Threat actors continue to trade critical medical data in the Dark Web while organizations are involved in the response to the Covid-19 Pandemic, according to a recent article published in Security Affairs.

Cybercrime organizations continue to be very active while pharmaceutical organizations are involved in the development of a COVID-19 vaccine and medicines to cure the infections. 

Experts from Cyble discovered in several forums on the dark web, the offer for enormous repositories of critical medical that wee stolen from multiple organizations. 

Threat actors attempt to sell alleged confidential vaccine research and databases containing PII. 

“As COVID-19 continues to dominate headlines, confidential vaccine research data generates enough monetization opportunities for cybercriminals.” reads the post published by Cyble. “In addition to the COVID-19 databases containing confidential PII being leaked on the Internet, one of the critical security concerns is the immense cold chain logistics of the vaccine.”  

Recently, IBM warned of attacks against the COVID-19 vaccine cold chain that begun in September 2020. The experts uncovered a large scale spear-phishing campaign that has been ongoing since September 2020. Threat actors are impersonating a biomedical company, Haier Biomedical, and are sending out spear-phishing messages to executives and global organizations involved in vaccine storage and transport. Haier Biomedical is a legitimate member company of the COVID-19 vaccine supply chain, it is also a qualified supplier for the CCEOP program.

The phishing campaign hit global organizations with headquarters in Germany, Italy, South Korea, Czech Republic, greater Europe, and Taiwan. The attackers aim at harvesting account credentials to use in further attacks against the same organizations.

DHS CISA also issued an alert warning organizations working on the COVID-19 cold chain of targeted attacks carried out by nation-state actors.

More recently, experts from Cyble research observed new phishing emails with the subject posing as a Draft of Contract related to the CCEOP and Vaccine Program. Once again, this phishing email masquerades as communication from Haier Biomedical and is targeted at Kraeber & Co

The attackers attempt to trick victims into opening the malicious HTML attachment, then the victims are prompted to submit login credentials for viewing PDF content.

“Our research indicates a malicious ActiveX component that automatically runs in the background as soon as the user enables the document security control.” continues the report. “This type of ‘Precision Targeting’ involves advanced phishing attacks that are difficult to detect and takedown by security organizations.”

The ActiveX function in the HTML page allows sending the harvested credentials back to the attackers’ server via POST request. 

The threat actors could use the credentials to gain access to the targeted infrastructure and attempt to steal confidential information related to the COVID-19 vaccine research and delivery.  

Another interesting aspect of the Cyble research team is the discovery of multiple offers of vaccines in the dark web marketplaces.

While the first doses of the vaccine are provided to the UK and US citizens, multiple vendors on the darknet are already offering for sale doses of the Pfizer/BioNTech vaccine.

It is important to remind that the Pfizer vaccine must be kept at minus-70 degrees centigrade, this means that it cannot be shipped out in the post. At the time of this writing, it is unclear how the sellers are managing the doses and how they can ship them.

“This phishing campaign is a clear indication that threat actors are shifting their focus on the complex logistical network associated with the R&D and distribution of the vaccine value chain.” concludes Cyble.

Source: Security Affairs