An innovative team of hackers targeted the World Health Organization (WHO) and its associates, attempting to steal login credentials and gain access to its network by spoofing WHO’s internal email system. A number of WHO staffers received spear-phishing messages containing hyperlinks to a malicious web page hosting a phishing kit.
Cybersecurity specialist Alexander Urbelis, who is also a lawyer with the New York-based Blackstone Law Group, discovered the spear-phishing attack on March 13. The malicious web page used to host the phony WHO login page had been used in earlier attacks on WHO personnel.
It is not known who was behind the campaign, but it is thought to be a threat group referred to as DarkHotel, located in South Korea. The attackers’ objectives are not known, though Urbelis believes that, given the highly targeted nature of the attack, they were looking for specific information. DarkHotel has previously carried out a few attacks in East Asia for surveillance purposes. It is probable that the hackers were seeking access to data on potential treatments, possible remedies, or vaccines for COVID-19.
Reuters was the first to report the story and contacted WHO CISO Flavio Aggio for further details. Aggio said the campaign did not succeed and the attackers were unable to obtain any information. Aggio confirmed a big increase in attacks targeting WHO in recent weeks. WHO has been impersonated in a number of phishing campaigns that attempt to steal information and deliver malware. Aggio reported that attacks impersonating WHO have more than doubled during the coronavirus outbreak.
Phishers Take Advantage of Open Redirect on HHS Webpage to Deploy Raccoon Information Stealer
Phishers were found to be exploiting an open redirect on the HHS website to send people to a phishing web page.
Open redirects are used on websites to send visitors to a different site. An open redirect can be used by anyone and is often abused by cybercriminals in phishing campaigns. The link begins with the official address of the website hosting the open redirect, so people who check the link may be misled into believing they are going to a reputable website. Initially they are, but the final destination is a phishing site.
The email used a COVID-19 lure, provided information about the coronavirus, and included a URL with the text “Find and lookup your health-related symptoms.”
Security analyst @SecSome identified the open redirect on a Departmental Contracts Information System subdomain. It was used to link to a malicious file containing an lnk file that executes a VBS script to install the Raccoon information stealer. The Raccoon information stealer can steal credentials and sensitive data from 60 different applications.
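Because an open-redirect link starts on a trusted host and only reveals its real destination in a query parameter, a mail filter can flag it by comparing the two. The following is an added example, not code from the report or from any of the organizations named; the function names, the `.example`/`.test` hosts and the sample links are constructed, and "same site" is assumed to mean the link's own host or one of its subdomains.

```python
from urllib.parse import parse_qsl, unquote, urlsplit


def url_host(value):
    """Host of an absolute or scheme-relative http(s) URL, else None."""
    v = value.strip().replace("\\", "/")  # browsers read "\" as "/"
    if v.startswith("//"):                # scheme-relative form: //host/path
        v = "https:" + v
    try:
        parts = urlsplit(v)
    except ValueError:                    # e.g. malformed IPv6 literal
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()     # userinfo ("trusted@evil") is excluded
    return None


def offsite_redirects(link, max_decode=3):
    """List (parameter, destination host) pairs that leave the link's own site."""
    site = url_host(link)
    findings = []
    if site is None:
        return findings
    for name, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
        dest = None
        for _ in range(max_decode):       # peel extra layers of %-encoding
            dest = url_host(value)
            decoded = unquote(value)
            if dest or decoded == value:
                break
            value = decoded
        # Assumption: "same site" = the link's host or one of its subdomains.
        if dest and dest != site and not dest.endswith("." + site):
            findings.append((name, dest))
    return findings


# Constructed sample links (not taken from the campaign described above).
SAMPLE_LINKS = [
    "https://dcis.agency.example/go?url=https%3A%2F%2Flogin.evil.test%2Fsymptoms",
    "https://dcis.agency.example/go?u=%252F%252Fevil.test%252Fx",
    "https://dcis.agency.example/go?r=https://agency.example@evil.test/",
    "https://dcis.agency.example/go?next=/contracts/view",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", offsite_redirects(link) or "no off-site redirect")
```

Without a public-suffix list the check cannot tell that two sibling subdomains belong to the same organization, so a production filter would pair it with an allow-list of known partner hosts.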