In response to malicious activity targeting COVID-19 research and vaccine development in the United States, United Kingdom (UK), and Canada, the National Security Agency (NSA) released a Joint Cybersecurity Advisory to expose the threat. A malicious cyber actor is using a variety of tools and techniques to target organizations involved in COVID-19 research and vaccine development. Tools include SOREFANG, WELLMESS, and WELLMAIL malware.
Review the Joint Cybersecurity Advisory and the following Malware Analysis Reports for more information and to apply the mitigations provided.
Details of Techniques Initial Infection Vectors
In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations.
The group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds. Examples include, but are not limited to:
- CVE-2019-19781 Citrix 
- CVE-2019-11510 Pulse Secure 
- CVE-2018-13379 FortiGate 
- CVE-2019-9670 Zimbra 
The group also uses spear-phishing to obtain authentication credentials to internet- accessible login pages for target organizations.