COVID-19: CYBERSECURITY WATCH #8 – May 7, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

 

Focus on a fraudulent Zoom version

Attack: An illegitimate Zoom installer spreads a malware
Method: Malware
Target: New Zoom users
Publication date: 04/29/2020
Link(s):
https://blog.trendmicro.com/trendlabs-security-intelligence/webmonitor-rat-bundled-with-zoom-installer/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Backdoor.Win32.REVCODE.THDBABO

The coronavirus pandemic has highlighted the benefits of telecommunication applications when working from home. However, as they always do, cybercriminals exploit both popular trends and user behavior.

The attack targets unsuspecting users through the malicious ZoomIntsaller.exe file available on unofficial and illegitimate sources. This file contains a combination of a Zoom application installer (non-malicious) and the malware RevCode WebMonitor.

Running the ZoomIntsaller.exe file will install the legitimate Zoom application (to avoid suspicion from the user) as well as the malware RevCode WebMonitor that will allow the attacker to take control of the compromised devices and spy on them via keylogging, webcam streaming or screenshots.

 

Threats

Attack: Phishing campaign mimics U.S. Department of Labor (DoL) to spread a malware
Method: Fraudulent e-mails
Target: American employees in the public and private sectors
Publication date: 04/30/2020
Description: In order to spread the malware, this new campaign mimics e-mails from the Family and Medical Leave Act (FMLA), granting employees the right to medical leave under COVID-19. Its delivery method is similar to the Trickbot banking malware, which integrates infected devices into a botnet.
Link(s):
https://securityintelligence.com/posts/trickbot-campaigns-targeting-users-via-department-of-labor-fmla-spam/

 

Attack: The UK National Cyber Security Center (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warn about APT group activity against organizations involved in the research on COVID-19
Method: Brute force attacks by password spraying
Target: National and international organizations working to counter the COVID-19 pandemic
Publication date: 05/05/2020
Description: The targets include health organizations, pharmaceutical companies, universities, medical research organizations and local communities, especially in the United States and the United Kingdom. Typically, APT groups seek to obtain personal information, intellectual property and intelligence of national interest for commercial purposes or for the benefit of a state. During the health crisis, they also focus on the national and international management of the health crisis to gather sensitive data related to medical research on COVID-19.
Link(s):
https://www.ncsc.gov.uk/news/apt-groups-target-healthcare-essential-services-advisory

 

Attack: Microsoft Teams targeted by a phishing campaign using cloned images of notifications to collect Office 365 credentials
Method: Phishing campaign/Theft of information
Target: Microsoft Teams/Microsoft Office 365 User Mailbox
Publication date: 05/01/2020
Description: Since the beginning of the health crisis, Microsoft Teams has been more solicited by teleworking users. This phishing campaign usurps Teams file sharing and audio conversation notifications. Cybercriminals have sent false alerts to Microsoft Teams users, claiming that someone wanted to make contact or that they had an offline audio message left.  In addition, they used several URL redirections in an attempt to hide the URL used to host this phishing campaign.
Link(s):
https://www.bleepingcomputer.com/news/security/convincing-office-365-phishing-uses-fake-microsoft-teams-alerts/

 

Attack: Cybercriminals usurp Zoom’s authentication pages to steal corporate e-mail credentials
Method: Phishing campaign/Theft of information
Target: Zoom users
Publication date: 04/27/2020
Description: By sending fake invitations to Zoom meetings from the human resources department, cybercriminals managed to steal company identifiers. Users clicked on the links (copy of the Zoom login page) and entered their email address and password. Then, cybercriminals were able to take control of their email and launch attacks from internal accounts.
Link(s):
https://cyberguerre.numerama.com/4699-zoom-des-hackers-creent-de-fausses-reunions-pour-voler-vos-identifiants-professionnels.html

 

Frauds

Attack: With the increase in online shopping due to the confinement, phishing campaigns are targeting carriers such as FedEx, UPS and DHL
Method: Phishing campaign/Identity theft
Surface/Application: Mailbox
Publication date: 04/27/2020
Description: Cybercriminals impersonated carriers indicating that due to COVID-19, deliveries would be delayed. Then, they invited the victims to modify the shipping document (attachments) or to reschedule the collection to install a Bsymem Trojan or RAT-type malware.
Link(s):
https://www.kaspersky.com/blog/covid-fake-delivery-service-spam-phishing/35125/

 

Attack: The Australian Institute of Criminology (AIC) investigated 20 darknet markets selling COVID-19 related medical equipment
Method: Illegal sale of medical equipment, fake vaccines and screening tests
Surface/Application: Darknet
Publication date: 04/30/2020
Description: Personal protective equipment (PPE) accounts for almost half of all products sold and one third of those encompass antivirals or drugs. Fake vaccines, tests and diagnostic instruments each account for nearly 10% of products. The total estimated value of these items exceeds 235,000 dollars. 
Link(s):
https://www.infosecurity-magazine.com/news/dark-web-fake-vaccines-blood/
https://www.aic.gov.au/publications/sb/sb24

 

Attack: Security breach on the “symptom checker” of COVID-19 from Jio, India’s leading telecom operator
Method: Theft of sensitive data
Surface/Application: Website and Jio application
Publication date: 05/03/2020
Description: Launched at the end of March, this symptom checker lets you know via your phone or Jio’s website if you have been infected by the COVID-19. A researcher has pointed out a security flaw revealing a leak in one of the main databases on the Internet, which contains medical data of people or addresses. Although the system has been quickly taken offline, there is no proof that cybercriminals exploited the breach.
Link(s):
https://techcrunch.com/2020/05/02/jio-coronavirus-security-lapse/

 

Useful resources

Type of resources: New YouTube fact-checking functionality
Target: YouTube users in the U.S.
Publication date: 04/30/2020
Description: To counter misinformation related to COVID-19 in the United States, YouTube is launching an insert functionality. These feature so-called “verified” articles and other relevant press reports from media outlets affiliated with the International Fact-Checking Network (IFCN) and conforming to ClaimReview standards. However, any videos will be removed.
Link(s):
https://siecledigital.fr/2020/04/30/youtube-fact-checking-panneaux-etats-unis/

 

Type of resources: To address the significant increase in telecommuting during the health crisis, the U.S. National Security Agency (NSA) and CISA publish their Cyber hygiene best practices
Target: Businesses and public administrations
Publication date: Updated on 05/01/2020
Description: The CISA provides a new web portal gathering its recommendations regarding the use of digital tools for telework. The NSA report includes an evaluation of the most commonly used videoconferencing tools.
Link(s):
https://media.defense.gov/2020/Apr/24/2002288652/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-LONG-FINAL.PDF
https://www.cisa.gov/news/2020/05/01/cisa-launches-telework-product-line-providing-best-practices-and-cybersecurity-tips

 

Type of resources: COVID-19 Malicious Domain Research Hub, an open data toolkit related to online malicious activity
Target: General public/Technophiles
Publication date: 05/04/2020
Description: This toolkit collects data related to malicious activities linked to COVID-19 and makes it available free of charge. It includes new registered coronavirus-related domain names, fraud-checking tools, threat tables and their evolution, in real time. A GitHub link, which is constantly updated, is also available to retrieve this information.
Link(s):
https://proprivacy.com/tools/scam-website-checker
https://github.com/ProPrivacy/covid-19

 

Other News

Country: Singapore
Subject: Due to the ineffectiveness of the TraceTogether digital tracking application, Singapore is strengthening its system with a mandatory QR code system
Publication date: 05/03/2020
Description: Few people were using TraceTogether based on Bluetooth technology, unable to run in the background without adopting the solution from Google and Apple. As a result, the SafeEntry solution was deployed, requiring visitors to public institutions, businesses and shopping malls to scan a QR code when entering and leaving. It collects their name, ID number, phone number and the duration of their visit. Singapore also announced working with Google and Apple to enhance the TraceTogether application.
Link(s):
https://www.gov.sg/article/digital-contact-tracing-tools-for-all-businesses-operating-during-circuit-breaker

 

Country: China
Subject: Smart glasses to detect COVID-19
Publication date: 05/01/2020
Description: Chinese startup Rokid developed a pair of smart glasses that can measure body temperature and determine whether people have been infected with the coronavirus. These glasses are equipped with an infrared sensor, a camera and a Qualcomm processor. The screen displays the temperature in real time. More than 1,000 units have already been sold to governmental authorities, schools and businesses.
Link(s):
https://www.nytimes.com/reuters/2020/05/01/technology/01reuters-health-coronavirus-china-detection-glasses.html

 

Country: Japan
Subject: Pepper robot welcomes COVID-19 patients
Publication date: 05/01/2020
Description: As Japan turns to hotels to accommodate COVID-19 patients in Tokyo, some staff have been replaced by Pepper robots (designed by Softbank Robotics) to care for patients and clean up high-risk areas. These robots also provide instructions on good hygiene practices such as wearing masks.
Link(s):
https://www.reuters.com/article/us-health-coronavirus-japan-robot-hotels/robots-on-hand-to-greet-japanese-coronavirus-patients-in-hotels-idUSKBN22D4PC

 

Country: United Kingdom
Subject: The British government contact tracking application fails security tests
Publication date: 05/04/2020
Description: The contact tracking application ultimately failed government cybersecurity tests. As a result, it cannot be included in the National Health Service (NHS) application library, as confidentiality is not guaranteed. In light of this failure, trials on the Isle of Wight will be conducted this week for further evaluation. Islanders have thus been urged to download the application to carry out trials in live conditions.
Link(s):
https://www.hsj.co.uk/technology-and-innovation/exclusive-wobbly-tracing-app-failed-clinical-safety-and-cyber-security-tests/7027564.article https://www.digitalhealth.net/2020/05/covid-19-nhs-contact-tracing-app-launched-in-isle-of-wight/

 

Country: France
Subject: The French Minister for digital affairs, Cedric O, announced the deployment of the StopCovid application is now scheduled for June 2
Publication date: 05/05/2020
Description: As discussions between Google, Apple and the French government have been inconclusive regarding the removal of restrictions on Bluetooth that prevent it from working in the background, Cedric O announced that initial tests of the French digital tracking application will be carried out as early as May 11. The project should have been presented to Parliament last week, but the inability to come up with a fully-fledged prototype pushed back the deadline to May 25 with a potential deployment of the application by June 2.
Link(s):
https://www.euronews.com/2020/04/29/coronavirus-french-mps-approve-covid-19-tracing-app-despite-privacy-concerns

 

Back to the previous newsletters of CYBERSECURITY WATCH :
#1
#2 
#3
#4
#5
#6
#7