COVID-19: CYBERSECURITY WATCH #1 – March 20th, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Threats

Attack: Corona-virus-Map.com.exe
Method: AZORult malware
Exposed surface: Map that shows the spread of the virus in real time.
Publication date: March 3rd, 2020
Description: This malware targets visitors looking for a live-tracking map of COVID-19 propagation to steal passwords and other personal data.
Link(s): https://blog.reasonsecurity.com/wp-content/uploads/2020/03/Threat-Analysis-Report-Corona-Virus-as-a-Malware.pdf

 

Attack: False political statements about the number of infections
Attackers: Potentially the TEMP.Hex group.
Method: SOGU and COBALTSTRIKE malware, and use of the “POISONIVY” backdoor
Targets: Vietnam, Philippines, Taiwan, Mongolia
Publication date: March 12th, 2020
Description: Mailing of malicious attachments containing information on cases of COVID-19 contamination.
Link(s): https://www.technologyreview.com/s/615346/chinese-hackers-and-others-are-exploiting-coronavirus-fears-for-cyberespionage/
https://www.globalsecuritymag.fr/FireEye-constate-une,20200313,96630.html

 

Attack: Malware on Microsoft Office
Method: Malware, phishing, backdoor
Exposed surface: Microsoft Office
Publication date: February 20th, 2020
Description: Publication of a three-page Microsoft Office document on the topic of coronavirus, supposedly coming from the Public Health Centre of the Ukrainian Ministry of Health.
Link(s): https://media.cert.europa.eu/static/MEMO/2020/TLP-WHITE-CERT-EU-THREAT-ALERT-Coronavirus-cyber-exploitation.pdf

 

Attack: “CovidLock”
Method: Ransomware
Exposed surface: Android application
Publication date: March 8th, 2020
Description: The site coronavirusapp[.]site claims to provide a COVID-19 outbreak tracking application for Android smartphones, but propagates ransomware that forces the victim to change their phone password in order to regain access to the phone’s content.
Link(s): https://www.domaintools.com/resources/blog/covidlock-mobile-coronavirus-tracking-app-coughs-up-ransomware
https://www.hackread.com/coronavirus-tracking-app-ransomware-scam-locks-phones-ransom/

 

Attack: Cyberattack paralyzes US Department of Health and Human Services computer systems in the midst of health crisis
Method: Ransomware
Target: U.S. Department of Health and Human Services
Publication date: March 16th, 2020
Description: The U.S. Health and Human Services Department suspects that a foreign state is behind an attack on its computer systems, as well as the publication of fake news concerning government actions to deal with the spread of the coronavirus.
Link(s): https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response

 

Attack: Fake official WHO statement hides phishing campaign
Method: Phishing
Target: Messaging
Date of publication: February 5th, 2020
Description: Attackers posing as the World Health Organization are taking advantage of COVID-19 to lure victims through emails containing a link to a site imitating the official one, in order to steal sensitive credentials.
Link(s): https://www.who.int/about/communications/cyber-security

 

Attack: Hackers trap companies under the guise of COVID-19 prevention
Method: Phishing
Target: Transport industry, manufacturing and banking sector
Publication date: February 10th, 2020
Description: Malware hidden in an email entitled “Coronavirus – Guidelines for the Transportation Industry” exploits Microsoft Office’s CVE-2017-11882 vulnerability to extract sensitive data from infected machines by installing AZORult malware.
Link(s): https://www.cyberscoop.com/coronavirus-phishing-emails-proofpoint-research/

 

Attack: Phishing exploiting preventive measures against the virus
Method: Phishing and Emotet, Trickbot, Formbook malware
Target: Messaging
Publication date: March 13th, 2020
Description: Research published by F-Secure highlights the exponential growth of phishing cyberattacks (using the Emotet, Trickbot, Formbook malware) exploiting public concerns about COVID-19 through prevention emails or surgical mask purchases.
Link(s): https://blog.f-secure.com/coronavirus-email-attacks-evolving-as-outbreak-spreads/

 

Fraud

Attack: Coronavirus-related financial extortion on the darknet
Method: Scams
Surface/Applications: Darknet
Publication date: March 12th, 2020
Description: Inventory of several scams: fake vaccinations, mask sales, hydroalcoholic solutions…
Link(s): https://www.darkowl.com/blog-content/coronavirus-on-the-darknet

 

Attack: The sale of fake travel documents is on the rise on the Internet
Method: Scams
Surface/Applications: Fraudulent internet websites
Publication date: March 17th, 2020
Description: Following the announcements by the President of the French Republic on the general lockdown of the population, several sites claimed to sell unlimited travel exemption certificates (attestations de déplacement) for €5, €10 or €100.
Link(s): https://www.zataz.com/non-lattestation-de-deplacement-derogatoire-ne-coute-pas-5-10-ou-100e/

 

Useful Resources

Type of resource: MISP Dashboard
Application area: MISP
Date of Publication: ND
Description: Dashboard to follow the evolution of the virus live.
Link(s): https://t.co/64bWDpZAKr?amp=1
https://twitter.com/MISPProject/status/1239864641993551873?s=03

 

Type of resource: List of registered domain names linked to the name of the virus
Publication date: March 14th, 2020
Description: This list records all domain names registered in connection with the virus (updated every minute).
Link(s): https://twitter.com/dustyfresh/status/1238925029057925122
https://1984.sh/covid19-domains-feed.txt

 

Type of resource: SANS Security Awareness publishes a free kit to secure teleworking
Target: Employees working remotely
Date of Publication: ND
Description: A kit for businesses listing the security procedures that apply to remote working and a roadmap for individuals.
Link(s): https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit

 

Type of resource: Reference list of video consultation and monitoring solutions for the management of patients with COVID-19.
Target: Doctors, nurses and caregivers.
Publication date: March 18th, 2020
Description: Reference table to help caregivers choose a remote working solution with, for each one, the proposed functionalities and the level of security guaranteed. The security editors drew up this list themselves.
Link(s): https://esante.gouv.fr/actualites/solutions-teleconsultation

 

Other news

Country: China
Topic: Chinese company modifies its AI to recognize citizens wearing masks
Publication date: March 11th, 2020
Description: The widespread use of surgical masks in China in the face of the COVID-19 outbreak is causing problems for the facial recognition software used by the state; one company is said to have trained its AI to remedy this.
Link(s): https://qz.com/1803737/chinas-facial-recognition-tech-can-crack-masked-faces-amid-coronavirus/

 

Country: Israel
Topic: Electronic mass surveillance to contain COVID-19
Publication date: March 17th, 2020
Description: The Israeli government has authorized the Israeli Internal Intelligence Service to use mass surveillance methods and tracking of the location of infected people’s mobile phones without prior judicial authorization.
Link(s): https://www.lemonde.fr/international/article/2020/03/17/israel-approuve-des-methodes-de-surveillance-electronique-de-masse-contre-le-coronavirus_6033390_3210.html