Paul Scott

on March 26, 2020

Threat Report Thursday March 26th 2020


It should be no surprise that hackers are breaking their promises. The World Health Organization, FedEx, and the U.S. Department of Health and Human Services are being used in COVID-19 lures. In other hacking news, the Russian FSB nabs 30 hackers in coordinated raids, and the window of opportunity is open for two unpatched Windows code execution vulnerabilities that are being actively exploited.

Threat actors using COVID-19 information as a lure

The spread of coronavirus disease 2019 (COVID-19) has led to a change in the attack surface of many organizations. As workers have moved to working from home, security controls deployed at HQ are not effective for employees currently working from home. Perch has provided some guidance on securing remote workers.

Healthcare is no exception to this, as non-clinical staff are working remotely. This new threat to healthcare comes at a time when healthcare resources are constrained by efforts to contain and respond to the pandemic.

Threat actors are running a high volume of COVID-19-themed campaigns. Thousands of coronavirus-related domains are being registered every day to impersonate and target healthcare institutions with phishing campaigns and to host exploit kits.

Some ransomware operators have claimed that they will cease operations focused on healthcare entities, but even the ones that have made this pledge have still been seen impacting COVID-19 research. Maze Ransomware made this pledge; however, that didn’t help Hammersmith Medicines Research (HMR), a healthcare research group working on a COVID-19 vaccine.

In response to the surge in COVID-19 related hacking activity, over 1,000 security professionals from different security companies and security teams have banded together in a COVID-19 Cyber Threat Coalition on Slack to battle hackers and share information about these campaigns. If you’re interested in joining the war effort, hit us up on Twitter for an invite.

Maze hammers Hammersmith

The IT staff of London-based Hammersmith Medicines Research (HMR) discovered an attack that led to Maze Ransomware. This was after Maze pledged to avoid targeting healthcare amid COVID-19.

HMR is an independent contract research organization that develops vaccines and drugs to treat various diseases such as Ebola, Alzheimer’s, and COVID-19. Due to the quick incident response of HMR’s IT staff, the organization’s computer systems and emails were restored within the day.

According to the managing and clinical directors of the research center, the incident did not cause disruptions to its day-to-day operations. Following the incident, the threat actors behind the attack published sensitive personal and medical information of roughly a thousand former patients, including the ransom demand.

Officials stated the exposed information contained medical questionnaires, copies of passports, drivers’ licenses, and national insurance numbers that were archived between eight and 20 years ago. The initial access vector of the attack was not disclosed by HMR, but there were reports that the threat actors used exploit kits and phishing techniques to deliver the payload to their targets.

We have high confidence that the coronavirus pandemic will spur not only financially motivated hackers, but also nation-state hacking groups to target pharmaceutical and research groups involved in developing a vaccine.

Who is targeting WHO?

On March 24, 2020, Reuters announced that the World Health Organization (WHO) was targeted by an unsuccessful spear phishing campaign designed to harvest credentials.

According to Alexander Urbelis, a researcher and attorney at the New York-based Blackstone Law Group, the attempted attack against the WHO took place on March 13, 2020 when a threat actor set up a malicious site mimicking the WHO’s internal email system.

The malware used in this campaign is believed to be the work of the advanced persistent threat (APT) Darkhotel, but there is insufficient evidence to definitively say who did it. So, who done it?

Since February 2020, the World Health Organization has been the primary target of cybercriminals who have begun spoofing the organization’s name and images as part of ongoing phishing campaigns looking to take advantage of the COVID-19 pandemic.

Lokibot’s FedEx Covid Customer Advisory Campaign

A phishing campaign used the FedEx trademark, claiming to provide targets with information on global FedEx operations in relation to COVID-19. The malspam contained an attachment titled “Customer Advisory.PDF.exe” that infected the victims with Lokibot malware.

The security community is responding with the formation of a COVID-19 Cyber Coalition.

Raccoons abused HHS open redirect in COVID-19 phishing campaign

On March 23, 2020, security researchers identified a coronavirus-themed phishing campaign that abused an open redirect on the website of the U.S. Department of Health and Human Services (HHS) to deliver the Raccoon Stealer malware.

Raccoon Stealer is capable of compromising data such as email credentials, credit card details, cryptocurrency wallets, browser data, and system information. The attack starts with a link to the open redirect,

https://dcis[.]hhs[.]gov/cas/login?service=MALICIOUSURL&gateway=true

which is present on the HHS Departmental Contracts Information System (DCIS) subdomain and is used to link to a malicious attachment, tracked as “coronavirus.doc.lnk,” that executes the Raccoon Stealer malware on the victim’s computer.

You can check out a recording and execution of the campaign on any.run.
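A defender-side triage check for the two lures described in this report, the `service=` open redirect on a trusted host and the double-extension attachments ("Customer Advisory.PDF.exe", "coronavirus.doc.lnk"). This is an added example, not code from the original report or from Perch; the redirect parameter list, the extension sets and the `evil.example` sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed redirect-style parameter names; "service" is the one seen in this report.
REDIRECT_PARAMS = {"service", "url", "redirect", "next", "return", "returnurl", "goto"}
# Assumed extension sets: a harmless-looking extension followed by an executable one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
EXEC_EXTS = {"exe", "lnk", "scr", "js", "vbs", "bat", "cmd", "hta"}


def refang(url):
    """Undo common defanging so indicators copied from reports parse."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def redirect_targets(url):
    """Return (param, target_host) pairs where a redirect-style query
    parameter carries an absolute URL that points at a different host."""
    parts = urlsplit(refang(url))
    origin = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        # parse_qsl decodes once; decode again to catch double encoding.
        value = unquote(value).strip()
        if value.startswith("//"):
            value = "http:" + value  # scheme-relative target
        target = (urlsplit(value).hostname or "").lower()
        # Same host or a subdomain of it is treated as an internal redirect.
        if target and target != origin and not target.endswith("." + origin):
            hits.append((name, target))
    return hits


def deceptive_attachment(filename):
    """True when a document-looking extension precedes an executable one."""
    pieces = filename.lower().rsplit(".", 2)
    return len(pieces) == 3 and pieces[1] in DECOY_EXTS and pieces[2] in EXEC_EXTS


if __name__ == "__main__":
    # Constructed sample: the report's URL shape with a placeholder target.
    sample = ("https://dcis[.]hhs[.]gov/cas/login"
              "?service=https%3A%2F%2Fevil.example%2Fpayload&gateway=true")
    print(redirect_targets(sample))
    for name in ("Customer Advisory.PDF.exe", "coronavirus.doc.lnk", "report.pdf"):
        print(name, deceptive_attachment(name))
```

Run against mail gateway or proxy logs, a hit from `redirect_targets` on a trusted government or corporate host is worth reviewing even when the outer domain has a clean reputation.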

Russian Federal Security Service arrests 30 hackers

In other, non-Corona related news, multiple Russian media sources reported that the Russian Federal Security Service (FSB) and the Ministry of Interior (MVD) Investigative Committee conducted a joint operation arresting more than 30 hackers in 11 regions of Russia.

This has been reported as the “largest group of hackers exposed in Russia.” The FSB has accused the arrested individuals of stealing and selling payment card data from victims throughout the world.

Authorities reportedly seized more than one million dollars in cash, computer servers, fake passports and IDs of law enforcement officials, weapons, narcotics, and bars of gold. Among the detainees were Russian, Ukrainian, and Lithuanian citizens.

Maybe some of these hackers will be offered an opportunity to work for the FSB on a nation-state hacking team to target COVID-19 research groups and secure valuable vaccine research for Mother Russia.

Microsoft Adobe Type Manager Library RCEs

Microsoft has released an out-of-band security advisory ADV200006 to address two critical remote code execution (RCE) vulnerabilities in Adobe Type Manager Library (no relation to Adobe), a library used to render certain fonts inside Windows operating systems. According to the advisory, Microsoft has observed limited targeted attacks on Windows 7 machines.

Microsoft did not disclose any further details surrounding these attacks. The vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font - Adobe Type 1 PostScript format.

There are multiple ways an attacker could exploit the vulnerabilities, including convincing a user to open a specially crafted document or to view it in the Windows Preview pane.

Microsoft is currently working on a fix. Microsoft notes that the threat of abuse is low for systems running Windows 10 because of “mitigations that were put in place with the first version released in 2015.” (Microsoft has not observed any attacks against the Windows 10 platform specifically.) Users are advised to upgrade to the Windows 10 family of clients and servers and review the published security advisory.


We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
