COVID-19: CYBERSECURITY WATCH #7 – April 30, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

To better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.



Focus on a malicious GIF in Microsoft Teams

Attack: A malicious GIF behind a vulnerability in Microsoft Teams
Method: Data/Identity theft
Target: Microsoft Teams’ users (predominantly teleworking during the COVID-19 pandemic)
Publication date: 04/27/2020

Security researchers at CyberArk have discovered a security issue in the Microsoft Teams collaboration platform affecting both the desktop and web versions.

By exploiting a sub-domain takeover combined with a specially crafted GIF sent to their victims, attackers could have taken control of the targeted Teams accounts. This illegitimate access would have made it possible to retrieve the confidential conversations of the targeted people, and also to send messages to their various contacts, allowing the attack to spread rapidly and act like a worm.

The researchers were able to show that specific authentication information (including the skype token, used to access shared images and also for other uses) was sent to the sub-domain but also to any other associated sub-domain (* By using the access token and the skype token, it is possible to query the Teams API interfaces with user rights. It is thus possible to access the various functionalities offered by the API, including the ability to send messages, read them, create groups, add and delete new users, change permissions in groups, etc.

The second challenge was the need to control sub-domains * to retrieve access tokens. Researchers were able to achieve this by taking control of two domains ( and badly configured by Microsoft.

Finally, in order to retrieve the tokens belonging to a victim, the researchers used a GIF with a src attribute pointing to one of the controlled sub-domains. This allowed them to make their attack quite stealthy.

Microsoft's teams were informed on March 23, 2020 and fixed the domain name issue on the same day. A security patch was deployed on April 20, 2020.
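
The two conditions described above (an authentication token scoped to every sub-domain, and a sub-domain whose DNS target is no longer under the owner's control) can be audited together from the defender's side. The sketch below is an added example, not code from CyberArk or Microsoft; the cookie name, the example.com hosts and the inventory are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    set_by: str              # host that issued the Set-Cookie header
    domain: Optional[str]    # Domain attribute; None means host-only

def receives(cookie: Cookie, host: str) -> bool:
    """RFC 6265 domain-match: would a browser send this cookie to host?"""
    host = host.lower().rstrip(".")
    if cookie.domain is None:
        return host == cookie.set_by.lower()
    scope = cookie.domain.lower().lstrip(".")
    return host == scope or host.endswith("." + scope)

# Constructed inventory: hostname -> (CNAME target, does the target still exist?)
INVENTORY = {
    "chat.example.com": ("app-prod.cloud.example.net", True),
    "img-old.example.com": ("retired-bucket.cloud.example.net", False),
    "promo.example.com": ("campaign-2019.cloud.example.net", False),
    "status.example.org": ("gone.cloud.example.net", False),
}

def token_exposure(cookie: Cookie, inventory: dict) -> list:
    """Hosts that are dangling (target gone) AND inside the cookie's scope."""
    return sorted(host for host, (_target, live) in inventory.items()
                  if not live and receives(cookie, host))

# Hypothetical token cookie, once scoped to all sub-domains, once host-only.
WIDE = Cookie("session_token", "chat.example.com", ".example.com")
HOST_ONLY = Cookie("session_token", "chat.example.com", None)

if __name__ == "__main__":
    for label, cookie in (("wide scope", WIDE), ("host-only", HOST_ONLY)):
        print(label, "->", token_exposure(cookie, INVENTORY) or "no exposed hosts")
```

Any host the wide-scope check returns is a DNS record to delete or re-point; narrowing the cookie to host-only removes the exposure even if a dangling record is missed.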



Attack: Hackers linked to the Vietnamese government reportedly tried to access data from Chinese government agencies involved in the fight against the COVID-19 pandemic
Method: Spear-phishing campaign
Target: Personal and professional e-mail accounts of staff at China’s Ministry of Emergency Management and the Wuhan Government
Publication date: 04/22/2020
Description: According to the American firm FireEye, the hackers belong to the Vietnamese group APT32 and began their campaign in January 2020 to obtain information on China’s handling of the pandemic. Once opened, the attachments contained in the malicious e-mails spread the malware METALJACK, which allows hackers to extract data from the infected machine.


Attack: Critical security flaws in the videoconferencing tool Zoom
Method: Malware/Spyware
Target: Zoom users
Publication date: 04/22/2020
Description: In the current health crisis, videoconferences are on the rise on platforms such as Zoom. Morphisec’s “white hat” researchers have revealed security flaws in Zoom that allow hackers to deliberately record videoconferencing sessions and access participants’ discussions. Zoom has been alerted by these researchers.


Attack: Data from the Chinese company Huying Medical, known for its COVID-19 detection system based on artificial intelligence, is available on the darknet
Method: Currently unknown
Target: Huying Medical
Publication date: 04/27/2020
Description: The hacked data includes the personal information of several thousand users of this virus detection system, which has reportedly been deployed in 20 Chinese hospitals and 10 countries globally. The data is on sale on the darknet for the sum of four bitcoins, representing approximately 30,800 dollars.



Attack: Hackers posing as representatives of the World Health Organization to collect Bitcoin donations
Method: Fraudulent Emails/Phishing Campaign
Surface/Application: Mailbox
Publication date: 04/26/2020
Description: Hackers have launched a phishing campaign to incite victims to make donations to the WHO via the Bitcoin network in order to fight COVID-19. These donations could be paid into two “wallets” accepting payments in Bitcoin and Bitcoin Cash.


Attack: Nearly 25,000 e-mail addresses and passwords stolen from several organizations involved in the COVID-19 pandemic response
Method: Authentication credentials leakage
Target: The WHO, the Wuhan Institute of Virology, the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC) and the Gates Foundation
Surface/Application: Pastebin, 4Chan, Twitter and Telegram
Publication date: 04/22/2020
Description: Only the WHO confirmed the leakage of 450 active e-mail addresses and passwords but stated that these data are old and do not expose its information systems to attacks. The Organization will nevertheless migrate the systems concerned to a more secure authentication system. In addition, the data is reportedly being used by extreme right-wing activists to disseminate conspiracy theories relating to the COVID-19 pandemic.


Attack: Hackers posing as the U.S. Government Small Business Administration ( and infecting computers through attachments
Method: Phishing and malware Campaign
Surface/Application: SBA-funded US SME mailbox
Publication date: 04/27/2020
Description: Fraudulent e-mails mimicking SBA notifications on COVID-19 loan applications were sent to US SMEs. Once opened, the attachments contained in the malicious e-mails propagate the GuLoader malware downloader, providing the “Remcos” remote access tool.


Attack: Whilst several Russian cities are under lockdown due to the COVID-19 pandemic, cybercriminals are selling fake digital certificates for travel to Russian citizens
Method: Selling fraudulent documents
Surface/Application: Fraudulent websites, Telegram, Instagram and the Russian social network VK
Publication date: 04/27/2020
Description: The cybersecurity firm Group-IB assisted the Moscow Department of Information Technology to identify and shut down nearly half of the 126 platforms selling these forged documents at prices ranging from 38 to 65 dollars. Two suspects based in Moscow and its region were apprehended.


Attack: Hackers create a fake official UK National Health Service (NHS) website and spread malicious software
Method: Trojan horse/Data Theft
Surface/Application: Mailbox
Publication date: 04/24/2020
Description: Hackers have created a fake official NHS website offering health advice to deal with COVID-19. The hackers tricked users into clicking on the links and downloading a file called “COVID-19” which is actually a Trojan horse capable of stealing information (passwords, banking information…).


Useful resources

Type of resources: Sigfox launches a call for IoT projects to fight against COVID-19
Target: Industrialists and members of the IoT ecosystem
Publication date: 04/08/2020
Description: Sigfox, one of the world’s leading providers of services for the IoT, is calling for projects to fight against COVID-19 through the Internet of Things. Sigfox is working to implement IoT solutions to save lives. Sigfox added that no connectivity fees would be charged for all new projects addressing the coronavirus pandemic. For instance, sensors are used to track protective equipment and driverless connected shuttles to transport COVID-19 tests.


Type of resources: Given the growing use of videoconferencing tools since the beginning of the COVID-19 crisis, JDSupra provides cyber hygiene practices to adopt
Target: Businesses and public administrations using videoconferencing tools
Publication date: 04/27/2020
Description: JDSupra recommends the following measures. First, review the privacy policy of videoconferencing tool providers to ensure that they do not abuse their users’ data. Second, impose protective measures: avoid revealing confidential or personal information when sharing screens, establish a password for conference access and prohibit screen captures, disable cameras and private chat as much as possible, and prohibit the use of pseudonyms that may conceal users’ identities.


Type of resources: A chatbot dedicated to patient follow-up at the Toulouse University Hospital Center
Target: Patients at the Toulouse University Hospital Center
Publication date: 04/29/2020
Description: The Toulouse-based start-up Botdesign has developed a remote monitoring system for the Toulouse University Hospital Center. This chatbot is designed to detect risk situations for vulnerable patients confined to their homes.


Other News

Country: France
Subject: The National Cybersecurity Agency of France (ANSSI) and French Data Protection Authority (CNIL) recommendations for the implementation of the French StopCovid application
Publication date: 04/27/2020
Description: The StopCovid application has previously been the subject of warnings from the CNIL and the ANSSI. In a press release, the CNIL gives its endorsement, albeit with reservations regarding the transparency of the application's operating mode. In addition, the ANSSI has published its recommendations on the security measures to be adopted.


Country: Australia
Subject: Although 2 million Australians have downloaded the digital tracking application COVIDSafe, 10 million people need to use it for it to be effective.
Publication date: 04/27/2020
Description: Estimates suggest that 10 million people need to download and use the application regularly for it to be effective. However, the model of data centralization favored by the Australian government could put off many citizens concerned about the confidentiality of the data collected. In addition, it is unclear whether the application works in the background and when a phone is locked, which would further limit its effectiveness.


Country: Belgium
Subject: Tests conducted on connected wristbands at the port of Antwerp
Publication date: 04/23/2020
Description: The port of Antwerp has tested the anti-COVID-19 connected bracelet called “Romware Covid Radius”. The latter guarantees a certain social distance between employees and keeps track of physical contacts.


Country: United States
Subject: MIT researchers integrate sensors into a T-shirt to monitor the wearer’s temperature, respiration and heart rate
Publication date: 04/23/2020
Description: Easily integrated into any clothing and washable, the sensors could be used to support efforts to tackle the COVID-19 pandemic. People suspected of being contaminated with COVID-19 would have their physiological data collected on a smartphone and transmitted to medical staff to avoid the risk of contamination of healthcare workers as much as possible.


Country: United Arab Emirates
Subject: The Emirati police use connected helmets to take the population’s temperature
Publication date: 04/24/2020
Description: UAE law enforcement agencies now use connected helmets to monitor and analyze the population’s temperature remotely. The Chinese company KC Wearable designs these helmets. They can analyze 200 people in one minute and from up to five meters away.

