COVID-19: CYBERSECURITY WATCH #9 – May 14, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on phishing campaigns using Agent Tesla

Attack: Several phishing campaigns related to COVID-19 deliver a new variant of the Agent Tesla Trojan
Method: Data theft
Target: Microsoft Windows users
Publication date: 05/11/2020
Link(s):
https://www.checkpoint.com/press/2020/april-2020s-most-wanted-malware-agent-tesla-remote-access-trojan-spreading-widely-in-covid-19-related-spam-campaigns/
https://krebsonsecurity.com/2018/10/who-is-agent-tesla/
https://www.fortinet.com/blog/threat-research/new-agent-tesla-variant-spreading-by-phishing.html

Agent Tesla is a RAT (Remote Access Trojan) malicious program. Initially, it was a commercial software developed in .NET and running on Windows. Because of its capabilities, Agent Tesla has been widely used to perform malicious actions and has the following features:

  • Keystroke logger (keylogger)
  • Microphone and webcam stream recorder
  • Recovery of passwords stored in the browser

Numerous campaigns using Agent Tesla have been observed since 2014. Cybercriminals sometimes use variants of the original software.

Since the COVID-19 health crisis, many variants of Agent Tesla have reappeared. Criminals are taking advantage of the current environment to conduct targeted phishing campaigns. According to CheckPoint, Agent Tesla was the third most prevalent malware in April, affecting 3% of the world’s organizations. Due to the extent of Agent Tesla’s presence around the world, it is important to be aware that this malware appears in many different forms. Recent analyses indeed highlight the use of Agent Tesla in phishing campaigns targeting the healthcare sector.

The e-mail received contains a malicious file. If the user is trapped, the procedure is always the same: the program runs and scans the compromised computer looking for secrets and passwords. It will search the file system, the known directories of the software used and the Windows registry. The main targets are passwords located in browsers, e-mail clients, VPN clients or Wi-Fi registered passwords.  One of the malware analyzed by Fortinet shows that it tries to browse through more than 60 different software on the compromised target. Once these items are collected, the malware exfiltrates them to a remote server using the SMTP protocol.

The only effective protection against these attacks is to raise awareness: informing users not to open attachments from an unknown source and being particularly wary of e-mails dealing with the subject of COVID-19. At the same time, it is also recommended to keep your security solutions up to date, especially antivirus software. Indeed, antivirus vendors update their database regularly, each time a new piece of malware is detected.

 

Threats

Attack: Private hospital operator and dialysis service provider Fresenius targeted by Snake ransomware
Method: Crypto-ransomware
Target: Fresenius information systems
Publication date: 05/08/2020
Description: According to the medical company, the attack limited some of its activities in Europe and the United States, with no impact on its capacity to receive and care for patients. The Snake ransomware mainly targets Windows-based systems and encrypts corporate data in order to ask for ransom in cryptocurrency. The attack is all the more worrisome as some patients with COVID-19 develop kidney failure and need dialysis.
Link(s):
https://www.hackread.com/hackers-hit-europe-healthcare-provider-snake-ransomware/

 

Attack: Cybercriminals mimic Zoom notifications to steal usernames and passwords from Office 365 accounts
Method: Phishing campaign
Target: Zoom users
Publication date: 05/11/2020
Description: This phishing campaign replicates Zoom notifications to steal information related to Office 365 accounts. Attackers use numerous lures such as the names of targeted companies and the Office 365 logo. They also created an e-mail and landing page mimicking Zoom meeting notifications. The mock e-mail links to a fake Microsoft login page with the user’s organization name and Zoom above the login location.
Link(s):
https://abnormalsecurity.com/blog/abnormal-attack-stores-zoom-phishing-campaign/

 

Frauds

Attack: Cybercriminals steal U.S. taxpayers’ personal data to steal stimulus checks distributed during the COVID-19 pandemic
Method: Phishing/Spear-phishing
Surface/Application: Fraudulent websites/U.S. taxpayer mailbox
Publication date: 05/06/2020
Description: Cybercriminals acquired personal data through spear-phishing campaigns or fraudulent websites imitating the Internal Revenue Service (IRS), which distributes financial support checks. Subsequently, they claimed this financial support by impersonating the victims. In response to these frauds, the IRS established a platform to report such fraudulent e-mails and websites.
Link(s):
https://www.secureworks.com/blog/cybercriminals-target-us-citizens-for-covid-19-stimulus-fraud

 

Attack: COVID-19 related phishing campaign mimics financial institutions on Instagram
Method: Phishing campaign
Surface/Application: Instagram
Publication date: 05/01/2020
Description: The attackers selected user accounts such as credit union members and pretended they had won a gift. Next, they asked them to provide their account information by text message, including their password, in order to claim the prize money. With this data recovered, the Instagram accounts could be hacked.
Link(s):
https://securityboulevard.com/2020/05/covid-19-phishing-update-scammers-impersonating-financial-institutions-on-instagram/

 

Attack: Cybercriminals send fraudulent text messages mimicking the U.K.’s digital tracking application to collect personal data
Method: Phishing
Surface/Application: Text message
Publication date: 05/12/2020
Description: Although the application developed by the NHS has still not been fully deployed in the country, British citizens received a text message claiming they had been in contact with people contaminated by COVID-19. Victims are redirected to a fraudulent website asking them to provide their personal information. Using this data, cybercriminals may commit fraud by impersonating them.
Link(s):
https://www.tradingstandards.uk/news-policy/news-room/2020/new-covid-19-app-exploited-by-fraudsters-to-scam-public

 

Useful ressources

Type of resources: The French National Commission on Informatics and Liberty (CNIL) publishes its recommendations for the implementation of telework
Target: Teleworkers
Publication date: 05/12/2020
Description: In the context of COVID-19, the CNIL has published recommendations and security measures for teleworking employees, who are increasingly victims of cyber attacks. The CNIL has particularly insisted on the security of personal data, targeted by cybercriminals, and on the security of information systems.
Link(s):
https://www.cnil.fr/fr/les-conseils-de-la-cnil-pour-mettre-en-place-du-teletravail
https://www.cnil.fr/fr/salaries-en-teletravail-quelles-sont-les-bonnes-pratiques-suivre

 

Type of resources: WHO is developing its own contact tracing application to assist countries struggling with the health crisis
Target: Developing countries
Publication date: 05/09/2020
Description: The application, which should be based on Bluetooth technology, is mainly aimed at countries that do not have the resources to develop their own digital tracking system. It will initially include a medical form to describe symptoms in order to obtain medical advice. The application should be deployed in May.
Link(s):
https://www.reuters.com/article/health-coronavirus-who-apps/who-readies-coronavirus-app-for-checking-symptoms-possibly-contact-tracing-idUSKBN22L06L

 

Type of resources: Twitter strengthens its security against COVID-19 misinformation
Target: Twitter users
Publication date: 05/13/2020
Description: Twitter is now changing its policy against information related to COVID-19 from unreliable sources. Following YouTube or Facebook’s example, the social network is planning to feature banners with warning messages, which will be rated in accordance with the level of dangerousness. Harmful message (the most important component) will be removed directly by Twitter.
Link(s):
https://www.presse-citron.net/twitter-renforce-sa-securite-contre-les-fake-news-liees-au-covid-19/

 

Other News

Country: France
Subject: Hearing of Mr. Guillaume Poupard, Director of the National Cybersecurity Agency of France (ANSSI), before the National Assembly
Publication date: 05/12/2020
Description: ANSSI’s Director General gave a presentation on the security issues surrounding the development, deployment and data collection of the French digital tracking application StopCovid.
Link(s):
https://videos.senat.fr/video.1608918_5ebaa04d6b8cd.audition-de-m-guillaume-poupard-directeur-general-de-l-agence-nationale-de-la-securite-des-systeme

 

Country: France
Subject: Two medical databases to track contacts of individuals contaminated with
COVID-19
Publication date: 05/04/2020
Description: The government plans to establish two specific medical databases: Sidep and Contact Covid. The first will contain the results of all the screening tests carried out from May 11 onwards. The second will include the list of people who have been in contact with the proven cases.
Link(s):
https://www.lesnumeriques.com/vie-du-net/sidep-et-contact-covid-le-dossier-medical-numerique-a-l-heure-du-coronavirus-n149995.html

 

Country: France
Subject: Experimental cameras deployed at Paris Châtelet-Les Halles train station to detect the use of masks on public transport
Publication date: 05/07/2020
Description: The very popular Châtelet-Les Halles train station in Paris will experiment cameras to check whether users are wearing masks. The company Datakalab, specialized in image analysis, is in charge of the project, which includes a dedicated laboratory and a dashboard to measure in real time the percentage of passengers wearing masks. Set up for 3 months to evaluate the findings, Datakalab claimed the footage would be deleted afterwards.
Link(s):
https://www.theverge.com/2020/5/7/21250357/france-masks-public-transport-mandatory-ai-surveillance-camera-software

 

Country: Italy
Subject: Thermal scanning smart helmets deployed at Rome airport to identify potential cases of COVID-19
Publication date: 05/07/2020
Description: Law enforcement officers stationed at the airport are now equipped with these helmets, which can identify people who may be infected with COVID-19 to prevent them from boarding a plane. Through a thermal scanning camera and augmented reality, these helmets can analyze the temperature of a group of people from a distance up to 16 feet.
Link(s):
https://venturebeat.com/2020/05/07/italian-airport-leads-europe-in-adopting-ar-thermal-scanning-helmets/

 

Country: Singapore
Subject: Boston Dynamics SPOT robot deployed in parks to incite people to respect social distancing measures
Publication date: 05/08/2020
Description: Equipped with cameras and a microphone, the robot can monitor gatherings and warn people not following instructions. Its built-in algorithms can detect an object or a person within 3 feet to avoid collisions. During initial trials, a park security officer accompanies the robot.
Link(s):
https://techcrunch.com/2020/05/08/boston-dynamics-spot-is-patrolling-a-singapore-park-to-encourage-social-distancing/

 

Back to the previous newsletters of CYBERSECURITY WATCH :
#1
#2 
#3
#4
#5
#6
#7
#8