COVID-19: CYBERSECURITY WATCH #10 – May 20, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert service covering the impacts and consequences of COVID-19 on cybersecurity. This watch, which may be shared freely, is intended to:

  • Identify the main threats to information systems;
  • Share the resources and tools needed to understand and prevent information-systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

To better understand the threats, each week we also do a “threat focus” on one of the reported attacks, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” covers malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructure;
  • “Fraud” covers scams and fake news;
  • “Useful Resources” lists information and tools that help in dealing with this health crisis;
  • “Other News” gathers miscellaneous items such as government measures taken in the area of cybersecurity.

 

Focus on the QNodeService Trojan

Attack: COVID-19 phishing campaign distributes the QNodeService Trojan
Method: Data theft
Target: Microsoft Windows users
Publication date: 05/14/2020
Link(s):
https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/

QNodeService is a Trojan that spreads through COVID-19-themed phishing and infects Windows systems. It is delivered by a downloader written in Java, typically named “Company PLP_Tax relief due to Covid-19 outbreak CI + PL.jar”. At the time of the report this downloader had a very low detection rate: 1/60 engines on VirusTotal. (https://twitter.com/malwrhunterteam/status/1255840193745215489)

Once executed, the downloader fetches the malware, which Trend Micro named “QNodeService” after the string “qnode-service” found in its source code. The Java downloader is obfuscated with Allatori (http://www.allatori.com). The obfuscation makes the original code harder to read (string encoding, code splitting, etc.) and adds junk code to complicate analysis. Deobfuscation remains possible.

The downloader retrieves Node.js together with the following obfuscated files:

  • wizard.js
  • qnodejs-win32-ia32.js
  • nodejs-win32-x64.js

Code analysis reveals several parameters: the domain name of the C2 (Command & Control) server, the use of user identifiers, and the word “subscription” in one of the subdomains (qhub-subscription[.]store[.]qua[.]one). This suggests the malware is sold and operated as Malware-as-a-Service. QNodeService itself is written in JavaScript and runs on Node.js, an unusual choice for malware that is most likely intended to evade antivirus detection.

Among other things, QNodeService can:

  • Download and execute files from the attacker’s server
  • Upload files to the attacker’s server
  • Steal credentials from Chrome and Firefox browsers
  • Access the file system

The malware targets Windows. However, the code design and the presence of certain components suggest that its developers are preparing cross-platform support (macOS, Linux).

For persistence, the malware adds an entry under the “Run” registry key on the victim's Windows system, so that its code is re-executed and the malware reinstalled at every logon of the user's Windows session (https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys). Indicators of compromise are provided at the end of the Trend Micro article.
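The check a responder would run on a suspect workstation is to list the Run/RunOnce autostart entries and flag those that launch a script host (node.exe, wscript, java) against a script sitting in a user-writable directory. The script below is an added example written for this newsletter; it is not Trend Micro's or digital.security's code, and it is not a substitute for the indicators of compromise in the Trend Micro article. On Windows it reads the live registry; elsewhere it runs the same heuristics over a constructed sample. The sample paths (AppData\Roaming\nodejs, ProgramData\wizard), the value names and the thresholds are assumptions made for illustration, not observed indicators; only the file names wizard.js and qnodejs-win32-ia32.js come from the report.

```python
"""Triage of Windows Run/RunOnce autostart entries for Node.js-based
persistence of the kind described for QNodeService.

Added example, not code from Trend Micro or digital.security. The sample
registry values at the bottom are constructed; the paths and value names in
them are assumptions, not indicators from the report.
"""
import re
import sys

# Registry locations checked on a live host (the keys covered by the
# Microsoft Run/RunOnce documentation cited in the text).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Heuristics (assumed, tune to your environment): a script host started at
# logon against a .js/.jar, or anything living in a user-writable directory.
SCRIPT_HOSTS = re.compile(
    r"(?:^|[\\/\s\"])(node|wscript|cscript|java|javaw)(?:\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(?:js|jar)\b", re.I)
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.I)


def classify_entry(name, command):
    """Return the list of reasons an autostart entry looks suspicious
    (empty list means nothing tripped)."""
    reasons = []
    if SCRIPT_HOSTS.search(command) and SCRIPT_EXT.search(command):
        reasons.append("script host launching a .js/.jar file at logon")
    if USER_WRITABLE.search(command):
        reasons.append("program or script under a user-writable path")
    if "qnode" in (name + command).lower():
        reasons.append("contains the 'qnode' string seen in the malware's code")
    return reasons


def suspicious_run_entries(entries):
    """entries: iterable of (hive, key, value_name, command) tuples.
    Returns the entries that trip at least one heuristic, with reasons."""
    findings = []
    for hive, key, name, command in entries:
        reasons = classify_entry(name, command)
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "command": command, "reasons": reasons})
    return findings


def collect_run_entries():
    """Read every value under the Run/RunOnce keys of the live registry.
    Windows only (uses the standard-library winreg module)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    entries.append((hive, path, name, str(value)))
                    index += 1
        except OSError:
            continue  # key absent or not readable with current rights
    return entries


# Constructed sample (not real indicators): one benign vendor entry and two
# entries shaped like the persistence the report describes, i.e. Node.js
# launched against a dropped script.
SAMPLE_ENTRIES = [
    ("HKCU", RUN_KEYS[0][1], "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("HKCU", RUN_KEYS[0][1], "qnodejs-win32-ia32",
     r'"C:\Users\alice\AppData\Roaming\nodejs\node.exe" '
     r'"C:\Users\alice\AppData\Roaming\qnodejs-win32-ia32.js"'),
    ("HKLM", RUN_KEYS[2][1], "Updater",
     r"C:\ProgramData\wizard\node.exe C:\ProgramData\wizard\wizard.js"),
]

if __name__ == "__main__":
    entries = collect_run_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for finding in suspicious_run_entries(entries):
        print(f"[{finding['hive']}] {finding['name']}: {finding['command']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run it as the logged-on user and again elevated: the HKCU key of the infected account is only visible from that user's session, and HKLM\...\Run may not be readable without administrative rights. A hit is a lead to examine the referenced script, not a verdict; compare the file against the hashes and domains in the Trend Micro indicators before acting.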

 

Threats

Attack: Two British companies involved in building emergency hospitals for the COVID-19 pandemic have been hit by cyberattacks
Method: Ransomware attack/data theft
Target: Information systems/database
Publication date: 05/13/2020
Description: According to their respective spokespersons, BAM Construct was hit by a ransomware attack, which it contained by taking a number of its servers offline, and Interserve suffered a major data breach that may have compromised a human-resources database covering nearly 100,000 employees.
Link(s):
https://www.infosecurity-magazine.com/news/covid19-hospital-construction/

 

Attack: Cyberattacks target European supercomputers used in COVID-19 research
Method: Cryptocurrency mining malware
Target: European academic institutions’ supercomputers
Publication date: 05/11/2020
Description: To limit the spread of these attacks, the affected supercomputers were disconnected from the network. None of the organizations has published details of the intrusions, but the CSIRT of the European Grid Infrastructure (EGI) released malware samples from some of the incidents. Analysis of these samples by the security company Cado Security indicates that the attackers gained access to the clusters through compromised SSH credentials.
Link(s):
https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency/ 

 

Attack: Microsoft alerts about a new COVID-19 themed phishing campaign, spreading the LokiBot Trojan
Method: Phishing
Target: Public and private entities
Publication date: 05/13/2020
Description: Among other targets, this campaign goes after employees of the Centers for Disease Control and Prevention (CDC). The Trojan steals passwords saved by browsers and applications and exfiltrates them to a remote server, from which the attackers retrieve them later. Microsoft said it detected the attack with the help of Microsoft Threat Protection's machine-learning models.
Link(s):
https://twitter.com/MsftSecIntel/status/1260610853755170817
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-covid-19-phishing-spreading-info-stealing-malware/

 

Fraud

Attack: Cybercriminals pose as a French government financial-aid scheme
Method: Phishing/data theft
Surface/Application: Fake government website
Publication date: 05/11/2020
Description: Using COVID-19 lures, cybercriminals have set up a fake French government website that copies the visual identity of official communications and claims to give access to a financial-aid measure. The site asks victims to enter personal and bank details in order to receive the aid.
Link(s):
https://cyberguerre.numerama.com/5065-phishing-des-cybercriminels-ont-fait-miroiter-une-fausse-aide-financiere-du-gouvernement-francais.html

 

Attack: Cybercriminals mimic Indian government aid
Method: Phishing/data theft
Surface/Application: Fake government website
Publication date: 05/15/2020
Description: After Indian Prime Minister Narendra Modi announced economic relief packages on national television in response to the COVID-19 pandemic, cybercriminals launched a large phishing campaign. Victims were directed to a fake website copying the official one and asked to enter their bank account details.
Link(s):
https://www.freepressjournal.in/mumbai/amid-lockdown-cyber-frauds-target-victims-with-rs-15k-offer-from-pms-relief-package

 

Attack: Fraudulent sale of stolen password information targets Twitter users
Method: Fraudulent sale of information
Surface/Application: Twitter
Publication date: 05/14/2020
Description: On Twitter, cybercriminals offer to help individuals find out whether their passwords have been leaked online. COVID-19 lures are used to lend legitimacy and visibility to the posts. The scammers have reportedly collected thousands of euros this way.
Link(s):
https://info.phishlabs.com/blog/covid-19-phishing-update-threat-actors-on-twitter-want-you-to-pay-for-your-stolen-passwords

 

Attack: DocuSign-themed phishing campaign steals teleworkers' credentials
Method: Phishing
Surface/Application: Microsoft Office 365
Publication date: 05/08/2020
Description: Attackers send fake DocuSign-branded notifications to mislead their victims. The notification invites users to read a COVID-19-related document without specifying its nature. The link in the message goes through three redirections to evade simple detection of malicious URLs in e-mail, and the final site hosts a fake DocuSign login page that captures user credentials.
Link(s):
https://abnormalsecurity.com/blog/abnormal-attack-stories-docusign-phishing/

 

Useful Resources

Type of resources: Microsoft open-sources part of its COVID-19 cyber threat data
Target: Cybersecurity professionals
Publication date: 05/14/2020
Description: Some of these indicators of compromise are now available in the Azure Sentinel GitHub repository and through the Microsoft Graph Security API. Microsoft notes, however, that access is temporary and that the feed will be withdrawn once the peak of the outbreak has passed.
Link(s):
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/

 

Type of resources: Interpol launches awareness campaign on COVID-19 cyberthreats
Target: Public and private entities
Publication date: 05/06/2020
Description: #WashYourCyberHands is a month-long campaign promoting good cyber-hygiene practices. It opened with the release of an overview of COVID-19-related cyberthreats that presents the main threats, expected trends and the preventive measures to adopt.
Link(s):
https://www.interpol.int/fr/Actualites-et-evenements/Actualites/2020/INTERPOL-launches-awareness-campaign-on-COVID-19-cyberthreats
https://www.interpol.int/Crimes/Cybercrime/COVID-19-cyberthreats

 

Other News

Country: International
Subject: Nvidia launches its “Clara Guardian” artificial-intelligence platform
Publication date: 05/14/2020
Description: The platform helps health researchers, technology providers and hospitals to contain the spread of infectious diseases, including COVID-19. It is currently being tested in about 50 hospitals in France, Italy and China.
Link(s):
https://nvidianews.nvidia.com/news/nvidia-expands-nvidia-clara-adds-global-healthcare-partners-to-take-on-covid-19

 

Country: Europe
Subject: ETSI develops a standardization framework for interoperable European digital contact-tracing applications
Publication date: 05/12/2020
Description: The European standards body ETSI will develop a standardization framework enabling interoperable systems that automatically trace contacts and notify users who may have been exposed to COVID-19. One of the main challenges is collecting, processing and using information about EU citizens without compromising their anonymity and privacy, while also protecting them from potential cyberattacks.
Link(s):
https://www.etsi.org/newsroom/press-releases/1768-2020-05-new-etsi-group-to-develop-standardization-framework-for-secure-smartphone-based-proximity-tracing-systems-helping-to-break-covid-19-transmission-chains

 

Country: France
Subject: The French Data Protection Authority (CNIL) approves the follow-up of COVID-19 patients through the future Sidep and Contact Covid medical databases
Publication date: 05/12/2020
Description: Olivier Véran, Minister of Solidarity and Health, referred to the CNIL the draft text on identifying persons infected with, or likely to have been exposed to, COVID-19. The CNIL considers the data collection provided for in the draft decree relevant to its stated goals, and recalls that under the principle of data minimization only strictly necessary data may be collected.
Link(s):
https://www.cnil.fr/sites/default/files/atoms/files/2020-051-urgence-sanitaire.pdf

 

Country: France
Subject: Roissy-Charles de Gaulle airport is experimenting with thermal cameras to detect potential cases of COVID-19
Publication date: 05/15/2020
Description: To detect COVID-19-infected passengers, the management of Roissy-Charles de Gaulle airport has announced the installation of 12 thermal cameras at the arrival points of international flights. The cameras detect passengers with a fever, who will then be invited to a medical consultation during which a doctor can propose further screening.
Link(s):
https://www.usine-digitale.fr/article/covid-19-l-aeroport-de-roissy-s-equipe-de-cameras-thermiques-pour-detecter-les-passagers-fievreux.N964851

 

Country: United Kingdom
Subject: Documents relating to the National Health Service's (NHS) future COVID-19 contact-tracing app were inadvertently left publicly accessible on Google Drive
Publication date: 05/13/2020
Description: These documents concern the application's development and functionality. However, the vast majority of the documents they reference are not public and cannot be accessed without approval.
Link(s):
https://www.wired.co.uk/article/nhs-covid-19-app-health-status-future

 
