In Part II of our three-part series (Part I, II, and III ) on hackers trying to effect maximum damage during the coronavirus pandemic, we take a look at how hackers exploit security flaws to hold system users to ransom.
Microsoft Windows a sitting duck?
According to Wired.com, every version of Windows has a security flaw that attackers discovered before Microsoft did, and the company acknowledged that the flaws have been so far ‘selectively exploited.’ In this case, the Windows Adobe Type Manager Library handles a specially crafted font, and a successful hacker can use it to achieve remote code execution. Microsoft has been quick to note the glaring vulnerability and has issued an advisory on this issue. Microsoft warns that there are two Remote Code Execution (RCE) flaws rated critical in the library that can be exploited in several ways. The advisory states, a hacker could convince a user to open a specially crafted document or just view it in the File Explorer preview pane. The RCE flaws are in the way Windows handles a specially crafted multi-master font. The Adobe Type Manager library is built-in to Windows and it is used to render PostScript Type1 fonts. Microsoft says that all currently supported versions of Windows are affected and that it is currently working on a fix. Windows 7, which recently reached end-of-life, is also affected.
Microsoft says that they are working on a patch and in the interim disabling the WebClient service can protect Windows by blocking what it thinks is the most likely remote attack vector for the vulnerability.
Hungry for news? You could be a ready target!
Operation Poisoned News as the name suggests is malicious software that targets iOS users in Hong Kong who are looking for news or updates on the raging coronavirus pandemic. The attackers target users by posting malicious links on news websites and discussion forums which further lead users to news pages containing a hidden iframe that deploys a code, which, in turn, compromises the unsuspecting victims’ phones. The attack is called a watering-hole attack. It affects iPhone 6S through the iPhone X, although a recent Safari update patches the flaw that the hackers are taking advantage of.
Tech news website Cnet.com says hackers are using keywords like ‘coronavirus’ or ‘COVID-19’ to attract their targets in large numbers. Security firm Zscaler has reported nearly 20,000 unique phishing attacks. The modus operandi of hackers is simple, users are tricked into entering sensitive information like passwords or credit card numbers. More than 7,000 incidents were found in which victims were tricked into starting a download of malware, all of which had a direct reference to the COVID-19 pandemic.
Substantial increase in malware attacks
Hackers are trying to gain access to banking details and steal sensitive financial information or professional data of companies. Unsurprisingly the attacks seem to originate from China, North Korea, and even Russia. Security firm Malwarebytes has said that the profile of these hackers is diverse. While some appear to be state-sponsored attackers, there are also non-state actors and petty cybercriminals waiting to get a share of the pie.
An example of such an attack is a malicious spam email that claims to have vital information from the World Health Organization (WHO) on protecting children and businesses from the virus. When downloaded, the file loads malicious software that can steal web browsing data and track everything that its victims’ type.
That’s not all. There’s an application that claims to show users whether someone infected with the novel coronavirus was nearby. Although it sounds very informative, what the app did was infect users’ phones with ransomware. Some hackers went ahead to find out the unsuspecting users’ geographical location in real-time through the ransomware.
MBR-rewriting malware
One of the most sophisticated and effective categories of viruses is the boot sector virus that infects the Master Boot Record (MBR) of hard disks. The infected code runs when the system is booted from an infected disk, but once loaded it will infect other floppy disks when accessed in the infected computer. There are programs known as ‘bootkits’ that write their code to the MBR as a means of loading early in the boot process and then concealing the actions of malware running under Windows. However, they are not designed to infect removable media.
Security firm Kaspersky says that Boot sector computer viruses are most commonly spread using physical media. An infected floppy disk or USB drive connected to a computer will transfer when the drive’s VBR is read, then modify or replace the existing boot code. The next time a user tries to boot his desktop, the virus will be loaded and run immediately as part of the master boot record. It’s also possible for email attachments to contain boot virus code. If opened, these attachments infect the host computer and may contain instructions to send out further batches of email to a user’s contact list. Removing a boot sector virus can be difficult because it may encrypt the boot sector. In many cases, users may not even be aware they have been infected with a virus until they run an antivirus protection program or malware scan.
Modus operandi of MBR-rewriting malware
The MBR-rewriting malware uses the name COVID-19.exe and infects computers in 2 stages. The first stage shows a window that refuses to be closed as it has already disabled the Windows Task Manager. While users try to deal with the window, the malware rewrites the computer’s MBR and restarts the system allowing the new MBR to start its ominous work.
According to the tech website ZDNet, a second coronavirus-themed malware strain posed as the Coronavirus ransomware which stole passwords from an infected host. The malware afterward prevents access to computers and see ransom notes on their screens. In the meanwhile, the virus steals all passwords and login information of applications that are synced with the infected computer and mobile phones.
In Part III of this article , we tell you how hackers are targeting the healthcare facilities and research laboratories that are at the forefront in the battle against coronavirus. To know more about Security trends, you can download our latest whitepapers on Security