The COVID-19 vaccine campaign has the components of a state-sponsored attack.

Edward Gately, Senior News Editor

December 4, 2020

Cybercriminals are targeting the COVID-19 vaccine supply chain, and if successful they could destroy cargo loads of the life-saving vaccines.

That’s according to IBM Security X-Force’s latest threat research. It discovered a campaign against the COVID-19 vaccine cold chain.

Pfizer and Moderna have announced promising results from their COVID-19 vaccine trials. Therefore, countries are initiating the process of distributing vaccines. However, these vaccines rely on temperature-controlled environments, also known as the cold chain, for distribution.

IBM Security X-Force discovered a targeted operation against the COVID-19 vaccine cold chain that supports the Gavi Alliance and UNICEF’s efforts to safely transport a vaccine to underdeveloped regions. Moreover, these regions rely on external aid to store their medicines in temperature-controlled environments.

Claire Zaboeva is senior cyber threat analyst with IBM Security X-Force.

“The COVID-19 cold chain represents a new kind of global critical infrastructure,” she said. “If damaged or disrupted, it is possible cargo loads of life-saving vaccines could be destroyed.”

Malicious actors sought to harvest credentials, likely to gain illegal access to targeted environments, Zaboeva said. Should they gain a presence on the system, they may carry out a multitude of attacks, ranging from collecting sensitive or critical information to conducting disruptive or destructive attacks.

“The compromise of any of the targeted organizations, which maintain direct ties to multiple national government networks associated with trade and regulation, may serve as a single point of compromise impacting multiple downstream targets,” she said.

According to IBM Security X-Force’s research:

  • Attackers impersonated Haier Biomedical to conduct spear-phishing attacks against global organizations that provide material support to the cold chain. Haier reportedly is the world’s only complete cold chain provider.

  • Attackers targeted global organizations in at least six countries, including the European Commission’s Directorate-General for Taxation and Customs Union, petrochemicals, solar panel companies and more organizations across other industries.

  • Attackers attempted credential harvesting to access sensitive information pertaining to COVID-19 vaccine transport and distribution.

“All security providers worldwide will need to collaborate in defending this emerging infrastructure,” Zaboeva said. “Likewise, at the corporate level, companies need to cultivate a culture of cyber awareness, one that includes an active security posture that has a practiced incident response plan in place.”

Zaboeva offers the following suggestions for targeted organizations:

  • Trust but verify. Now is the time to scrutinize everything from your partners. Pick up the phone and call them to confirm emails or unsolicited attachments are really from them.

  • Limit employee access to sensitive information. Only provide access to those who need it for their roles.

  • Use multifactor authentication (MFA) across your organization. This is an extra layer of defense that stops a bad guy from getting in even if they do succeed in getting your username, email and password.

It’s very possible this is just the start of attacks on the COVID-19 vaccine supply chain as initial distribution nears, Zaboeva said.

“Given global demand for a life-saving vaccine, it is highly likely advanced insight into the secure cold chain transport underpinning the worldwide distribution of vaccines represents a continuing high-value target for both state-sponsored threats and independent cybercriminals,” she said.

RiskIQ: Universities Increasingly Under Attack

Twenty universities globally have been subject to phishing campaigns since July, according to RiskIQ’s “Shadow Academy” report.

The attacks are similar to those of the Iranian company Mabna Institute, which illegally gains access to non-Iranian scientific resources through computer intrusions.

RiskIQ has named the actors identified during this research as “Shadow Academy.”

Among the key findings:

  • The credential-harvesting URLs focused mainly on popular services like Amazon, Instagram and online banking.

  • A Louisiana State University (LSU)-themed student portal login page was the first identified target.

  • Library-themed attacks targeted 37%.

  • General access or student portal attacks targeted 63%.

  • Financial aid-themed attacks targeted 11%.

Many college campuses began releasing timelines for traditional on-campus operations in July, RiskIQ said. Research suggests that Shadow Academy actors timed the development of malicious infrastructure to take advantage of back-to-school chaos.

Universities have been a historically lucrative attack landscape for attackers such as Silent Librarian and w4coders. They knowingly take advantage of overwhelmed IT staff during the start of the school year.

Cory Kennedy is a threat researcher for RiskIQ. He said the attackers are typically attempting credential theft.

“Targeting students with Netflix phishing campaigns may seem pointless, but many people reuse passwords for multiple systems,” he said. “This is well known by the attacker community and enables credential stuffing attacks. The FBI warned about this attack type recently.”

Damage ranges from multiple account breaches to financial loss, Kennedy said.

“Organizations should be training faculty, students and staff about identifying and avoiding phishing attacks,” he said. “However, they should also have systems in place that can identify brand abuse that many threat actors employ to execute these phishing attacks.”

The frequency of brand attacks can overwhelm security teams, and providers have different approaches to solving this problem, Kennedy said.

“RiskIQ’s global network of virtual users use a combination of threat feeds and configured searches for brand keywords to encounter threats, including phishing, domain infringement, rogue mobile apps, social media impersonation and brand-lure malware, the same way that victims do,” he said. “Virtual users closely mimic human behavior in the way they navigate websites and use a broad range of geographic locations, OS and browser-types, and other characteristics to catch targeted attacks by threat actors trying to evade detection.”

RiskIQ says it will continue to research Shadow Academy and share findings.

Hacker-for-Hire Group DeathStalker Hits the Americas and Europe

Kaspersky researchers have spotted new malware activity in the wild from DeathStalker. The advanced persistent threat (APT) offers hacking-for-hire services targeting companies in the financial and legal sectors.

DeathStalker uses a new malware implant and delivery tactics involving a backdoor Kaspersky has dubbed PowerPepper.

The backdoor remotely takes control of victim devices. It leverages DNS over HTTPS as a communication channel to hide communications with the control server behind legitimate-looking traffic. PowerPepper also uses several evasion techniques.

DeathStalker doesn’t care about politics, and it isn’t seeking financial gain from the companies it targets. Rather, its members act as mercenaries, offering their hacking services for a price.

Pierre Delcher is a security expert at Kaspersky.

“DeathStalker is likely looking for business intelligence, i.e. content and data that are of interest in the framework of the missions and contracts it has been tasked for,” he said. “DeathStalker may be extracting large chunks of data first, and looking for the specifics offline then, so the associated specific interests are not revealed during investigations.”

The cybercriminals most likely access and copy sensitive, confidential and protected information, Delcher said.

“Such information could allow competitors to win contracts or lawsuits that they should not have, discover personal secrets, or carry activities on behalf of targeted organizations’ identity/brand,” he said. “The same malware intrusion chains and tactics could just as well be leveraged by other actors to disrupt activities or deploy ransomware.”

PowerPepper is typically spread via spear-phishing emails. Malicious files are delivered in the email body or within a malicious link. The group has exploited international events, carbon emission regulations, and even the pandemic to trick their victims into opening the malicious documents.

“SMBs are definitely a target for DeathStalker’s activities,” Delcher said. “We could identify law and finance consultancy firms to be frequent targets, and most of them were not big corporations.”

SMBs may not control their IT assets or dedicate enough resources to protect against cyberattacks, he said.

DeathStalker’s tools rely heavily on scripting languages such as PowerShell and JavaScript, so Kaspersky recommends that interpreters for these languages be disabled on user machines whenever possible. It is also important to monitor associated Windows events.

“Beyond this, our main recommendation would be to make sure an up-to-date security product is set up on all smartphones, computers and servers, and that all employees are trained to detect, ignore and report spear-phishing or unsolicited emails and social network messages,” Delcher said.
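One way to act on the advice to monitor Windows events, given that PowerPepper hides its control traffic in DNS over HTTPS: flag script interpreters that resolve or connect to DoH resolvers, which browsers do routinely but PowerShell and Windows Script Host rarely should. This is an added example, not code from Kaspersky or from the original article; the interpreter list, the resolver list and the sample events are assumptions constructed for illustration, using the field names of Sysmon Event ID 3 (network connection) and Event ID 22 (DNS query).

```python
import ntpath

# Assumption: interpreters to watch. The article names PowerShell and JavaScript;
# wscript/cscript are the Windows Script Host binaries that run JavaScript files.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Assumption: a few well-known public DoH resolver hostnames, not a list taken
# from the Kaspersky research. Extend it for your environment.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, shaped like parsed Sysmon records.
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "WS-014", "Image": PS, "QueryName": "cloudflare-dns.com"},
    {"EventID": 3, "Computer": "WS-014", "Image": PS,
     "DestinationHostname": "cloudflare-dns.com", "DestinationPort": 443},
    # A browser using DoH is expected behaviour and must not alert.
    {"EventID": 3, "Computer": "WS-020", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "mozilla.cloudflare-dns.com", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS-031", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "dns.google", "DestinationPort": 443},
    # An interpreter talking HTTPS to a non-resolver host is out of scope here.
    {"EventID": 3, "Computer": "WS-031", "Image": PS,
     "DestinationHostname": "packages.example.com", "DestinationPort": 443},
]

def doh_host(name):
    """Return the listed resolver that `name` equals or is a subdomain of."""
    name = (name or "").rstrip(".").lower()
    for host in DOH_HOSTS:
        if name == host or name.endswith("." + host):
            return host
    return None

def find_suspicious(events):
    """Return (computer, interpreter, event_id, resolver) for each DoH contact."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image not in SCRIPT_HOSTS:
            continue
        target = None
        if ev["EventID"] == 3 and ev.get("DestinationPort") == 443:
            target = doh_host(ev.get("DestinationHostname"))
        elif ev["EventID"] == 22:
            target = doh_host(ev.get("QueryName"))
        if target:
            hits.append((ev["Computer"], image, ev["EventID"], target))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Sysmon often leaves `DestinationHostname` empty on Event ID 3, so in practice the Event ID 22 branch, or a match on resolver IP addresses, carries most of the detection.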

NetEnrich Unleashes Intelligent SOC

NetEnrich’s new Intelligent SOC (ISOC) service allows midmarket enterprises and MSPs to up-level security operations, add skilled experts and improve efficiencies.

ISOC removes the barriers and complexities associated with security operations by making them easier, more effective and more cost-effective. Organizations can scale their operations by adding outcomes-focused services that combine AIOps with security analyst expertise.

Justin Crotty is senior vice president at NetEnrich.

“Intelligent SOC enables MSSPs, MSPs and VARs to expand their managed security services business by customizing programs to meet their customers’ (enterprises) needs,” he said. “Organizations can add specific entitlements like vulnerability assessment, attack surface risk analysis or managed SIEM services to improve operational efficiencies.”

ISOC also allows MSSPs, MSPs and VARs/resellers to expand their businesses and increase recurring revenues from new, differentiated SOC services. NetEnrich offers a variety of service models like white-label SOC or SOC services.

“Intelligent SOC provides enterprises with choice, flexibility and services pricing aligned to their requirements,” Crotty said. “The ability to customize services tied to measurable results (outcomes) with flexibility to turn on or off services satisfies what organizations are asking for. In contrast, the traditional one-sized-fits-all complete managed security service is too costly and offers many service features organizations don’t need.”

ISOC also allows channel partners to offer new and value-added programs to their customers, he said.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
