COVID-19: CYBERSECURITY WATCH #6 – April 23rd, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert system covering the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on a spear phishing campaign operated by the Gamaredon APT Group

Attack: Spear phishing campaign targeting government institutions of Ukraine
Method: Spear phishing
Target: E-mail
Publication date: April 17th, 2020
Link(s):
https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/

The Gamaredon group (an anagram of Armageddon), known for conducting APTs (Advanced Persistent Threats) in Ukraine, is taking advantage of the global epidemic to launch new operations.

A Trend Micro team discovered this new case through a spear phishing e-mail carrying a Word file in .docx format. The e-mail subject speaks for itself: “Coronavirus (2019-nCoV)”. Opening the document automatically downloads a Word template (in .dot format) from the Internet.

This new Word template contains the malicious macros that will be executed. Metadata were retrieved from it: the language used is Russian, the author of the document is “АДМИН” (Administrator in Russian) and the code page is Windows Cyrillic.

The execution of these macros leads to the creation and execution of the “PlayList.vbs” file whose content is hardcoded.

The first task of the VBS script consists of creating a registry value that relaunches the script at every boot of the infected machine:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\MediaPlayer wscript.exe //b %USERPROFILE%\Documents\MediaPlayer\PlayList.vbs

Then, a file named “Cookie.txt”, whose content is encrypted by a simple XOR, is downloaded from Gamaredon’s servers. After a quick decryption, the file is saved as “Cookie.exe” for execution. These two files then self-destruct… until the next computer reboot.
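As a defender-side illustration of the persistence step described above (an added example, not code from this newsletter or from Trend Micro's report): a Python triage of HKCU Run/RunOnce values that flags Windows Script Host launchers combined with the indicators seen in this entry (silent //b switch, script file as payload, user-writable path). The sample entries are constructed; only the first mirrors the quoted value, and the live collection helper only runs on Windows.

```python
import re
import sys

# Script hosts and silent switch seen in the RunOnce entry quoted above.
WSH_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%", "\\users\\")
AUTORUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
                r"Software\Microsoft\Windows\CurrentVersion\RunOnce")

def triage_autoruns(entries):
    """Return [(key, value_name, command, reasons)] for Run/RunOnce values that launch
    a script host with extra risk indicators. entries: (key_path, value_name, command)."""
    findings = []
    for key, name, cmd in entries:
        low = cmd.lower()
        if not any(h in low for h in WSH_HOSTS):
            continue  # only wscript/cscript launchers are of interest here
        reasons = ["script host launched at logon"]
        if re.search(r"//b\b", low):
            reasons.append("silent mode (//b) suppresses script errors and prompts")
        if re.search(r'\.(vbs|js|wsf)"?\s*$', low):
            reasons.append("script file is the autorun payload")
        if any(p in low for p in USER_WRITABLE):
            reasons.append("payload lives in a user-writable path")
        if len(reasons) >= 3:  # host plus at least two indicators
            findings.append((key, name, cmd, tuple(reasons)))
    return findings

def collect_hkcu_autoruns():
    """Read HKCU Run/RunOnce values via the standard winreg module; [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for key_path in AUTORUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = value count
                    name, data, _ = winreg.EnumValue(k, i)
                    found.append(("HKCU\\" + key_path, name, str(data)))
        except OSError:
            pass
    return found

# Constructed sample: first entry mirrors the Gamaredon value, the other two are benign.
SAMPLE_ENTRIES = [
    ("RunOnce", "MediaPlayer", r'wscript.exe //b "%USERPROFILE%\Documents\MediaPlayer\PlayList.vbs"'),
    ("Run", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Run", "VendorUpdate", r'cscript.exe "C:\Program Files\Vendor\update.vbs"'),
]
```

On a Windows host, `triage_autoruns(collect_hkcu_autoruns())` applies the same rules to the current user's real autorun values.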

The actions carried out by the final payload follow the usual habits of the attacking group; the use of the COVID-19 theme in APT operations, while not a huge surprise, is now well established.

 

Threats

Attack: The Dridex banking Trojan Horse is back in action since the start of the COVID-19 pandemic
Method: Phishing campaigns to implant a Trojan horse
Target: Individuals and businesses using Windows
Publication date: April 9th, 2020
Description: The recent increase in the use of Dridex relies on several phishing campaigns containing a malicious Excel file, which, once opened, installs the Trojan on the victim’s computer. It mainly targets the Windows platform to steal banking authentication credentials and facilitate fraudulent money transfers.
Link(s):
https://blog.checkpoint.com/2020/04/09/march-2020s-most-wanted-malware-dridex-banking-trojan-ranks-on-top-malware-list-for-first-time/

 

Attack: Microsoft puts Trickbot at the top of the list of malware using COVID-19-related lures
Method: Phishing campaign
Target: Individuals and businesses
Publication date: April 17th, 2020
Description: The most recent phishing campaign relies on several hundred e-mails containing attachments with COVID-19-themed macros and advertising free screening tests. Once the computer is compromised, Trickbot carries on its attack by distributing malware such as Trojans or ransomware.
Link(s):
https://www.bleepingcomputer.com/news/security/microsoft-trickbot-in-hundreds-of-unique-covid-19-lures-per-week/?&web_view=true

 

Attack: COVID-19 malware campaign targeting industrial sectors in Azerbaijan
Method: Theft of confidential data/Malware
Target: Public and industrial sectors and wind power industries
Publication date: April 16th, 2020
Description: The government and energy sectors in Azerbaijan have been targeted by a new malware campaign with Remote Access Trojans (RATs). These are able to steal sensitive documents and webcam images. This malware targets mainly the energy sector.
Link(s):
https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html

 

Attack: Cyberattacks targeted two hospitals in the Czech Republic
Method: Spear-phishing campaign
Target: Information systems of two hospitals in the Czech Republic 
Publication date: April 17th, 2020
Description: The attack was prevented thanks to the National Cyber and Information Security Agency warnings. Both hospitals were able to take precautionary measures, including the creation of offline backups of their data. 
Link(s):
https://www.intellinews.com/czech-healthcare-sector-under-serious-cyber-attack-181407/

 

Attack: The malware CoronaLocker locks your computer screen and blocks certain Windows features
Method: Currently unknown
Target: Windows users
Publication date: April 21st, 2020
Description: A fake Wi-Fi hacking program spreads this malware. Once installed, the infected computer reboots and brings up a lock screen displaying an e-mail address and the message “you are infected with corona virus”. It is possible to override this lock screen, but the malware prevents the task manager from working and disables the “Start” menu.
Link(s):
https://www.bleepingcomputer.com/news/security/new-coronavirus-screenlocker-malware-is-extremely-annoying/

 

Attack: Malware campaign imitating Android applications with COVID-19 lures targets Syrians
Method: Identity theft / Malware
Target: Arabic-speaking users, Syrian regional area
Publication date: April 15th, 2020
Description: This campaign, active since January 2018, relies on imitations of nearly 70 Android applications related to COVID-19. According to Lookout researchers, the fake applications communicate with the same command and control server. Once installed, some of them can spread malware and establish surveillance of computers and smartphones.
Link(s):
https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures

 

Frauds

Attack: Spy campaign “Project Spy” under a fake application: “Coronavirus Updates”
Method: Spyware
Surface/Application: Android and iOS devices
Publication date: April 14th, 2020
Description: “Project Spy” uses the coronavirus pandemic as a lure to infect Android and iOS devices and collect confidential data (SMS, photos and call monitoring).
Link(s):
https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/

 

Attack: Facebook will alert users who have interacted with false information about COVID-19
Method: Sending informative messages
Surface/Application: Facebook
Publication date: April 16th, 2020
Description: Users who liked, reacted to or commented on misleading content related to COVID-19 will find in their news feed a message from Facebook linking to the WHO page that debunks rumors about the pandemic.
Link(s): https://about.fb.com/news/2020/04/covid-19-misinfo-update/

 

Attack: Phishing campaign for false financial claims to HMRC for UK companies
Method: Phishing
Surface/Application: E-mail
Publication date: April 20th, 2020
Description: The attackers posed as employees of Her Majesty’s Revenue and Customs and invited the victims (company directors) to claim financial compensation for the drop in activity due to COVID-19, and therefore to send their bank details.
Link(s):
https://www.infosecurity-magazine.com/news/hmrc-covid19-phishing-scam/

 

Attack: The German province of North Rhine-Westphalia lost tens of millions of euros as a result of a COVID-19-themed phishing campaign
Method: Fraudulent e-mails redirecting to an imitation of an official website
Surface/Application: Phishing campaign
Publication date: April 18th, 2020
Description: Once they created a copy of the official site, the cybercriminals carried out a phishing campaign redirecting companies and self-employed workers seeking financial aid to their fake site in order to collect their personal data. Then, they impersonated them in order to apply for aid from the government, while replacing the bank account information.
Link(s):
https://www.zdnet.com/article/german-government-might-have-lost-tens-of-millions-of-euros-in-covid-19-phishing-attack/

 

Attack: Malicious advertisements targeting Internet Explorer claim to convey information about COVID-19
Method: Information theft
Surface/Application: Internet Explorer (obsolete version)
Publication date: April 17th, 2020
Description: This malvertising campaign uses the “Fallout” exploit kit, which exploits vulnerabilities in older versions of Internet Explorer to install the “Kpot v2.0” information stealer and exfiltrate sensitive data.
Link(s):
https://www.undernews.fr/alertes-securite/covid-19-une-campagne-de-publicite-malveillante-cible-les-utilisateurs-dinternet-explorer.html

 

Useful resources

Type of resources: Microsoft offers its AccountGuard anti-phishing service to healthcare facilities during the COVID-19 pandemic
Target: Healthcare facilities in 29 countries in North America and Europe
Publication date: April 15th, 2020
Description: Usually restricted to a small number of selected users, the AccountGuard phishing protection system offers its users additional security features for their e-mail accounts to detect fraudulent e-mails.
Link(s):
https://www.helpnetsecurity.com/2020/04/15/microsoft-accountguard-healthcare/

 

Type of resources: Waze will display COVID-19-related locations
Target: Population of 58 countries
Publication date: April 16th, 2020
Description: The Waze navigation service will add warnings and destinations related to COVID-19 such as medical test centers, collection points and road closures.
Link(s):
https://datanews.levif.be/ict/actualite/waze-va-afficher-des-emplacements-lies-au-corona/article-news-1277847.html

 

Type of resources: Instagram’s co-founders work on an application to follow the COVID-19 spread
Target: Instagram users in the United States
Publication date: April 18th, 2020
Description: The two co-founders of Instagram have implemented the “Rt live” solution to follow the spread of the virus live. This application also provides a tracking dashboard by states and cities.
Link(s): https://techcrunch.com/2020/04/18/instagram-founders-rt-live/

 

Type of resources: French company Orange announced the development of its own contact tracing application to contain the COVID-19 outbreak
Target: Public health authorities
Publication date: April 20th, 2020
Description: Although the French authorities are working on developing their own contact tracing application called StopCovid, the solution proposed by Orange would provide more guarantees for the protection of personal data. According to Le Figaro, this prototype was developed in collaboration with other companies including Accenture, Dassault Systèmes and Sopra Steria. 
Link(s):
https://www.zdnet.fr/actualites/stopcovid-orange-developpe-sa-propre-application-pour-endiguer-l-epidemie-39902435.htm

 

Type of resources: European Commission launches an open source portal for sharing information on COVID-19
Target: Researchers and scientists
Publication date: April 20th, 2020
Description: This open source portal will allow scientists to access all data on the virus. It will include DNA sequences, protein structures and data from pre-clinical research.
Link(s):
https://techcrunch.com/2020/04/20/eu-data-portal-launches-to-support-covid-19-research/

 

Other News

Country: United Kingdom
Subject: The National Cyber Security Centre (NCSC) has launched a platform to report suspicious e-mails
Publication date: April 21st, 2020
Description: Given the increase in COVID-19-themed phishing campaigns, this new platform features an automatic scanner that analyzes the e-mails reported by British citizens. If an e-mail is considered fraudulent, the NCSC will shut down the websites linked to it.
Link(s):
https://www.infosecurity-magazine.com/news/government-covid19-scams-email/

 

Country: Canada
Subject: Implementation of free cybersecurity services for SMEs and health services by the Canadian Internet Registration Authority (CIRA)
Publication date: April 21st, 2020
Description: This initiative will help SMEs, medical services and non-profit organizations gain free access to CIRA’s DNS firewall until September 30, 2020. This project is designed to protect their network systems and prevent phishing attacks.
Link(s):
https://www.cisomag.com/cira-offers-free-cybersecurity-to-health-care-small-businesses-and-ngos-in-canada/

 

Country: United States
Subject: Pony.ai’s autonomous vehicles will deliver meals and groceries to confined people in California
Publication date: April 20th, 2020
Description: Pony.ai, backed by Toyota, will offer an autonomous delivery service in California to bring meals and groceries to people under lockdown.
Link(s):
https://www.reuters.com/article/us-health-coronavirus-pony-ai/toyota-backed-pony-ai-to-offer-autonomous-delivery-service-in-california-idUSKBN21Y3GK

 

Country: United States
Subject: Plasmabot, Microsoft’s chatbot to recruit blood plasma donors
Publication date: April 20th, 2020
Description: Microsoft has launched a chatbot to collect blood plasma from donors and inject it into patients with COVID-19
Link(s):
https://www.mobihealthnews.com/news/microsoft-chatbot-helps-covid-19-survivors-determine-if-eligible-donate-plasma

 

Country: International
Subject: An artificial intelligence model developed by MIT predicts a new wave of COVID-19 infections at the end of lockdown
Publication date: April 17th, 2020
Description: Based on publicly available data, epidemiological models and deep learning, this artificial intelligence is able to predict the spread of COVID-19. It is believed to be more effective than other predictive models because it also relies on an artificial neural network.
Link(s): https://www.lebigdata.fr/ia-mit-deconfinement-catastrophe

 

Country: Netherlands 
Subject: A contact tracing application to stop COVID-19 banned by the Dutch justice system
Publication date: April 20th, 2020
Description: The application was banned due to a data leak. The source files contained sensitive user data from another application.
Link(s):
https://www.dutchnews.nl/news/2020/04/major-data-leak-found-in-one-of-seven-potential-coronavirus-apps/

 
