Cybercriminals and Nation-States Aim to Subvert Systems and Devices
An Android app purporting to offer real-time tracking of local COVID-19 infections is really CovidLock ransomware in disguise. (Source: DomainTools)
Attackers are continuing to use concerns over COVID-19 to distribute ransomware and malware, including for smartphones. The healthcare sector is perhaps at the greatest risk from these attacks because it’s serving as the front-line defense against the disease.
Likely culprits behind such attacks include the usual suspects: cybercrime operators looking to make a fast buck – for example, by demanding a ransom to unlock crypto-locked systems – as well as nation-states seeking to sow chaos (see: Nation-State Hackers Using COVID-19 Fears to Spread Malware).
Last weekend, for example, the U.S. Department of Health and Human Services saw increased scanning of its network and potentially a distributed denial-of-service attack.
“Expect increased attacks in the name of COVID-19, particularly against businesses involved in testing and treatment; it’s similar to other efforts to shortcut development by exfiltrating others’ intellectual property or research,” Lee Neely, a senior cyber analyst at Lawrence Livermore National Laboratory, said in a recent SANS Institute newsletter. “Verify your defenses, including monitoring and alerting capabilities, with an eye to operational impacts of increased numbers of remote workers, possibly even your SOC. Be prepared to alter your definition of normal due to modified working arrangements.”
Ransomware Continues to Target Healthcare
Despite the essential role healthcare organizations are playing in fighting the pandemic, the vast majority of criminals don’t appear to have steered clear of targeting the sector with ransomware attacks (see: COVID-19 Complication: Ransomware Keeps Hitting Healthcare).
Potentially compounding the problem, ransomware attacks tend to spike in the spring and summer, security firm Emsisoft says.
“It is likely that there will be an increase in the number of healthcare providers impacted by ransomware in the coming months and, unfortunately, this increase may coincide with the peak of the COVID-19 outbreak,” it says in a blog post. “Further, the spikes may be more pronounced than in previous years due to security weaknesses resulting from hastily introduced work-from-home arrangements, personal device usage and staffing shortages.”
One potential challenge facing ransomware gangs is that fewer businesses and individuals may have the funds to pay their attackers off, even if they wanted to. That, in turn, could lead to ransomware gangs attempting to hit more targets to compensate, says British cybersecurity researcher Kevin Beaumont (@GossiTheDog).
I imagine ransomware groups will try to increase number of targets to compensate, it depends if they have the finances banked to scale out.
— Kevin Beaumont (@GossiTheDog) March 18, 2020
On Wednesday, security firms Coveware and Emsisoft issued a joint statement announcing free assistance for “critical care hospitals and other healthcare providers that are on the front lines of COVID-19 and have been impacted by ransomware.”
The aim of the effort is “to get impacted providers operational again in the shortest possible time so that patient care is minimally disrupted,” Brett Callow, a threat analyst at Emsisoft, tells Information Security Media Group. “We’re anticipating an increase in ransomware incidents, which could be significantly in excess of the typical seasonal spikes and, unfortunately, may coincide with COVID-19’s peak – a perfect storm.”
Some security experts have promised a literal day of reckoning for any criminals that attempt to turn the pandemic to their advantage by targeting healthcare organizations.
“If you target hospital computer systems during the pandemic, we will use all of our resources to hunt you down,” says Mikko Hypponen, chief research officer of Finnish security firm F-Secure.
Public message to ransomware gangs: Stay the f away from medical organizations. If you target hospital computer systems during the pandemic, we will use all of our resources to hunt you down.
— @mikko (@mikko) March 18, 2020
Malicious Mobile Apps
Attackers have also been deploying malicious Android apps with COVID-19 themes. This includes CovidLock, a newly spotted Android ransomware designed to lock victims’ screens until they pay a ransom.
“Attackers offered a malicious real-time update app via the coronavirusapp.site domain, which pulled information from the legitimate infection2020.com, for tracking U.S. COVID-19 news, and featuring a banner encouraging users to install the app,” say Tarik Saleh and Chad Anderson, security researchers working for Whois intelligence firm DomainTools (see: Act Fast: Best Practices for Arresting Spoofed Domains).
If users download and install the app, it requests full access to a user’s device “by asking if you want to enable the application in Accessibility to monitor COVID-19 stats, as well as when a victim wants to know when a known COVID-19 patient is near your vicinity,” the researchers say. “Once a user allows CovidLock’s request, this permission provides nearly full control of the device to CovidLock.”
The ransom being demanded by CovidLock is 0.011 bitcoins, equivalent to $100 when the app was coded, but now worth just $60 because the COVID-19 pandemic has led to a dramatic drop in the value of cryptocurrencies, the researchers say.
Ransom note (Source: DomainTools)
The DomainTools researchers say they’ve traced the SSL certificates used for the malicious coronavirusapp[.]site domain – originally registered on March 8 – to another site, dating4sex[.]us, which also pushes the malicious app. That site, they say, “has registration information pointing to an individual in Morocco.”
One piece of good news about this attempted shakedown is that the attacker’s poorly written code has made it relatively easy to crack, the researchers say. “We have reverse-engineered CovidLock’s decryption key and have released it publicly for any victims affected by this ransomware: ‘4865083501.’”
Site distributing COVID-themed malware (Source: DomainTools)
Nation-State Deploys ‘COVID’ Surveillance App
Another Android app move: In Iran, which has been particularly hard hit by COVID-19, all mobile phone users received a government-issued alert to download the “AC19” mobile app via the “Café Bazaar” mobile app store, Vice reports.
The app claimed to be able to detect whether users were infected with the coronavirus after they filled out and submitted a brief health questionnaire via the app. But Vice reports that the app, aimed at the country’s 3.5 million citizens, includes real-time user tracking, which the government could thus use to attempt to identify infected individuals and better contain the outbreak.
On Wednesday, Iran said that at least 1,135 people have died from the disease in the country, which has more than 17,360 confirmed cases.