Geopolitical and Cybersecurity Risk Weekly Brief 8 April 2020
COVID-19 Cybersecurity Update
Coronavirus (COVID-19) has severely affected all sectors, slowing the global economy, forcing governments to impose lockdowns that have exponentially increased remote working, opening up new cyberattack landscapes in the process. Malicious campaigns, from phishing operations to malware distribution, continue to leverage the pandemic. Proofpoint researchers reported that coronavirus-themed attacks are dominating the threat landscape, with over 80 per cent of threats using the virus as some kind of lure. To date, the researchers have seen over 500,000 messages, 300,000 malicious URLs, 200,000 malicious attachments with coronavirus themes across more than 140 campaigns.
On 30 March, France-based defence company Thales warned that state-sponsored actors and cybercriminals are posing an ‘advanced persistent threat’ by exploiting the pandemic. The latest APT activity involved Chinese group, Vicious Panda, which targeted the Mongolian public sector with attachments disguised as documents from the country’s foreign ministry. From a geopolitical perspective, the attacks carried out by pro-Russia groups suggest that these form part of a broader effort to deepen divisions amid growing signs of fragmentation among EU countries.
The FBI has warned of an increase in exploitation attempts of virtual communication environments used by government agencies, private companies, and individuals. This is said to be a direct result of the COVID-19 pandemic. Threat actors will exploit vulnerabilities in these systems to steal sensitive data, target financial transactions, and extort organisations.
The website of the Italian National Social Security Institute was attacked on 1 April by unknown threat actors. The institute is responsible for processing the applications from Italian citizens for COVID-19-related benefits. The reasons behind the attack were not made clear, but the timing suggests an attempt to disrupt coronavirus recovery and support efforts. Any data that was stolen will be valuable in nature and could be sold on.
A wave of misinformation about COVID-19 has spread across India on major social media platforms, most notably via WhatsApp, Facebook and Twitter. On 28 March, the Delhi Police released a public advisory about the rising threat of cybercrimes related to coronavirus. On 30 March, the Indian Army’s directorate general of public information publicly rejected claims on social media that the Indian government would declare a state of emergency by mid-April.
Alongside false claims on social media, there is also a heightened cybercrime risk with fraudsters aiming to capitalise on the pandemic. The Prime Minister's Citizen Assistance and Relief in Emergency Situations Fund (PM CARES Fund), which will be used for disaster management and research into COVID-19, has notably been targeted. On 28 March, Delhi Police’s Cybercrime Unit announced that it had detected a number of fake ‘PM CARES’ accounts with instant real-time payment systems that scammed people into paying money in the belief that they were donating to the legitimate fund. Facebook and the Indian government are working together to curb the spread of misinformation on social media.
Companies as diverse as Netflix, a Brazilian bank, and a popular children’s gaming app have been spoofed, as well as healthcare organisations around the world. The main aim of these attacks has been the theft of financial information. Lures have included WHO coronavirus safety and prevention methods; coronavirus outbreak and cures; face mask supply; WHO donation; suspension of activity due to the virus; and payment transfer copies.
Threat actors have been using YouTube to spread disinformation and scams. Some videos offer fake vaccines, for USD135, that claim to protect buyers from the virus. Others have advertised medical masks for sale, COVID-19 drugs and more.
Unknown threat actors have targeted World Health Organization (WHO) employee email accounts with phishing emails. An Iranian group has been blamed, with the Iranian government denying any involvement: they claimed this was “all sheer lies to put more pressure on Iran. Iran has been a victim of hacking."
A GoDaddy employee recently fell victim to a spear-phishing attack. Five other customer accounts were “potentially” affected. During the incident, the threat actors changed the DNS records for escrow.com to point to a third-party web server which. Escrow.com stated it would be sharing more details about the incident in the coming days, but emphasised that none of its systems, customer data, funds or domains had been compromised. The impacted accounts have been locked down.
Microsoft's Detection and Response Team (DART) reported an Emotet attack against an unnamed organisation that resulted in a full network shutdown after all devices overheated. The initial infection vector was a phishing email attachment.
An APT group has been exploiting two vulnerabilities patched earlier this year in Firefox and Internet Explorer. These attacks have mostly been aimed at China and Japan. Both vulnerabilities were used as part of a campaign pushing Gh0stRAT to Chinese government agencies, attributed to the @DarkHotel APT.
Zoom and the Risks of Remote Working
On 30 March, New York Attorney General Letitia James wrote to US-based video conferencing platform Zoom to enquire about measures the company is taking to ensure users’ privacy amid a surge in demand during the coronavirus pandemic. In the letter, James said that the company had previously been slow to fix security flaws.
Zoom is a high-value target for threat actors because of the massive rise in its popularity due to the current coronavirus lockdowns, with Zoom becoming the most-downloaded application on US app stores. As hundreds of millions of people are now working from home, the use of conferencing software has increased exponentially. Over 3,300 new domains with the word 'Zoom' in them have been registered since the start of the coronavirus pandemic. 2,000 of these have been identified as phishing domains.
Cyjax discovered a new public forum named 'Zoom Leaks'. The forum allows members to post the meeting IDs for unsecured Zoom meetings. Elsewhere, threat actors using repackaged Zoom software to trick users into installing malware. This malicious Zoom package is being distributed through third-party markets.
Later in the week, researchers found an automated Zoom meeting discovery tool, dubbed zWarDial, which gives threat actors the ability to find non-password protected Zoom meetings. According to its creators, zWarDial can find an average of 110 meetings per hour. The largest group of companies exposing their Zoom meetings were found in the technology sector, including some security and cloud technology companies. There have been multiple reports of uninvited guests entering meetings, or ‘Zoombombing’, for the purposes of racism or to share explicit images.
To mitigate potential security risks and hijacking, video conference hosts should protect each meeting with a unique password distributed via secure email or messaging service, limit the screen-sharing function to ‘host only’, and remove disruptive participants from a meeting.
DATA BREACHES AND FRAUD
Hotel chain Marriott International announced a data breach exposing the personal details of “approximately 5.2 million guests". The data is thought to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise. This breach could not possibly have come at a worse time for the hotel chain: it will undoubtedly already have been severely impacted by the COVID-19 pandemic and it is the second time in under two years that this has happened to the conglomerate.
This week has seen three separate voter data breaches. Voter contact and canvassing app, Campaign Sidekick, exposed sensitive information about US voters online. The app is used by both the Republican and Democrat parties in election campaigns. A database containing information about 337,384 voters in Malta was left open and online by Maltese software developer C-Planet IT Solutions. And 4.9 million Georgian citizens' voter information was discovered on a darknet forum. The database contained 4,934,863 records, but many of these records pertained to millions of deceased voters. The data was subsequently leaked on darknet forum xss.is.
VpnMentor has reported a breached database belonging to Cloud backup provider SOS Online Backup. It contained 135 million records of metadata related to user accounts on the service. This breach is detrimental to its brand identity, as it claims to be “The World’s Most Secure Online Backup” cloud service.
Security researcher Bob Diachenko identified a potential data breach affecting AirAsia Group. The researcher publicly asked on Twitter for a security-related contact belonging to the airline, claiming that passenger data is at risk.
A Raid Forums post is selling credit card numbers and other complete sets of personally identifiable information (PII). The data pertains to 320,000 US residents and includes residential addresses, office addresses, phone numbers, email addresses, credit scores, and dates of birth, among 10 other fields.
A threat actor has been breaking into unsecured Elasticsearch servers for at least the last two weeks. The attacker attempted to wipe the servers' contents, leaving the name of a cybersecurity firm, Night Lion Security, in an effort to divert blame. Night Lion Security claims that it has nothing to do with these attacks.
A phishing campaign is targeting customers of Randolph-Brooks Federal Credit Union (RBFCU), a large financial institution located in Texas. RBFCU has over 850,000 members. This campaign follows a typical phishing flow, with the objective of obtaining sensitive user information.
A new lure document used by the @Kimsuky group in its COVID-19-themed spear-phishing attacks referenced the European External Action Service (EEAS). The likely target was the EEAS chief decision-maker for Korean Peninsular relations and was reportedly involved in several meetings regarding the COVID-19 crisis on the Korean peninsula.
MakeFrame is a new card skimmer that has been linked to @Magecart Group 7. This skimmer has been actively harvesting card data from 19 different sites, mainly belonging to small or medium-sized businesses. Magecart is one of the main threats to online retailers. There are known to be at least 12 – and possibly as many as 33 – groups all operating under this name. All of them look to steal financial data from websites’ checkout pages, with some actively attempting to undermine others in the Magecart stable.
APT ACTIVITY AND MALWARE CAMPAIGNS
RedDrip7 has uncovered new malware samples, leveraging the coronavirus, that are linked to @Lazarus, the North Korean government-backed threat group. The malware, contained in Hangul Word Processor (HWP) documents, are reportedly being leveraged in a new campaign against South Korea. If a victim opens one of these HWP documents and enables the malicious content, a backdoor is dropped which can enable the attackers to gain remote control over a victim’s device.
A new phishing campaign purports to have been sent from the IT department of the recipient’s company and contains instructions on how to work from home and install a VPN.
A US-based company is being targeted in a new TrickBot campaign that uses the malware's new networkDll module to perform reconnaissance. The campaign leveraged Cobalt Strike and the Beacon implant for enumeration and lateral movement through a system. Intrusion indicators linked the attack to a threat group called @UNC1878.
An Android spyware operation using the Mandrake platform is targeting primarily Australian users. While Mandrake was only discovered this year, researchers believe that the platform has been active since at least 2016. To date, Mandrake has targeted apps for Google Chrome, Gmail, ANZ Australia, Commonwealth Bank of Australia, Bank of Melbourne Mobile Banking, Bank of SA, Australian Super, and PayPal.
Operation Holy Water, a new watering hole campaign, is targeting Tibetan individuals and organisations. The attacks are thought to be perpetrated by a new Chinese APT, dubbed @StormCloud. Compromised sites and a fake Adobe Flash Player installer deliver malware. @StormCloud has been targeting Tibetan organisations since at least 2018.
Trend Micro has issued a security advisory about the number of vulnerable Remote Dictionary Servers (Redis) that are public facing online. There are currently over 8,000 such servers running unsecured in enterprises around the globe. Some are even deployed in public clouds, such as AWS, Azure, Tencent Cloud, and Google Cloud. Cybercriminals are constantly scanning for Redis servers to exploit. Botnets and malware that specifically target Redis servers include cryptominers.
New research from Guardicore has uncovered a long-running campaign, dubbed Vollgar. The attacks, which have been traced back to May 2018, target Windows machines running MS-SQL servers. The worst affected countries include China, India, the US, South Korea, and Turkey.
A whistle-blower is claiming that the Saudi government is exploiting vulnerabilities in mobile networks to track its citizens in the US as part of a "systematic" surveillance campaign. The locations of Saudi citizens were recorded over a four-month period from the start of November 2019. SS7 protocols are typically used by carriers around the world to route and direct calls and messages between networks. Weaknesses in the networks could allow a person or organisation to eavesdrop on calls and read text messages, as well as accurately track devices.
The darknet continues to be severely impacted by the COVID-19 crisis. Over the past week, several well-known vendors have announced they will no longer be accepting orders. Others have continued to operate but have notified customers that shipping times will be severely delayed. Earlier this week, the French postal service La Poste acknowledged their reduced staff will result in delivery service slowing considerably. Many users fear the US postal service will likely follow suit over the next few weeks, which will further disrupt darknet trade.
Empire market continues to be inundated with complaints about their poor service. Rumours continue of transactions disappearing from escrow and accounts being banned without warning. At least some of these complaints appear to be a coordinated disinformation campaign from a relatively new rival market, Pax Romana. However, others appear to have been made independently, although this does not mean they are genuine. Nevertheless, poor competition ensures that Empire will remain the dominant market, at least for now.
Finally, the source code of several well-known darknet markets has recently appeared for sale on rival markets. The source code for Silk Road 3.1 (also used by BitBazaar), as well as the source code for the now defunct Tochka market is currently for sale. The authenticity of these listings is currently unconfirmed. However, if they do prove genuine, it is highly likely that several new markets running this source code will appear soon.
Over the past several weeks, there has been a notable increase in threat actors selling access to compromised Magento accounts on the darknet. The listings mostly provide only limited information, making it hard to identify the victim. However, some information, such as the number of monthly sales, location of company, and version of Magento being run are normally included. Based on this information, it appears the majority of victims are small and medium-sized enterprises running outdated versions of Magento.
COVID-19 GEOPOLITICAL THREATS AND IMPACTS
On 26 March, the US Department of the Treasury’s Office of Foreign Assets Control imposed sanctions on 20 more high-profile Iranian and Iraqi senior officials, business associates and companies. This comes despite growing calls in Iran to suspend sanctions amid the COVID-19 crisis where Iran has emerged one of the worst affected countries in the world. These calls have also come from the international community. The blacklisted individuals and companies will have any assets in the US frozen and will be banned from conducting any businesses with Americans or any US companies.
Later in the week, on 31 March, the EU-Iran trading mechanism Instrument in Support of Trade Exchanges (INSTEX) successfully conducted its first transaction. Germany, France and the United Kingdom enabled the export of medical devices from Europe, according to the German foreign ministry. Berlin also said the mechanism would facilitate other transactions with the Iranian mirror organisation Special Trade and Finance Instrument (STFI) in the future.
INSTEX, created in January 2019, is a special-purpose vehicle (SPV) aimed at helping EU companies do non-cash transactions with Iran to avoid contravening US sanctions against the country. The use of the SPV is limited to humanitarian purposes including the purchase of otherwise embargoed foods or medicines. The Iranian response had been sceptical to this point but the country’s struggle with the coronavirus outbreak is thought to have provided a cover for the recent transaction. It is unlikely, however, that INSTEX will be able to significantly bolster Tehran’s battered economy and will undoubtedly elevate tensions between the US and Iran.
Oil Plummets, Libyan Tensions Rise
The Kremlin announced on 30 March that US President Donald Trump and Russian President Vladmir Putin had agreed to allow energy officials from their respective countries to hold discussions on stabilising the oil market. The development resulted in Brent Crude prices rising by 2.7 per cent to USD23.37 a barrel on 31 March after finishing at USD22.76 on 30 March, the lowest since November 2002. This comes after Russia pulled out of an agreement with OPEC and its allies on 6 March, refusing to uphold oil production cuts. The agreement officially ends on 1 April, meaning Russia’s output levels are now likely to return to full capacity. Saudi Arabia, the de facto leader of OPEC, has stated its intentions to match this ramping up of output by increasing oil exports to 10.6 million barrels per day from May. If the renewed levels of output go ahead in the coming months, oil prices are likely to drop even further amid a global oil glut.
In Libya, the UN-backed Government of National Accord (GNA) announced ‘Operation Peace Storm’ on 26 March to respond to growing attacks in Tripoli by forces of the Libyan National Army (LNA). These attacks have continued despite a ceasefire proposed by UN and European countries to help curb the spread of COVID-19. The LNA, backed by Egypt and UAE, has been attempting to take control of Tripoli since April 2019. This is a notable escalation in tensions between the GNA and LNA and will likely mean a significant increase in violence in Tripoli in the short-term outlook, particularly around residential areas surrounding Mitiga Airport, currently held by the GNA, where violence has intensified since February 2020.
Powered by Cyjax Ltd and A2 Global Risk Ltd. 2020