Full Report
The McAfee Advanced Threat Research team today published the McAfee® Labs COVID-19 Threats Report, July 2020. In this “Special Edition”... The post McAfee COVID-19 Report Reveals Pandemic Threat Evolution appeared first on McAfee Blog.
Analysis Summary
The provided article is a high-level overview and promotional piece from McAfee describing threat trends observed during the COVID-19 pandemic, not a report on a single, specific security incident. Many of the timeline and impact fields below are therefore inferred from the general findings McAfee reported for that period rather than taken from the article itself.
# Incident Report: COVID-19 Themed Threat Evolution Summary
## Executive Summary
This summary synthesizes the general threat landscape analyzed by McAfee during the COVID-19 pandemic, which saw a significant surge in cyber activity exploiting global health concerns. Attackers used phishing, malware delivered through malicious documents, and fraudulent COVID-19 themed websites to gain initial access and distribute payloads. The primary impact centered on widespread credential compromise, financial fraud, and the deployment of ransomware or banking Trojans across sectors that had rapidly adopted remote work infrastructure.
## Incident Details
- **Discovery Date:** Ongoing analysis throughout the pandemic period (Specific dates not provided, as this is a generalized threat summary, not a single incident report).
- **Incident Date:** Primarily covering periods of peak COVID-19 related activity (e.g., 2020 - 2021).
- **Affected Organization:** Not applicable (This is a report on threat trends observed across the landscape).
- **Sector:** All sectors, specifically targeting healthcare, government, finance, and general populations adapting to remote work.
- **Geography:** Global.
## Timeline of Events
*Since this is a summary of threat evolution, the timeline describes the general progression of attacks observed:*
### Initial Access
- **Date/Time:** Phased, coinciding with major global announcements/lockdowns.
- **Vector:** Phishing emails, malvertising, and malicious websites capitalizing on COVID-19 urgency.
- **Details:** Use of lures such as stimulus checks, vaccine information, testing kits, or donation requests to trick users.
### Lateral Movement
- **Details:** Upon infection via malicious COVID-19 themed documents or installers, threat actors often deployed common payloads like Emotet, TrickBot, or custom backdoors, leading to credential harvesting and network reconnaissance.
### Data Exfiltration/Impact
- **Details:** Exfiltration focused on personally identifiable information (PII), financial data, and corporate intellectual property, often preceding ransomware deployment or direct use of stolen credentials for online banking fraud.
### Detection & Response
- **How it was discovered:** Detection primarily occurred through proactive threat intelligence analysis (like McAfee's), endpoint detection and response (EDR) alerts on deployed malware, and user reports of suspicious activity/phishing.
- **Response actions taken:** Actions typically involved blocking known malicious URLs, updating antivirus signatures, and performing broad user education campaigns on phishing awareness.
## Attack Methodology
The report highlights the *theming* used by attackers rather than specific TTPs for a single campaign. Inferred TTPs based on standard pandemic-era threats:
- **Initial Access:** Phishing, malicious attachments (LNK shortcuts, DOCX/XLSX files with macros), malvertising.
- **Persistence:** Installation of common loaders/banking Trojans (though specifics vary by campaign).
- **Privilege Escalation:** Standard Windows privilege escalation techniques following initial compromise, often leveraging outdated systems or vulnerable configurations.
- **Defense Evasion:** Obfuscation of malware payloads and using living-off-the-land binaries (LOLBins).
- **Credential Access:** Use of keyloggers or harvesting credentials from web browsers and password managers.
- **Discovery:** Standard network scanning and system enumeration utilizing native tools.
- **Lateral Movement:** Exploitation of RDP or leveraging harvested domain credentials using tools like Mimikatz or PsExec.
- **Collection:** Staging of sensitive documents and credentials.
- **Exfiltration:** Use of common protocols (HTTP/S, FTP) to move staged data out of the network, blending with normal traffic.
- **Impact:** Ransomware deployment, data theft for extortion, and financial credential theft.
## Impact Assessment
- **Financial:** High financial impact driven by ransomware payments, remediation costs, and losses from banking fraud.
- **Data Breach:** Widespread instances of PII/PHI compromise due to increased use of insecure home networks and successful credential harvesting.
- **Operational:** Moderate to severe disruption for organizations hit by ransomware, or that suffered significant downtime after a successful phishing attack gave the attacker a network foothold.
- **Reputational:** Damage incurred by organizations that failed to adequately protect customer/employee data during the rapid shift to remote operations.
## Indicators of Compromise
*(Indicators are generalized based on common threats reported during the period. Specific, defanged indicators from the source article were not available.)*
- **Network indicators:** Communication with known C2 domains hosting COVID-themed infrastructure (Defanged examples: `hxxp://covid-update[.]net`, `hxxp://safe-testing-kit[.]biz`).
- **File indicators:** Hashes associated with common loaders and banking trojans distributed via COVID lures.
- **Behavioral indicators:** Unscheduled mass file encryption events, unexpected execution of PowerShell scripts post-document opening, and increased outbound traffic to non-standard external IPs.
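As an added example (not code from the McAfee report or from this summary), a small Python triage routine that applies the behavioral indicator above, an Office application spawning a script host after a document is opened, to constructed process-creation records in a simplified Sysmon Event ID 1 shape; the field names, sample paths and the encoded-command placeholder are assumptions.

```python
# Lowercase basenames of Office hosts that should rarely spawn a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Command-line fragments typical of download cradles and hidden execution.
SUSPICIOUS_ARGS = ("-enc", "downloadstring", "iex ", "-w hidden", "bypass")

def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev: dict) -> list:
    """Return the reasons a process-creation event matches the Office-to-script-host pattern."""
    reasons = []
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    cmd = ev.get("command_line", "").lower()
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office parent spawned script host: {parent} -> {child}")
    if child in SCRIPT_HOSTS:
        hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
        if hits:
            reasons.append("suspicious arguments: " + ", ".join(a.strip() for a in hits))
    return reasons

def flagged_pids(events: list) -> list:
    """PIDs of events that produced at least one reason, in input order."""
    return [ev["pid"] for ev in events if score_event(ev)]

# Constructed sample events (assumed field names); only the second and fourth should be flagged.
SAMPLE_EVENTS = [
    {"pid": 1180, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\COVID-19_Relief_Form.docm"'},
    {"pid": 1204, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc AAAAPLACEHOLDER"},  # placeholder blob
    {"pid": 1277, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ScheduledTask -TaskName Inventory"},
    {"pid": 1310, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo stimulus-check-update"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in score_event(ev):
            print(ev["pid"], reason)
```

The parent/child pairing is the high-confidence signal; the argument check only adds context, since benign administrative PowerShell (the svchost-spawned record) must not be flagged on its own.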
## Response Actions
- **Containment:** Disconnecting infected endpoints, forcing password resets for potentially compromised accounts, and blocking associated malicious domains/IPs at the firewall/DNS level.
- **Eradication:** Complete removal of malware and backdoors, patching systems exploited during the influx of remote access.
- **Recovery:** Restoring systems from clean backups, enhancing multi-factor authentication (MFA) enforcement across remote access points.
## Lessons Learned
- The pandemic accelerated the convergence of urgent social engineering themes (like public health crises) with established cyber threat techniques, proving highly effective at achieving initial access.
- Security awareness training focusing specifically on high-urgency social engineering topics is crucial when widespread external events dominate user attention.
- The attack surface significantly expanded due to rapid, sometimes insecure, adoption of remote work infrastructure.
## Recommendations
1. Implement mandatory Multi-Factor Authentication (MFA) for all remote access vectors (VPN, cloud services, O365/G-Suite).
2. Augment endpoint defenses with advanced threat detection capabilities capable of identifying fileless malware or process injection associated with common loaders.
3. Conduct targeted security awareness campaigns mimicking current, high-urgency phishing lures (e.g., vaccine sign-ups, emergency payroll updates).