Search This Blog

Showing posts with label IBM X-Force. Show all posts

Threat Actors Target Covid-19 Vaccine Cold Chain Via Spear-Phishing Campaign

 

Cybercriminals are continuing to target the COVID-19 vaccine cold chain, the means of delivering and storing vaccines at safe temperatures, with spear-phishing campaigns that leverage pharma and biomedical lures, according to an updated IBM X-Force report. 

Threat actors are specifically targeting transportation, healthcare, IT, and electronics sectors. Researchers also discovered the attackers targeting government agencies and vendors that support public health entities, among other targets.

The latest research is an update of a December IBM X-Force report that shed light on widespread phishing tactics leveraged by cybercriminals against vaccine supply chain organizations and other healthcare sectors. IBM X-Force established a cyber task force at the beginning of the pandemic to track cyber threats targeting critical infrastructure organizations.

The global phishing campaign against cold storage supply chain members was first discovered in September, initially tied to Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. The threat actors masqueraded as biomedical executives and targeted enterprise leadership members in the IT, finance, sales, and procurement departments, who would likely be involved with vaccine cold chain efforts.

 The attackers sent the messages to multiple employees across the enterprise, with some messages purporting to be of help or support pages of the targeted enterprise. Instead, the messages contained malicious HTML attachments that opened locally on the devices and prompted victims to enter user credentials for access. This week’s update revealed the researchers have detected an additional 50 files tied to spear-phishing emails targeting at least 44 entities in 44 different countries, including the US and Canada. 

“The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage, and ultimate distribution of vaccines. Spear-phishing attempts were associated with multiple executive activities and other roles," researchers explained.

Particularly, the cybercriminals are targeting CEOs, purchasing managers, system administrators, presidents, heads of supply and logistics, finance directors, HR officers, and a host of other leaders within the enterprise organization. IBM researchers first noticed the latest phishing campaign directly following the publication of the previous report. The malicious email was addressed to a German pharmaceutical and bioscience solutions company working on vaccine production and associated activities. The target also appeared to be a client of one of the original targets detected in the initial campaign.

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

IBM: Flags More Cyber Attacks on COVID-19 Vaccine Infrastructure

 

On Wednesday, IBM reported that its cyber-security unit has discovered more digital attacks targeting the global COVID-19 vaccine supply chain since the problem was first reported late last year. 

IBM Security X-Force has now revealed that the number of organizations affected has increased since the previous evaluation. A total of 44 organizations from 14 countries were singled out for attack. The targeted companies are key organizations involved in transportation, warehousing, storage, and distribution in Europe, North America, South America, Africa, and Asia. 

The threat actor began sending spear-phishing emails in early September 2020, before any COVID-19 vaccine variant was approved, in order to pre-position themselves in the evolving infrastructure. The emails requested quotes for the Cold Chain Equipment Optimization Platform (CCEOP) program and mentioned Haier Biomedical products used for storage and transportation of vaccines. 

IBM which has identified 50 files associated with the attacks, states the threat actor has excellent knowledge of the cold chain. Spear-phishing emails impersonating the executive from Chinese biomedical firm Haier Biomedical were extensively used in the attacks. 

IBM stated that “While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat.” 

The attacks used HTML files that included references to solar panel manufacturers and petrochemical companies. Around eight distinct organizations in the aviation, aerospace, shipping, and transportation services industries, as well as biomedical research, medical manufacturing, pharmaceuticals, and hygiene services, were hit by the attackers. Six companies in web-hosting, software creation, IT operations and outsourcing, and online platform provisioning were also affected. 

Government agencies (involved in the import/export of special products, transportation, and public health), as well as establishments in the refrigeration and metal manufacturing industries, were targeted, according to IBM. 

According to IBM security analysts, the attackers were attempting to gain access to the COVID-19 vaccine cold chain for espionage purposes, including information on national Advance Market Commitment (AMC) agreements, distribution timetables, collection or duplication of the electronic documents, and warehousing technical requirements. 

“While clear attribution remains presently unavailable, the rise of ‘vaccine nationalism’ and increased global competition surrounding access to vaccines suggests the higher likelihood of a nation-state operation,” IBM added.

IBM X-Force Publishes a List of Top 10 Cybersecurity Vulnerabilities of 2020

 

The severity of cyber-attacks has grown over the past year especially during the global pandemic. Threat actors are looking for unpatched issues or common vulnerabilities and exposures (CVEs) and are exploiting those vulnerabilities to gain initial access to a network. 

According to the 2021 X-Force Threat Intelligence Index, the list of the 10 most exploited susceptibilities of 2020 was dominated by older security issues, with just two out of the top 10 being spotted in 2020. Since 1988, the number of flaws discovered each year has followed a general upward trend with 17,992 new flaws discovered in 2020. 

 Top 10 CVEs exploited by threat actors 

IBM security X-force revealed a list of top 10 CVEs of 2020 based on how frequently threat actors exploited them. The list is based on both IBM X-Force incident response (IR) and IBM managed security services (MSS) data for 2020. Mostly, threat actors targeted common enterprise applications and open-source frameworks that many organizations use within their networks.

•CVE-2019-19871: Citrix Application Delivery Controller (ADC)
 
•CVE-2018-20062: NoneCMS ThinkPHP Remote Code Execution
 
•CVE-2006-1547: ActionForm in Apache Software Foundation (SAF) Struts
 
•CVE-2012-0391: ExceptionDelegator component in Apache Struts
 
•CVE-2014-6271: GNU Bash Command Injection
 
•CVE-2019-0708: ‘Bluekeep’ Microsoft Remote Desktop Services Remote Code Execution
 
•CVE-2020-8515: Draytek Vigor Command Injection
 
•CVE-2018-13382 and CVE-2018-13379: Improper Authorization and Path Traversal in Fortinet FortiOS
 
•CVE-2018-11776: Apache Struts Remote Code Execution
 
•CVE-2020-5722: HTTP: Grandstream UCM6200 SQL Injection 

How to manage the flaws and shield the network from CVEs? 

To patch the vulnerabilities or to protect the network from CVEs, you need to make hard decisions and require accounting for asset and data classification, business goals, risk, performance benchmarks, and much more. Some networks have sensitive machines and infrastructure that need rigorous testing to ensure nothing will fail when an update or patch is applied.

Three important techniques can be used to execute a robust patch-management program: 

(1). Organizations can use vulnerability management tools and crown jewel analysis to identify which assets are classified as critical to your organization, and which flaws are most likely to impact those assets. 

(2). Organizations can design a test environment that can assist in discovering the problems that may occur once a patch is installed in your enterprise environment.

(3). Companies should update their devices, operating systems, applications, versions, and cloud assets every quarter.