Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

by Cyber360 News
April 14, 2020
in Security

Palo Alto Networks experts warn of malicious Coronavirus-themed phishing campaigns targeting government and medical organizations.

Experts from Palo Alto Networks Unit 42 published a report that analyzes the cross-section of Coronavirus-themed attacks aimed at organizations across different industries.

Recently, organizations in healthcare, research, and government have been hit by Coronavirus-themed attacks that deployed multiple malware families, including ransomware and information stealers (e.g. AgentTesla).

Palo Alto Networks researchers cited ransomware attacks against a Canadian government healthcare organization and a Canadian medical research university, both of which attempted to exploit the ongoing pandemic.

Experts also observed Coronavirus-themed attacks spreading the AgentTesla infostealer variant against various other entities (e.g., a United States defense research entity, a Turkish government agency managing public works, several large technology and communications firms headquartered in Canada, Germany, and the United Kingdom, and medical organizations and medical research facilities located in Japan and Canada).

The attacks against the Canadian healthcare organizations were observed between March 24 and March 26; they began with coronavirus-themed phishing campaigns of the kind that had been carried out over the preceding months.

Attackers used a spoofed address mimicking the World Health Organization ([email protected][.]int) to send out the phishing messages; the emails went to a number of individuals working at healthcare organizations actively involved in Coronavirus response efforts.

“Between March 24, 2020 at 18:25 UTC and March 26 at 11:54 UTC, Unit 42 observed several malicious emails sent from the spoofed address [email protected][.]int (actual sender IP address at the time of the attack was 176.223.133[.]91) to several individuals associated with a Canadian government health organization actively engaged in COVID-19 response efforts, and a Canadian university conducting COVID-19 research.” reads the analysis published by PaloAlto Networks. “The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323-sitrep-63-covid-19.doc, which, when opened with a vulnerable application, attempted to deliver a ransomware payload using a known shared Microsoft component vulnerability, CVE-2012-0158.”

The messages carry a weaponized Rich Text Format (RTF) attachment that exploits CVE-2012-0158, a buffer overflow in Microsoft’s ListView/TreeView ActiveX controls in the MSCOMCTL.OCX library.

Experts noticed that the name of the file employed in this campaign references the date March 23, 2020, and that it was not updated over the course of the campaign.
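The delivery chain described above (a spoofed WHO sender and an RTF lure carried under a .doc file name) lends itself to a straightforward mail-gateway triage check. The Python script below is an added example, not code from Unit 42 or from this article: it parses a constructed message, flags attachments whose bytes start with the RTF signature but whose file name does not say .rtf, reports a From domain for which the receiving gateway recorded no SPF pass in Authentication-Results, and pulls the connecting IP out of the Received header. The sender local part, the recipient domain and the body text are placeholders; the page shows only the obfuscated sender address, so WHO’s public domain who.int is assumed for the spoofed From; the connecting IP and the attachment name are the ones quoted in the report.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not a capture from the report). The sender local part,
# recipient domain and body text are placeholders; the From domain who.int is assumed
# from "World Health Organization"; the connecting IP and the attachment name are the
# ones quoted in the Unit 42 analysis.
SAMPLE_EMAIL = b"""Received: from mail.placeholder.invalid ([176.223.133.91]) by mx.example-health.ca
Authentication-Results: mx.example-health.ca; spf=fail smtp.mailfrom=who.int
From: "World Health Organization" <placeholder@who.int>
To: staff@example-health.ca
Subject: COVID-19 situation report 63
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the attached situation report.
--b1
Content-Type: application/msword; name="20200323-sitrep-63-covid-19.doc"
Content-Disposition: attachment; filename="20200323-sitrep-63-covid-19.doc"
Content-Transfer-Encoding: 7bit

{\\rtf1\\ansi\\deff0 placeholder RTF body }
--b1--
"""

# Every RTF document begins with this control word, whatever its file name says.
RTF_MAGIC = b"{\\rtf"


def triage_message(raw):
    """Return a list of (finding, detail) tuples for the indicators described in the article."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. RTF content delivered under a non-RTF file name (the lure was RTF named *.doc).
    #    Word opens it regardless of extension, so inspect the bytes, not the name.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if payload.lstrip().startswith(RTF_MAGIC) and not name.endswith(".rtf"):
            findings.append(("rtf_masquerade", name))

    # 2. From domain without an SPF pass recorded by our own gateway: treat the header
    #    address as spoofed unless the receiving MTA authenticated it.
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    spf_results = []
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", str(hdr))
        if m:
            spf_results.append(m.group(1).lower())
    if from_domain and (not spf_results or any(r != "pass" for r in spf_results)):
        findings.append(("sender_unauthenticated", from_domain))

    # 3. Connecting IP from the outermost Received header, for blocklist and enrichment lookups.
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr))
        if m:
            findings.append(("connecting_ip", m.group(1)))
            break

    return findings


if __name__ == "__main__":
    for finding, detail in triage_message(SAMPLE_EMAIL):
        print(f"{finding}: {detail}")
```

The RTF check is deliberately content-based: a gateway rule keyed on the .rtf extension would have let this lure through, because the attacker named it .doc and Word still parsed it as RTF.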

Once executed, the ransomware binary contacts the C2 server to download an image that serves as the main ransom notification displayed on the victim’s device. It then gathers host details and transmits them to the C2, which uses them to create a custom key; the malware encrypts the files on the system’s desktop and appends a “.locked20” extension.

“Once the remote command and control (C2) server successfully receives the victim’s details, it then proceeds to create a custom key based on the username/hostname details and sends the key back to the infected host for further processing.” continues the analysis. “Once the key is received from the C2 server, the infected host then initiates an HTTP POST request to the resource www.tempinfo.96[.]lt/wras/savekey.php containing its hostname and the main decryption key for the host, which is, in itself, AES encrypted:”
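The post-infection behaviour in the two paragraphs above (contact with the C2 host, the HTTP POST to savekey.php carrying the key, files renamed with a .locked20 extension) gives a defender three concrete detections. The Python below is an added example, not code from the report or from this article: it runs those detections over constructed proxy and file-rename log lines and correlates hosts that show both the network and the file-system indicator. The log format, internal IP addresses, user names and file names are invented; the C2 host, the savekey.php path and the .locked20 extension are taken from the article.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Indicators taken from the Unit 42 findings relayed in the article.
C2_HOST = "www.tempinfo.96.lt"
KEY_UPLOAD_PATH = "/wras/savekey.php"
ENCRYPTED_EXT = ".locked20"

# Constructed sample logs (not from the report). The format, internal IPs, user and file
# names are invented: "<timestamp> <client-ip> <method> <url> <status>" for the proxy,
# "<timestamp> <client-ip> RENAME <old> -> <new>" for file-rename events.
PROXY_LOG = """\
2020-03-25T09:14:02Z 10.0.4.17 GET http://www.tempinfo.96.lt/ 200
2020-03-25T09:14:05Z 10.0.4.17 POST http://www.tempinfo.96.lt/wras/savekey.php 200
2020-03-25T09:14:07Z 10.0.4.22 GET https://intranet.example-health.ca/status 200
"""

FILE_EVENTS = r"""2020-03-25T09:14:20Z 10.0.4.17 RENAME C:\Users\jdoe\Desktop\budget.xlsx -> C:\Users\jdoe\Desktop\budget.xlsx.locked20
2020-03-25T09:14:21Z 10.0.4.17 RENAME C:\Users\jdoe\Desktop\notes.docx -> C:\Users\jdoe\Desktop\notes.docx.locked20
2020-03-25T09:14:30Z 10.0.4.22 RENAME C:\Users\asmith\Desktop\draft.txt -> C:\Users\asmith\Desktop\draft_v2.txt
"""

RENAME_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")


def detect_c2(proxy_lines):
    """Flag requests to the C2 host; a POST to the key-upload path is the strongest signal."""
    hits = []
    for line in proxy_lines:
        if not line.strip():
            continue
        ts, client, method, url, _status = line.split()
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != C2_HOST:
            continue
        if method == "POST" and parts.path == KEY_UPLOAD_PATH:
            reason = "key_upload"   # the host just sent its encryption key material out
        else:
            reason = "c2_contact"   # e.g. fetching the ransom-note image
        hits.append({"time": ts, "client": client, "reason": reason, "url": url})
    return hits


def detect_encryption(file_lines, threshold=2):
    """Return {client: count} for clients renaming at least `threshold` files to *.locked20."""
    counts = Counter()
    for line in file_lines:
        m = RENAME_RE.match(line)
        if m and m.group(4).lower().endswith(ENCRYPTED_EXT):
            counts[m.group(2)] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


def correlate(proxy_lines, file_lines):
    """Clients showing both the network and the file-system indicator (highest confidence)."""
    network = {h["client"] for h in detect_c2(proxy_lines)}
    return sorted(network & set(detect_encryption(file_lines)))


if __name__ == "__main__":
    for hit in detect_c2(PROXY_LOG.splitlines()):
        print("network:", hit)
    print("encrypting hosts:", detect_encryption(FILE_EVENTS.splitlines()))
    print("correlated:", correlate(PROXY_LOG.splitlines(), FILE_EVENTS.splitlines()))
```

The rename threshold exists because a single .locked20 file can be a false positive (a sample copied to a share, an analyst’s test), while a burst of renames from one client is the encryption loop itself; the POST to savekey.php is the point at which the key leaves the host, so a proxy block there also stops the attacker receiving it.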

Palo Alto Networks researchers determined that the ransomware strain was based on EDA2, an open-source ransomware that was initially created for educational purposes.

“The objective of this blog was to give a deeper understanding on some of the types of cybercrime campaigns being faced by multiple critical industries dealing with the urgent and critical response efforts of the COVID-19 pandemic. It is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis.” concludes the report.

“While this blog specifically focused on two campaigns, Unit 42 is tracking multiple campaigns with COVID-19 themes being used by threat actors on a daily basis and this trend is likely going to continue for weeks to come.”

Pierluigi Paganini

(SecurityAffairs – Coronavirus-themed attacks, hacking)
