Group zeros in on the WHO
Sophisticated hackers, possibly an international advanced persistent threat (APT) group, reportedly attempted to break into the systems of the World Health Organization (WHO) earlier this month.
The perpetrators and their precise motive are unknown, although, according to a Reuters report, the actor is suspected to be DarkHotel, a well-established APT group allegedly tied to Korea.
The WHO’s CISO, Flavio Aggio, reportedly told Reuters that there has been a significant increase in hacking attempts against the health agency amid the coronavirus pandemic; fortunately, this particular attempt was unsuccessful.
Alexander Urbelis, a cyber-expert with Blackstone Law Group, first detected the malicious activity after observing the attackers stand up a website that impersonated the WHO’s internal email system.
Aggio later reportedly confirmed that the fake site had been used in an attempt to steal passwords from members of the agency’s workforce. Costin Raiu, head of global research and analysis at Kaspersky, reportedly observed that the same web infrastructure had recently been used to target other healthcare and humanitarian organisations.
Strange Anti-Virus Scam Spreads RAT
In one of the most peculiar Covid-19 cyber-plots, malicious actors set up a scam website advertising a phony digital “anti-virus” application, which victims are persuaded to download in the belief that it will protect their computers from the coronavirus.
Router Hijacking Leads to Fake Covid-19 App Alert
Malicious actors are reportedly hijacking home routers and changing their DNS settings in order to redirect Windows users to malicious content in the form of a fake WHO alert. Victims have observed their web browsers opening by themselves and displaying a phony message instructing them to download a supposed Covid-19 information app called “Emergency – Covid-19 Informator” or “Covid-19 Inform App.” In reality, the app is the information-stealing malware known as Oski.
Oski is capable of stealing browser data, including cookies, browsing history and payment information, as well as saved login credentials, cryptocurrency wallets, text files, browser form autofill data and Authy 2FA authenticator databases.
It is not known exactly how the attackers have been compromising the affected routers, which include D-Link and Linksys models, but some victims reportedly left remote administration enabled and are likely to have used weak passwords.
“This attack highlights the need for people to make sure they change the default username/password for their home router, as a number of the affected users admitted having a weak or default combination,” suggested Laurence Pitt, global security strategy director at Juniper Networks. “Most internet providers today provide routers that have a good strength default security setup. This attack has targeted one certain brand of router and would also indicate that users have left the default admin/password combination to access the device.”
Bleeping Computer notes that the redirect is triggered when Windows machines on the affected network use their built-in Network Connectivity Status Indicator (NCSI) feature to check for internet connectivity. Instead of resolving the probe hostname to the correct Microsoft IP address, the rogue DNS servers send the user to an attacker-controlled site that displays the alert.
Users whose browsers are exhibiting this behaviour should check their router’s DNS settings, reconfigure the router to obtain its DNS servers automatically from the ISP, and change any default or weak administrator credentials.
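A practitioner on a suspect network can reproduce the two NCSI probes described above and see whether a rogue resolver is answering them. The following is an added example written for this page, not code from Bleeping Computer, Microsoft or any of the article’s sources. The probe hostnames, the expected DNS answer (131.107.255.255) and the expected body (“Microsoft Connect Test”) are Microsoft’s documented NCSI values; the `hijacked_*` answers and the 203.0.113.7 address are constructed for the demonstration and are not real indicators.

```python
"""Detect a hijacked Windows NCSI connectivity probe.

Windows' Network Connectivity Status Indicator (NCSI) decides whether a
machine is online by resolving dns.msftncsi.com (expected answer
131.107.255.255) and fetching http://www.msftconnecttest.com/connecttest.txt
(expected body "Microsoft Connect Test"). A router whose DNS settings point
at rogue resolvers can answer those probes itself; Windows then treats the
network as a captive portal and opens the probe URL in the browser, which
is how a fake alert page reaches the victim.

The resolver and fetcher are injectable so the verdict logic can be run
offline against constructed answers; with no arguments it uses the DNS
servers the OS (normally the home router) handed out.
"""
from __future__ import annotations

import http.client
import socket
import urllib.parse
from typing import Callable

NCSI_DNS_HOST = "dns.msftncsi.com"
NCSI_DNS_EXPECTED = "131.107.255.255"
NCSI_HTTP_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_HTTP_EXPECTED = "Microsoft Connect Test"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def system_resolve(host: str) -> list[str]:
    """IPv4 answers from the system resolver, i.e. the router-supplied DNS servers."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def system_fetch(url: str, timeout: float = 5.0) -> dict:
    """Single HTTP GET without following redirects, so a bounce stays visible."""
    parts = urllib.parse.urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return {
            "status": resp.status,
            "location": resp.getheader("Location"),
            "body": resp.read().decode("utf-8", "replace"),
        }
    finally:
        conn.close()


def check_ncsi(resolve: Callable[[str], list[str]] = system_resolve,
               fetch: Callable[[str], dict] = system_fetch) -> list[str]:
    """Return findings; an empty list means both NCSI probes look genuine."""
    findings: list[str] = []

    answers = resolve(NCSI_DNS_HOST)
    if answers != [NCSI_DNS_EXPECTED]:
        findings.append(
            f"{NCSI_DNS_HOST} resolved to {answers or 'nothing'}, expected "
            f"{NCSI_DNS_EXPECTED}: the configured DNS servers are giving false answers"
        )

    probe = fetch(NCSI_HTTP_URL)
    if probe["status"] in REDIRECT_CODES:
        findings.append(
            f"connectivity probe redirected to {probe['location']}: "
            "Windows would open this page in the browser"
        )
    elif probe["body"].strip() != NCSI_HTTP_EXPECTED:
        findings.append(
            f"connectivity probe returned HTTP {probe['status']} with unexpected "
            f"content ({probe['body'][:60]!r}): Windows would open it in the browser"
        )
    return findings


# Constructed answers mimicking a hijacked router (not real indicators): the
# rogue resolver points the probe host at an attacker box in the TEST-NET-3
# range, which serves an HTML lure instead of the plain-text marker.
def hijacked_resolve(host: str) -> list[str]:
    return ["203.0.113.7"]


def hijacked_fetch(url: str) -> dict:
    return {"status": 200, "location": None,
            "body": "<html><title>Emergency - Covid-19 Informator</title>..."}


# Constructed answers matching what genuine Microsoft infrastructure returns.
def genuine_resolve(host: str) -> list[str]:
    return [NCSI_DNS_EXPECTED]


def genuine_fetch(url: str) -> dict:
    return {"status": 200, "location": None, "body": NCSI_HTTP_EXPECTED}


if __name__ == "__main__":
    print("constructed hijack:", check_ncsi(hijacked_resolve, hijacked_fetch))
    print("live network      :", check_ncsi() or "no tampering detected")
```

Run it from a machine on the suspect network; the offline fakes exercise both the clean and the hijacked path without touching the network. A corporate proxy or a hotel captive portal that legitimately intercepts the probe will also trip the check, so treat a finding as a prompt to inspect the router’s DNS configuration rather than as proof of compromise.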
Although this is mainly a home router issue, Justin Jett, director of audit and compliance at Plixer, said that companies must be mindful of the threat too, because millions of employees are currently working from home to reduce their exposure to the coronavirus.
“…Organisations should be sure to have a good VPN infrastructure for remote workers to connect to,” Jett explained. “This will allow employees using company laptops to securely connect to the corporate network without using the internal home network’s DNS settings.” “Be sure to have network traffic analytics configured in the network to monitor connections from remote workers that may have been affected by home network malware,” Jett added. “This will help network and security teams identify where malware is present.”
The fake anti-virus website, antivirus-covid19[.]site, makes an odd claim: “Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.” Some people appear to have been fooled by it.
Downloading the program in fact infects the user with the BlackNET remote access trojan. BlackNET gives attackers a range of capabilities: launching DDoS attacks, taking screenshots, logging keystrokes, stealing saved passwords and Firefox cookies, stealing from Bitcoin wallet folders and executing malicious scripts, among others.
Ginp Banking Trojan Adds ‘Coronavirus Finder’ Scam
A newer version of the Ginp banking trojan, well known for infecting Android devices and tricking their users into handing over credit card details, can now serve its victims a new lure inspired by the coronavirus pandemic.
Kaspersky recently reported that Ginp can now receive a command that opens a fake web page, “Coronavirus Finder”, which purports to show users who nearby is infected with Covid-19. The catch: users must enter their credit card details to pay for this supposedly vital information.
“Once you fill in your credit card data, it goes directly to the criminals… and nothing else happens,” states the blog post from Kaspersky malware analyst Alexander Eremin. “They don’t even charge you this small sum (they have all the funds from the card at their command?). And of course, they don’t show you any information about people infected with coronavirus near you, because they don’t have any.”
Ginp largely infects Android device owners based in Spain, but Kaspersky theorises that this latest version of the malware could be used in a more geographically dispersed campaign. “…[T]his is a new version of Ginp that is tagged ‘flash-2,’ while previous versions were tagged ‘flash-es12,’” Eremin states in the Kaspersky blog post. “Maybe the lack of ‘es’ in the tag of the newer version means that cyber-criminals plan to expand the campaign beyond Spain,” the report concludes.