Editorial n°19 – The latest on the Coronavirus outbreak

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system covering the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • identify the biggest threats to computer systems;
  • share the resources and tools necessary to grasp and prevent ISS risks;
  • highlight the best digital practices to adopt in the face of this crisis.

The first newsletter is available at this address in French: COVID-19 : VEILLE CYBERSÉCURITÉ #1, and in English: COVID CYBERSECURITY WATCH #1.

The Coronavirus – scientifically referred to as Covid-19 – was spotted for the first time in the province of Wuhan, China. The outbreak has since spread like wildfire across 27 countries. In addition to a rate of infection unseen since the Spanish flu episode of the last century, the virus has hit the global economy with the same force as the 2008 financial crisis. Markets around the world are collapsing, dragging every economic sector down with them. The health sector in particular is in chaos due to the massive influx of patients requiring respiratory assistance and the lack of equipment to treat the virus – masks, ventilators and intensive care equipment. Drastic measures have been taken by states that are closing their borders and ordering their citizens to stay at home. As a result, we see an increase in digital activity as social networks become our sole means of communication and remote working replaces our daily commute.

These factors converge to create an environment particularly conducive to cyberattacks: the spread of the virus comes hand-in-hand with the proliferation of attacks taking advantage of the coronavirus crisis. The months of February and March saw a number of incidents in the cyber world, including:

  • Cyberattacks targeting hospitals;
  • Financial extortion through large-scale scams (fake certificates of exemption, and sale of masks/alcoholic gels);
  • The strengthening of the Chinese and Israeli surveillance systems in response to the epidemic;
  • Large-scale cyber-intelligence operations targeting state systems.

digital.security's research team will, in the following weeks, publish a weekly, open-access newsletter dedicated to the evolution and impact of the virus on our online and daily lives. The purpose of this reporting is to identify threats to IT systems, while sharing resources and best practices to be adopted in order to understand ISS risks. In order to be as exhaustive as possible, the coverage will be divided into several categories, and will deal with:

  • Threats (malware campaigns, phishing, cyberattacks);
  • Fraud (disinformation, scams) disseminated on the web;
  • Resources available to tackle the health crisis;
  • Any other cybersecurity-related news of Covid-19.

In the first bulletin, published the week of March 16 2020, we reported, amongst others, an attack on the US Department of Health in the midst of the health crisis, supposedly by a foreign state actor. The cyberattack was aimed at compromising the computer systems of the U.S. Health and Human Services Department and spreading fake news about government measures against Covid-19. The attackers sought to paralyse the HHS servers by overloading them with millions of hits within a few hours. In an official statement, the department secretary guaranteed that the attack had failed to critically affect the systems' functioning. However, the attackers were also responsible for spreading a disinformation campaign suggesting that the country was to be quarantined for two weeks.

Yet the most lucrative activity still seems to be phishing, which has been on the rise since the beginning of the crisis. It is indeed easy to be fooled by an e-mail imitating the official statement of a health authority to near perfection. Research carried out by Recorded Future has shown that the multiplication of domain names related to the pandemic is indicative of the proliferation of actors taking advantage of the general panic to launch mass cyberattacks. At the beginning of March, the number of domain names linked to COVID-19 rose to 800. Live tracking of these domains' creation is also available from a dashboard created for this purpose at https://1984.sh/covid19-domains-feed.txt.

Among the main phishing campaigns spotted since January is AZORult, an e-mail-distributed malware targeting the transport, industrial and financial sectors, among others, in the form of a roadmap dictating the sector-by-sector procedures to follow to deal with the crisis. Downloading the attached files leads to the exploitation of Microsoft Office's CVE-2017-11882 vulnerability, which allows attackers to run arbitrary code on infected machines and install AZORult, a data-stealing malware.

IBM X-Force has also identified a chain of malicious e-mails in Japan as the country adopts measures in response to the coronavirus. These e-mails, which are supposed to circulate information about the situation, actually contain Word files carrying a VBA macro, which triggers the installation of a PowerShell script and then downloads the Emotet Trojan.
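Both campaigns above rely on an Office document launching a script interpreter, which is something a defender can watch for in process-creation telemetry. The following detection routine is an added example, not code from digital.security or IBM X-Force; the event format, the field names and the sample events are constructed to resemble Sysmon-style process-creation records.

```python
# Added example: flag process-creation events in which an Office application
# spawns a script interpreter, the shape of the macro -> PowerShell -> download
# chain described above. Event layout and sample data are constructed (assumption).
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that commonly indicate a downloader or an obfuscated payload.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "-enc")


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process


def _basename(path):
    """Normalise a Windows or POSIX path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return (score, reasons): score is the number of suspicious traits found."""
    reasons = []
    parent, child = _basename(event.parent_image), _basename(event.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
        hits = [m for m in DOWNLOAD_MARKERS if m in event.command_line.lower()]
        if hits:
            reasons.append("download/encoded markers: " + ", ".join(hits))
    return len(reasons), reasons


def find_macro_chains(events):
    """Return [(event, reasons)] for every event that looks like a macro-driven chain."""
    flagged = []
    for event in events:
        score, reasons = assess(event)
        if score:
            flagged.append((event, reasons))
    return flagged


# Constructed sample telemetry: one Emotet-like chain, one benign PowerShell use,
# one Excel-to-cmd launch without download markers.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc <PLACEHOLDER_BASE64>"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Date"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c echo hello"),
]
```

Running `find_macro_chains(SAMPLE_EVENTS)` flags the first and third events; only the first also carries a download or encoded-command marker.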

Fraud also lurks in press releases that one might almost believe to be official: in reality they imitate those produced by the WHO or the U.S. Centers for Disease Control to deceive their targets. In some cases, the attack aims to obtain the victims' data using a fake log-in page; in others, it encourages them to donate Bitcoin to hospitals.

Don’t let your guard down! The bulletin is available on our website IoT Security Watch and offers live coverage of any cybersecurity-related incidents linked to Covid-19.