID-19 detection software. The malicious actor claims to have gained access to the source code, as well as data gathered from testing. He is selling access to the stolen data for 4 Bitcoin ($30,772). This includes information about users, the technology, the source code, and experiment information.

 

Attacks and cybersecurity news

APT actors have attacked supervisory control and data acquisition (SCADA) systems in the Israeli water sector, according to an alert from Israel’s National Cyber Directorate. Attacks on 24 and 25 April targeted SCADA systems at wastewater treatment plants, pumping stations and sewage facilities across the country. Representatives of Israel’s Water Authority stated that the attacks had not caused any operational damage. Organisations have been advised to immediately report incidents that result in disruption.

An Azerbaijani news site, Timetv.live, has been targeted in a DDoS attack believed to have been perpetrated by the Sandman threat group. Sandman may be working on behalf of the Azerbaijan government in the Ministry of Interior. Only Azerbaijani targets seem to have been attacked. If this is a state-sponsored threat group, there will likely be more attacks on activists, dissidents, and independent Azeri media.

London-based Zaha Hadid Architects (ZHA) has said it will not pay a ransom after cyber-attackers threatened to leak company data following a hack last week. The self-described ‘Light’ group claimed responsibility for the incident, which was first reported to authorities on 21 April: the group has requested an undisclosed ransom payment. Stolen files include employee details and contracts, financial documents, and payroll information. ZHA believes no project data has been stolen but said that staff were temporarily prevented from using the server.

Outlaw recently returned from a period of inactivity with upgraded TTPs and more Linux malware, known as Shellbot. The group continues to use the malware to target organisations worldwide with a new IRC server and new Monero pools – an attempt at evading law enforcement. Outlaw is a financially motivated cybercriminal group, largely thought to be based in Eastern Europe. The researchers noted that the C&C IRC server is down at the time of writing and that Outlaw will soon deploy a new IRC server to continue its operations.

According to researchers, approximately one-third of malware now targets mobile endpoints. This type of malware is also becoming much more sophisticated and efficient. Most recently, mobile malware Black Rose Lucy was found to have added a ransomware component to its offering.

Elsewhere, security researchers revealed a new Android remote access tool (RAT) which masquerades as an “Instagram Pro+” app and appears to come from Iran. It is worth noting there is no premium version of Instagram; all apps making this claim are fake and potentially malicious. Another new Android mobile malware, dubbed EventBot, is compromising consumer and business financial data. The majority of financial institutions targeted are in Italy, the UK, Germany, the US and France.  Over 200 mobile financial and cryptocurrency applications are affected, including PayPal, Barclays, CapitalOne UK, HSBC UK, PaySafecard, Santander UK, and Coinbase.

Islamic State (IS)-affiliated hacker group Caliphate Cyber Shield (CCS), which sits under the terrorist network’s umbrella hacker division known as United Cyber Caliphate (UCC), claimed it had defaced a series of South Africa-hosted websites as part of its so-called ‘cyber war’ against non-believers in the country. The 21-minute video message also said the CCS had taken control of the websites in support of Islamic State in Central Africa Province (ISCAP). Although we were unable to independently verify that the websites had been taken down or defaced, the statement is credible.

SANS Institute has released new samples of the Agent Tesla infostealer. The malware has been delivered in a long-running spam campaign using TNT deliveries as a lure. This was not due to a compromised TNT account, but reportedly due to the firm’s website having an incorrectly set Sender Policy Framework (SPF) record. This meant that threat actors could use any server to send an email from the domain, tnt[.]com.

Threat actors recently compromised a small number of accounts at the Estonian email provider, Mail.ee. The attack vector appears to have been a 0day vulnerability for the attack. The attack took place in 2019 and targeted high-profile individuals. Since then, the 0day which was used to gain access to the system has been patched.

Abuse.ch has uncovered several spam emails, containing the NanoCore RAT, that are being sent from email addresses belonging to Austrian police (bmi.gv.at) and the Turkish government (egm.gov.tr). The senders masquerade as the General Directorate of Security (Turkey) and the Bundespolizei (Austria). These attacks appear to be part of a cyber-espionage campaign. However, the use of the commodity malware, NanoCore, suggests they may have been perpetrated by opportunistic cybercriminals. 

 

Data breaches, fraud, and vulnerabilities

Data Breaches

Cyjax analysts identified a threat actor called kemp selling access to a database of 25 million records for healthcare practitioners in the USA and Puerto Rico stolen from MedProID.com. This database could be used as a launching point for various types of credential harvesting or malware distribution attacks, as well as business email compromise (BEC) operations. The extensiveness of the database may even be of interest to APTs.

It has been reported that Warwick University was recently compromised but chose not to inform the affected individuals and organisations. This is believed to have been just one of multiple data breaches that have taken place at the university and occurred after a member of staff installed remote-viewing software. The key issue with this breach was a lack of any incident response and the member of staff in charge having insufficient expertise in data protection.

The personal details of 15 million users of Tokopedia, the largest online store in Indonesia, have been published on a hacking forum. The data, which comprises only a small fraction of the site’s entire database that was stolen, was apparently accessed in March this year. The hacker said he was posting the sample so that others could help crack user passwords. Data at risk includes personal information including names, email addresses, dates of birth, phone numbers, and last login details. The full database, comprising 91 million records, has been advertised for sale on a darknet marketplace.  

Fraud

A new phishing campaign has been discovered using cloned imagery from automated Microsoft Teams notifications. These attacks attempt to harvest recipients' Microsoft Office 365 credentials. The campaign can bypass some Secure Email Gateways (SEGs), making it even more convincing. It also uses several URL redirects to hide the action URL hosting the phishing page. The final phishing page is a cloned O365 login site, which steals the user's credentials. Multiple versions of these attacks have been found, with around 15,000 to 50,000 people having received notifications so far.

Unit42 has published a report on the rise of 'formjacking' and how it has become one of the fastest-growing cybercriminal techniques. Many large websites have been compromised using this technique, such as British Airways, Ticketmaster, Delta, Newegg and Topps.com Sports Collectibles.  Formjacking attacks typically use malicious JavaScript that has been injected into the checkout page of an e-commerce site. In the case of British Airways, millions of users’ financial information was stolen, demonstrating how effective this tactic is for threat actors.  

Vulnerabilities

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • A vulnerability has been discovered affecting 28 popular antivirus products that can cause system crashes or render the computer unusable. Products include antivirus for Windows, iOS, and Linux from Avast, BitDefender, F-Secure, FireEye, Kaspersky, and McAfee
  • Adobe Illustrator, Bridge, and Magento products. 17 flaws were fixed in Adobe Bridge, five in Illustrator, and 13 in Magento.
  • The WordPress Real-Time Find and Replace plugin. Abuse of this flaw can result in attackers creating rogue admin accounts.
  • Hitachi Ops Center Analyzer viewpoint for Linux variants
  • Cosminexus for Linux variants
  • Threat actors have been actively targeting WordPress sites running the OneTone theme. They are targeting a vulnerability that allows them to read and write site cookies and create backdoor admin accounts.
  • ZeroScience Lab has publicly disclosed a vulnerability that affected Furukawa Electric products. Successful exploitation can lead to unauthenticated remote code execution. The researchers also published their proof-of-concept (PoC) exploit.
  • AusCERT has issued a security advisory for multiple vulnerabilities disclosed in Hitachi products. If successfully exploited it could lead to remote code execution, denial of service, and access of confidential information.
  • 14 vulnerabilities have been discovered, five of which are in ImageIO, the image parsing API used by Apple’s iOS and macOS operating systems. The other nine are found in the OpenEXR library, a high dynamic range (HDR) image file format created for computer imaging applications. The researchers believe that it could be possible to exploit some of the flaws for remote code execution without user interaction.
  • GitLab has patched a serious remote code execution (RCE) vulnerability in its platform. The flaw stemmed from the UploadsRewriter function, which is used to copy files.
  • Pulse Secure has issued a security advisory over a critical vulnerability that has been discovered in two of its products. Successful exploitation could allow a man-in-the-middle (MITM) attacker to perform a remote code execution (RCE) attack.

 

APT Activity and Malware Campaigns

APT activity

COVID-19-themed Hangul Word Processor (HWP) documents have been linked to a recent Lazarus spear-phishing campaign with strikingly low detection ratings from the main antivirus vendors. Most recently, the Korea Hydro & Nuclear Power company was targeted, along with aviation giant, Boeing. Other malicious HWP documents deployed by the North Korea-linked APT have been observed in campaigns against South Korean diplomatic institutions and the South Korean CDC.

Trojanised apps found on the Google Play Store have been linked to a campaign dubbed PhantomLance which is believed to have been perpetrated by state-sponsored Vietnamese APT group, OceanLotus (also known as APT32). Around 300 infections were observed on Android devices in Vietnam, India, Bangladesh, Indonesia, Nepal, Myanmar, and Malaysia. FireEye recently disclosed a state-sponsored campaign against the Wuhan government and Chinese Ministry of Emergency Management. These attacks were also attributed to OceanLotus. Hanoi has dismissed the accusations as "baseless" and that “Vietnam forbids all cyber-attacks, which should be denounced and strictly dealt with by law."

Multiple PowerPoint Presentation documents (.PPT) are being used in a spear-phishing campaign linked to GorgonGroup, a Pakistani APT. Further investigation into the APT’s C&C infrastructure revealed a connection to the ManaBotnet. Recently, GorgonGroup used the COVID-19 pandemic in a spear-phishing campaign against the Canadian government and potentially other countries. In both the campaigns outlined above, infostealing malware was the final payload.

A North Korean cyber-espionage APT, dubbed Hermit (also known as KONNI or Temp.Hermit), has been analysed by researchers. The group’s main targets are South Korean politicians, key government departments, news organisations, and the international trade sector. The volume of attacks recently increased, and the group upgraded its TTPs. 

Malware

Ransomware attacks continue to be a major threat to organisations around the world. The threat groups behind the Nefilim and DoppelPaymer ransomware leaked data from an oil and natural gas producer and a UK county supplier, respectively. The LockBit ransomware operators have now announced that they will leak data from their victims as a further means of extortion. This is in line with the trend in data leaking that we have seen over the course of 2020 from most ransomware groups. 

The most prolific of these groups, the Maze gang, introduced this tactic in 2019. Recently, it has revealed dozens of attacks and leaked data from numerous victim companies. These include a French metallurgy company, a German law firm, a Luxembourg supermarket chain, and numerous US organisations including in the civil engineering, waste disposal, financial, manufacturing, and energy sectors.

A new variant of the Cerberus mobile remote access Trojan (MRAT) was found in a targeted attack against a multinational conglomerate and was distributed inside the company via its Mobile Device Manager (MDM) server. Over 75 per cent of the company’s devices were infected. Because this attack is the first one of its kind to be publicly reported, it is highly likely that other threat actors will aim to exploit MDM servers to target Android phones in the same way.

A new rootkit, dubbed Lone Wolf, that has been propagating through software upgrade channels to infect tens of thousands of computers in China. The software, UU Page Tour Assistant, used only by websites in China, has been compromised. When site owners upgrade their pages, the Lone Wolf rootkit is silently downloaded too. Software upgrade channels of third-party software vendors are becoming a popular distribution and delivery technique for threat actors. This technique was most notoriously abused by Sandworm and the NotPetya ransomware which exploited the software upgrade channel for M.E.Doc, a Ukrainian accounting software.

Spamhaus has issued its latest report into botnet activity for the first quarter of 2020. The main takeaways are a decrease in the number of botnet C&C servers and a new malware abusing Google's cloud infrastructure. By hosting their malicious content on Google Cloud infrastructure, attackers no longer need to use suspicious bulletproof hosting providers, which are unreliable as well as attracting the attention of law enforcement. Google’s infrastructure is a reliable way to execute attacks.

The operators of the Shade (Troldesh) ransomware have shut down their operations and released over 750,000 decryption keys. The group even apologised for the harm they had caused their victims. The group may already have returned with a ransomware known as ‘Light’.

A new Android spyware, dubbed Hawkshaw SPY, has been disclosed. The malware is reminiscent of XploitSPY and shares much of the same user interface (UI). Hawkshaw SPY is available via a Malware-as-a-Service (MaaS) platform. 

Darknet

The volatility in darknet markets and within its communities of vendors and buyers continues. Most recently, a relatively small market, known as Pax Romana, exit scammed, leaving both customers and sellers without recourse to get their money back. The admins have absconded and all logins for the market have been changed. This exit scam was first flagged up by a designation on the Dread forum in a staff post on the market’s subread.

In the wake of this disruption, two new markets have taken up the slack left by Pax Romana. As we have noted in the past, market exit scams tend to result in an increased caution across all other markets, with a law enforcement presence feared on other platforms. This suspicion sees customers disperse to smaller, less visible markets, and two of these are Shark and Icarus. These two sites target a niche of darknet users: those who do not trust big markets. Unfortunately for users of these smaller markets, whilst visibility and the concurrent risk of law enforcement interest is reduced, the possibility of exit scams and other abuse is increased.

The Department of Homeland Security (DHS) has revealed that threat actors were selling access to PaperlessPay Corporation, an employee payroll communications company which helps customers with generating pay stubs and W-2 data. The data was being sold on the darknet. PaperlessPay investigated and found that an unauthorised third party managed to gain access to their SQL server on 18 February. Information that may have been accessed includes names, addresses, pay and withholdings information, bank account information, and Social Security Numbers.

 

COVID-19 Geopolitical Threats and Impacts

Americas

According to official GDP figures released by the US Bureau of Economic Analysis, the overall size of the US economy contracted by 4.8 per cent in the first quarter of 2020 relative to the previous quarter. While this marks the first quarter of economic contraction since 2014, and the worst quarterly figures since the 2008 financial crisis, these figures only account for the three months to March, the month in which many US states began to enact lockdown measures and order the closure of businesses deemed non-essential. There is a high likelihood that the economic figures for the second quarter will signal a greater decline in economic activity and indicate that an eventual economic recovery will be gradual (or ‘u-shaped’) rather than rapid (‘v-shaped’). 

Other economic indicators with shorter reporting lags also point to the scale of the economic slowdown; in the past five weeks, more than 26 million people in the US have filed for unemployment. Companies with interests in the US market should monitor macroeconomic developments and review their impact on operations, investments, and financial planning.

On 23 April, the US House of Representatives overwhelmingly approved a USD484 billion COVID-19 economic relief package. The bill, which had already been approved by the Senate, includes USD310bn of funding for the Paycheck Protection Program, a loan scheme helping small businesses keep employees on their payroll. The bill also includes USD75bn in new funding for hospitals, and USD25bn for COVID-19 testing. President Donald Trump has said he will sign the bill into law. Where necessary, companies with operations in the US should review and evaluate assistance programmes available to them, and ensure that operations comply fully with restrictions on business activity and social distancing.

On 24 April, US Trade Representative Robert Lighthizer said that he had notified Congress that the new USMCA trade agreement between the US, Mexico and Canada would enter into force on 1 July. Lighthizer’s announcement comes after a bipartisan group of 19 US senators called for a delay to the proposed 1 June start date, arguing that it was increasing pressure on companies already facing operational and financial difficulties amid the COVID-19 pandemic. Companies whose cross-border supply chains fall under the USMCA agreement should anticipate a 1 July start date – though this deadline may be extended – monitor government announcements, and comply fully with new rules.

Mexico and the EU reached an agreement on upgrading their two-decade old free trade pact. The new deal covers a range of new sectors, including services and farm produce, and allows reciprocal market access to tenders for public contracts. There is a moderate-to-high likelihood that the deal will receive necessary backing from EU governments, however this process may be lengthy, as exemplified by opposition to the EU-Canada trade pact by the Walloon parliament in Belgium in 2016.

Mexican state-owned oil company, PEMEX, is set to wind down production at newly drilled oilfields amid collapsing global prices. In a separate development, PEMEX reportedly declared force majeure on fuel imports from its trading arm, PMI Comercio Internacional, amid the COVID-19 pandemic. PEMEX remains heavily indebted and continues to face significant operational and financial difficulties. These have been exacerbated by the effects of COVID-19 and the sharp fall in global oil prices. Companies partnering with PEMEX should contract company and government stakeholders to assess the impact of production cuts on operations and strategy and anticipate possible further reductions in production.

On 27 April, US-based mining company Freeport-McMoRan announced that it will reduce copper processing at its El Abra copper mine in Chile by 40 per cent and lay off 275 workers amid the COVID-19 pandemic and low global copper prices. The significant decline in copper prices of around 16.5 per cent since the beginning of 2020 has prompted Chilean state-owned copper giant, Codelco, to announce that low prices have put some of its projects ‘at risk’. While copper prices have steadily risen since late March, they are likely to remain lower than their 2020 opening price of around USD6,200 per tonne amid worldwide restrictions on commercial activity related to COVID-19. 

APAC

Hong Kong’s Financial Secretary Paul Chan Mo-po warned local legislatures this week that the territory faces the most serious recession in generations, with an impact that could last for many years. According to Chan the economy may shrink by between 4 and 7 per cent due to the impact of COVID-19, having already contracted by 1.2 per cent in 219 due to months of local protests and the effects of the US-China trade war. Overall unemployment levels surged in the January-March period, the highest rate in nine years and with further job losses likely to come in the April-June period.

Cambodia’s Ministry of Labour and Vocational Training has revealed that more than 130 garment and footwear factories employing around 100,000 workers have suspended operations due to the impact of the coronavirus (COVID-19) on demand for their output in the European market. Exports of garment, textile and footwear are forecast to decline by at least 50 per cent in 2020, with no guarantee that demand will greatly increase in 2021.

Cambodia’s highly competitive garment, textile and footwear sector is faced with the broad options of suspending work based on receiving some government support; continuing to operate well below capacity and reducing the level of financial loss; or closing. All have an obvious impact on the income of their mainly female workforce, who are often the sole source of cash income for families, have few alternative employment opportunities and are increasingly in debt. This final point was highlighted on Monday when efforts to introduce a three-month moratorium on loans and interests payments in response to lost income due to the pandemic and owed to microfinance companies (MFI) was rejected. A total of USD10 billion is owed to these companies by around 2.5 million mainly low-waged Cambodians, the highest total in the world borrowed from MFIs.

Cambodia has a remarkably low recorded COVID-19 rate at currently 122 cases and no deaths, which is certain to reflect the failure or inability to test for the virus rather than any other cause. However, the country’s economic future will be largely determined by its markets rather than its own policies or efforts. Foreign companies in the country should be aware of the potential for limited unrest if the pandemic continues to affect the local economy, as well as the consequences of the government’s use of oppressive force against peaceful protests.

Papua New Guinea’s government announced on 24 April that it would take control of the Porgera gold mine, located in the Highland’s region, after refusing to extend the operator Barrick (Niugini) Ltd’s (BNL) lease. Prime Minister James Marape, who has long sought better terms from foreign extractive companies operating in the country, said the decision not to extend BNL’s lease for a further 20 years had been made on environmental grounds. BNL halted operations at Porgera and the government threatened to effectively nationalise the mine.

BNL is a joint venture between Barrick Gold Corp. of Canada and China’s state-owned Zijin Mining. Barrick has made it clear it will pursue all legal means to challenge the government’s decision and to recover any losses. Zijin Mining has also warned Papua New Guinea against refusing to renew its lease on the mine, located in the Highland’s district Enga province. China is Papua New Guinea’s biggest creditor, which theoretically gives Beijing considerable influence in the country, while Barrick’s willingness to seek legal redress will deter most other foreign companies from taking over the Porgera operation without its permission. This can be expected to strengthen the position of opponents of Prime Minister James Marape.  

Europe

Germany-based car manufacturer Volkswagen (VW) is resuming operations at Wolfsburg, the company’s largest plant, and factories in the Czech Republic, Portugal, Russia, and Spain this week. This comes as other European carmakers, including Renault, Peugeot, and Fiat Chrysler also resumed operations as part of a drive to revive the badly hit industry. Jaguar Land Rover said it would gradually re-open some factories in Europe, including its plant in Solihull, UK, and Vauxhall indicated that it was ready to re-open a manufacturing site in Ellesmere Port. UK home improvement retailer B&Q also opened 80 sites on 23 April.  A growing number of countries are implementing a gradual relaxing of lockdown measures and companies should consider implementing new processes, in line with national guidelines on social distancing and disease prevention, into operational planning.

Following last week’s revelation that the European Commission is seeking to protect EU-based companies from foreign takeovers, Poland’s deputy prime minister, Jadwiga Emilewicz, said that the government wants to be notified of any planned takeovers of Poland-based firms from non-EU investors. Emilewicz said that economic difficulties have led to a surge in interest from funds and companies outside the EU. Among sensitive sectors that will be protected by the state include energy, medicine, pharmaceutics, food, transport, logistics, data processing and telecommunications. This comes as the government announced a PLN330 billion (EUR 72.8 bn) rescue plan to soften the economic blow from COVID-19.

The Associated Press reported that Poland recently fell victim to a ‘complex disinformation operation’ aimed at weakening Poland-US ties. A cyberattack targeting a Warsaw-based military academic institution saw a fake letter posted on its website calling on Polish soldiers to fight the ‘American occupation’ (in reference to US troops stationed in the NATO country). The Polish government believes this has the hallmarks of a campaign orchestrated by Russian intelligence operatives. Moscow has not commented but previously denied claims it was responsible for spreading disinformation. The timing and nature of the cyberattack, however, indicates that it is likely part of a broader disinformation campaign designed to fuel Western tensions and dissent among NATO members.  

MENA and Central Asia

Islamic State (IS) claimed responsibility for a suicide person-borne IED on 28 April at the Intelligence and Counter-Terrorism Directorate bureau located in the Qadisya neighbourhood of Kirkuk, some 240km north of Baghdad. Despite victory over IS being declared in December 2017, a low-intensity insurgency has remained, with an uptick in IS-claimed attacks occurring in the past few months in territories disputed between the Kurdistan Regional Government (KRG) and the central government in Baghdad such as Kirkuk, Diyala and Salahuddin. There are concerns that IS seeking to capitalise on the coronavirus pandemic to make battlefield advances. It is also worth noting that the recent wave of IS attacks comes as the US and the international anti-IS coalition draw down and consolidate their missions in Iraq and Syria.

A Palestinian teenager stabbed an Israeli woman in the town of Kfar Saba, northeast of Tel Aviv, on 28 April. The attacker, identified as a 19-year-old from the town of Tulkarem in the West Bank, sustained serious injuries whilst being apprehended and was subsequently arrested. One-off, low-level attacks occur periodically. However, a number of incidents occurred in the past week suggesting the continued intent of militants to stage attacks. Such attacks may inspire copycats in the coming days and weeks, especially as both grassroots and organised militants may seek to exploit the security forces’ preoccupation with the COVID-19 crisis. It is also likely that attacks will increase in the run-up to 1 July, the target date for the Israeli government to begin West Bank annexations. This date was agreed by Prime Minister Benjamin Netanyahu and Blue and White party leader Benny Gantz on 20 April as part of their unity agreement.

In a statement on 29 April, US financial services provider Visa welcomed the United Arab Emirates central bank’s move to increase the card verification method (CVM) limit before a pin is required. The announcement comes amid the novel coronavirus pandemic and increased global concern about the safety of using cash. The demand for contactless payments has grown in the UAE due to the pandemic. Companies in the UAE should anticipate lowered demand for cash transactions and follow all government guidelines regarding coronavirus-related restrictions.

Hundreds of people rallied on 23 April across Lebanon to denounce the central bank’s recent memo and the increased exchange rate of the US dollar against the Lebanese pound. Crowds gathered at money transfer offices, with few adhering to social-distancing recommendations for the novel coronavirus. Clashes were reported between protesters and security forces. Demonstrators continued to block roads and highways with burning tyres in multiple locations into 26 April. They were moved to denounce the deteriorating economic situation in the country, including rising living costs. Security forces reportedly used live ammunition to disperse crowds.

The onset of the COVID-19 pandemic had temporarily halted months of nationwide protests that began in October 2019; in mid-March, the government banned public gatherings and enforced a lockdown to prevent the coronavirus’ spread. However, protests have re-appeared over the past few weeks, driven by the ongoing corruption, inequality, deteriorating standards of living, and lack of reliable social safety net that have been worsened by the COVID-19 crisis. On 14 April, social affairs minister Ramzi Moucharafieh said some 70-75 percent of Lebanese citizens now need financial assistance. The Lebanese pound has lost around half its value since October. Meanwhile, protesters accuse the government of ineptitude, including mismanaging coronavirus relief plans. Delays to the appointment of candidates to key positions in the central bank and financial sector, important for addressing the economic crisis, have been attributed to political fighting and party quotas. Staff should anticipate additional protests in the coming days and weeks. Likely hotspots for unrest are Beirut’s Martyr’s Square and Tripoli’s Abdul Hamid Karami Square. Security forces are likely to use heavy handed tactics to disperse gatherings.  

Sub-Saharan Africa

On 29 April, Wamkele Mene, Secretary-General of the African Continental Free Trade Area (AfCFTA), announced that the implementation of the common market, slated to come into force on 1 July, has been postponed due to serious uncertainty brought by the COVID-19 pandemic. The postponement is in line with our forecast in our latest Sub-Regional Intelligence Monitor on West Africa. It is unclear for how long the implementation of the agreement will be postponed, as Mene did not provide further details of a new potential timeframe. He did, however, express optimism that the agreement would go ahead eventually.

The business rescue practitioners of the ailing flag carrier, South African Airways, on 23 April warned that the airline had run out of funds to pay staff salaries beyond 30 April. In a notice to the affected parties, they said that a wind-down process of operations was contingent on staff accepting draft settlement agreements, offered to employees on 17 April. Failing that, and given that the government in early April rejected a request for more funds and flouting of foreign exchange spending caps, they warned that they would have to ‘make an urgent application’ to end the business rescue operations and place SAA under liquidation. The notice was issued after the National Union for Metal Workers of South Africa (NUMSA) and the South African Cabin Crew Association (SACCA) on 20 April jointly rejected the proposed settlement agreement outright, saying they had not been consulted.

NUMSA and SACA represent over 3,000 of SAA’s workers. Given their strongly worded rejection of the proposal, the settlement deal is highly unlikely to be accepted by unionised staff. Without an eleventh-hour rescue package from the government, which appears highly unlikely amid the COVID-19 pandemic and associated flight suspensions, SAA is effectively on its ‘death bed’. In light of the latest developments, we have increased South Africa’s Aviation Risk from Medium to Elevated, with a Negative outlook.