How Incident Response Teams Survived COVID-19

Let’s face it – 2020 is a year most of us will want to forget. With the increased number of targeted cyber-attacks, for Digital Forensics and Incident Response (DFIR) teams around the world it has been busier than ever.

Threat actors are taking advantage of gaps in security, brought about by hastily created remote access solutions and general oversights, caused as a result of staff working from home or technical staff being furloughed.

When COVID-19 started rapidly spreading at the beginning of the year there was a real sense of panic, with death tolls rising swiftly, coupled with a lack of both PPE and testing in place. During this period there was also a huge rise in the number of targeted attacks against hospitals and other frontline organizations trying to fight and treat the disease.

As an Incident Response team, we all felt helpless at the start of the pandemic and wanted to help in any way we could. So how can a team of highly-trained and skilled incident responders support the fight against COVID-19?

In our case, we petitioned our Executive Management team with an option to provide Incident Response support, at no additional cost, to any frontline hospital or healthcare organization directly supporting the COVID-19 response. As a result of this, our team was extremely busy triaging various incidents throughout the summer for hospitals around the globe. In this blog, I hope to give an overview of the trends we saw during that period.


It should be no surprise to readers here that the number of any other attack type was dwarfed by the quantity of ransomware incidents seen. This is despite Maze and other ransomware hacking groups’ assurance they wouldn’t attack hospitals.

Almost immediately after making the statement, the hacking group, Maze, attacked a British research company that was preparing to conduct trials of a COVID-19 vaccine. The hackers released thousands of stolen, personal medical records – after the company, which stated it lacked funds to pay a ransom, refused to pay.

The method of delivering the ransomware was also changing. Traditionally phishing has always been the number one path for attackers to exploit an unsuspecting organization’s users, and whilst this was still the case, we also saw a trend of attackers seeking to exploit VPN and RDP (remote desktop protocol) entry points.

Whilst most of the hospital cases the teams worked on were not exploited in this way, many other industries, who had rapidly installed remote working capabilities as national lockdowns came into force, were targeted like this.

Another example of a technique used by attackers to spread their ransomware was seen in a case where a hospital’s entire network of endpoints and servers was compromised with RYUK ransomware, via a batch file distributed by the hospital’s own IT department System Centre Configuration Manager (SCCM). The SCCM admin account was brute force attacked by an internal IP and used to distribute the batch file that downloaded the ransomware payload.

Off the shelf penetration testing tools such as Cobalt Strike have been seen regularly as attackers seek to steal credentials and maintain presence. Attackers are also deploying ‘living off the land’ techniques such as PowerShell and Windows Management Instrumentation (WMI), to both move laterally and to reduce their risk of exposure until triggering their attack.

CMS Attacks

There has been a growing trend in Content Management Systems (CMS) in the last year or two with 20 percent of all attacks seen carried out against WordPress, Joomla!, Drupal, and noneCMS. In one such case we saw a children’s hospital charity site taken over by an attacker who defaced the back end of the system to route all charitable donations to the attacker’s accounts.

The team identified that the attacker utilized multiple well-known exploits associated with WordPress plugins and ultimately gained access to the hospital’s website infrastructure via the ThemeREX exploit (CVE-2020-10257).

The attacker had embedded additional website URL addresses onto the site to redirect the donations and installed links to a further malicious website aimed at compromising visitors to the hospital’s website with fraud spam and connections to adult websites.

APT Group Intelligence Gathering

During the height of the first wave of the pandemic, our Global Threat Intelligence Center (GTIC) observed advanced persistent threats (APTs), particularly those suspected to be backed by nation-states, focusing their intelligence-gathering efforts on COVID-19 research. Many nations have been attempting to get the upper hand on COVID-19 research – both for the health of their citizens, as well as for the monetization of a potential treatment or vaccine.

Unsurprisingly, APTs are targeting the healthcare industry heavily while it’s at its most vulnerable. This includes international organizations, research organizations, hospitals and even individual healthcare workers and first responders.

With winter fast approaching for those of us in the northern hemisphere, and most of us facing the second wave of the pandemic, what does the current threat landscape look like? A great many of the rollouts of remote access tools have now been patched and secured.

As with all IT systems, that is not the case for all. There is increased talk of vaccines nearing their sign off, with hospitals and other healthcare workers gearing up for a mass vaccination program, but here in the UK we are once more in a national lockdown. These same hospitals and healthcare teams are struggling once more under the numbers of COVID-19 cases and repeated attacks.

Unfortunately, no one knows exactly what the impact of COVID-19 will be for businesses in the coming months and years. As we all continue adjusting, at NTT Ltd. we have been planning for both short-term recovery and for the longer-term workplace of the future, supporting clients in the continuous move to the new normal.

What’s Hot on Infosecurity Magazine?