The World Health Organization (WHO) and its partners have been targeted by a sophisticated group of hackers who attempted to steal login credentials to gain access to its network by impersonating WHO’s internal email system. Spear phishing emails were sent to several WHO staffers that included links to a malicious website hosting a phishing kit.
The attack was detected on March 13 by cybersecurity expert Alexander Urbelis, an attorney with the New York-based Blackstone Law Group. The malicious website used to host the fake WHO login page had previously been used in other attacks on WHO employees.
It is unclear who was responsible for the campaign, but it is believed to be a South Korea-based threat group called DarkHotel. The aims of the attackers are not known, although Urbelis says the highly targeted nature of the attack suggests the attackers were looking for specific credentials. DarkHotel has previously conducted several attacks in East Asia for espionage purposes. It is possible that the hackers were trying to gain access to information about possible treatments, potential cures, or vaccines for COVID-19.
The story was first reported by Reuters, which contacted WHO CISO Flavio Aggio for further information. Aggio said the campaign was not successful and no data was harvested by the attackers. Aggio confirmed that there has been a large increase in incidents targeting WHO in recent weeks. WHO has been impersonated in several phishing campaigns that attempt to steal credentials and spread malware. According to Aggio, attacks targeting and impersonating WHO have more than doubled during the coronavirus pandemic.
Phishers Abuse Open Redirect on HHS Website to Deliver Raccoon Information Stealer
Phishers have been discovered to be abusing an open redirect on the HHS.gov website to send individuals to a phishing webpage.
Open redirects are used on websites to redirect visitors to other webpages. Open redirects can be used by anyone and are often abused by cybercriminals in phishing campaigns. URLs start with the official website of the site hosting the open redirect, so individuals checking the link may be fooled into thinking they are navigating to a legitimate website. They will be initially, but the final destination is a phishing webpage.
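As an added illustration (not from the article and not code from HHS), the following redirect handler checks where a `?next=` parameter points before following it, instead of trusting it verbatim. The allow-listed hosts and the sample link values are constructed for the example; the samples cover the parser tricks that commonly slip past a naive "does it start with a slash" check.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect may legitimately target (constructed for this example;
# a real site would load these from configuration).
ALLOWED_HOSTS = {"contracts.example.gov", "www.example.gov"}


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return next_url only if it stays on this site or an allow-listed host;
    anything else falls back to `default`. The result is rebuilt from parsed
    parts so that quirks in the raw string do not survive into the Location."""
    if not next_url:
        return default
    # Browsers treat "\" like "/", so "/\evil.example" would leave the site.
    candidate = next_url.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                      # javascript:, data:, and friends
    if parts.netloc:
        # hostname drops userinfo ("www.example.gov@evil.example") and the port.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return default
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    # No authority: accept only a plain absolute path. A path starting "//" is a
    # network-path reference to the browser, and "https:evil.example" has a
    # scheme but an empty netloc, so both are rejected here.
    if parts.scheme or not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


# Constructed examples of values a crafted link might carry in ?next=.
SAMPLE_TARGETS = [
    "/search?symptom=cough",                  # legitimate local path
    "https://contracts.example.gov/report",   # allow-listed host
    "https://evil.example/login",             # plain external host
    "//evil.example/login",                   # scheme-relative
    "/\\evil.example",                        # backslash trick
    "https://www.example.gov@evil.example/",  # userinfo trick
    "https:evil.example",                     # missing slashes
    "javascript:alert(1)",                    # non-http scheme
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{target!r:45} -> {safe_redirect_target(target)!r}")
```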
The email used a COVID-19 lure, providing information about the coronavirus, and included a link with the text “Find and research your medical symptoms.”
The open redirect was discovered by security analyst @SecSome on a subdomain of the Departmental Contracts Information System. The redirect was used to link to a malicious attachment containing a .lnk file, which unpacks a VBS script that downloads the Raccoon information stealer. The Raccoon information stealer is capable of stealing credentials and sensitive data from around 60 different applications.
Maze Ransomware Gang Attacks UK COVID-19 Research Firm
The Maze ransomware gang has attacked the UK vaccine research firm Hammersmith Medicines Research (HMR) and succeeded in encrypting files and stealing sensitive data. HMR has previously developed a vaccine for Ebola and performs early clinical trials. The company is also reportedly working on a vaccine for the 2019 Novel Coronavirus.
The ransomware attack occurred on March 14, 2020, prior to the press release from the Maze ransomware gang stating they would not be attacking healthcare organizations during the COVID-19 crisis. HMR detected the attack quickly and managed to contain it, avoid downtime, and restore its data the same day without paying the ransom. As is typical of the gang, when the ransom is not paid, stolen data is published online to pressure victims into paying.
The published information, which the Maze gang has since taken offline, included sensitive information about past patients and employees. According to HMR, the data related to around 2,300 patients and was between 8 and 20 years old. It included passport copies, national insurance numbers, driver’s license copies, and sensitive personal and medical information. HMR said it has no intention of paying the ransom and does not have the money available to do so.