COVID-19: CYBERSECURITY WATCH #13 – June 18, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on Anubis and SpyNote Trojans

Attack: Twelve fraudulent Android applications copy legitimate digital tracking applications to spread malware and steal banking credentials and personal data
Method: Fraudulent applications
Target: General public/Android users
Publication date: 06/10/2020
Link(s):
https://www.anomali.com/blog/anomali-threat-research-identifies-fake-covid-19-contact-tracing-apps-used-to-monitor-devices-steal-personal-data

Many governments are now using smartphones applications able to detect a user’s contact with other people and to report whether one of them is carrying the coronavirus (contact tracing).

Indeed, malicious actors took advantage of it and fake official applications have been created and distributed through websites, other applications or third party Android application stores. They used to deliver and execute malicious code to steal personal and banking data.

Researchers at Anomali Threat Research (ATR) have discovered a malicious replica of the Brazilian government’s official COVID-19 “Coronavirus – SUS” tracking application. The application is similar to the official one but it also includes a number of malicious features. When the application is first started, it requests authorization to activate the accessibility service. If the victim agrees, the “Anubis” banking Trojan is now active; the application runs in the background and its icon disappears from the application drawer. Then the malicious features are enabled. These allow to record phone calls, to access the contact list, the location service or to consult SMS messages and to custom injections to a broad selection of banking and social network applications in order to steal connection information.

The ATR has also found a clone of the Indonesian COVID-19 tracking application “PeduliLindungi”. In this case, the malicious program is straight embedded in the legitimate application. Once launched, it is installed on the system while the “SpyNote” Trojan is hidden from the application drawer. Thus, the victim’s smartphone activity is monitored, calls and SMS messages can be made/sent from the infected phone.

The ATR have identified a dozen similar applications and more remain to be discovered. Malicious actors take advantage of the popularity of the applications from government agencies and the trust of potential victims, but these same actors, abusing the COVID-19 pandemic, practice many other forms of attacks or frauds. It has been the subject of many attacks and scams.

The IOCs related to the malware analyzed have been published by ATR at the end of the blog post.

 

Threats

Attack: A phishing campaign relies on the increased use of VPNs during the health crisis to steal corporate credentials
Method: Phishing
Target: Public and private entities
Publication date: 06/03/2020
Description: Cybercriminals impersonated the IT support departments of targeted organizations to convince their employees to update their VPN configuration. Fraudulent e-mails link to fake Office 365 login pages, allowing attackers to steal their victims’ corporate credentials.
Link(s):
https://abnormalsecurity.com/blog/abnormal-attack-stories-vpn-impersonation-phishing/

 

Attack: The South African hospital group Life Healthcare hit by a cyberattack
Method: Currently unknown
Target: Hospital information systems
Publication date: 06/09/2020
Description: The group reported that patient care was not impacted but that hospital admission systems, business management systems and mail servers were affected by the attack. However, the extent to which sensitive data was compromised remains to be determined.
Link(s):
https://www.lifehealthcare.co.za/news-and-info-hub/latest-news/life-healthcare-announces-cyber-incident/

 

Frauds

Attack: A COVID-19 spear-phishing campaign targets multinational companies supplying medical protection equipment to Germany
Method: Spear-Phishing
Surface/Application: Fraudulent website
Publication date: 06/08/2020
Description: More than 100 executives have been targeted by fraudulent e-mails redirecting to fake Microsoft login pages designed to steal their login credentials. Once the data was acquired, it was exported to Russian Yandex e-mail accounts and made it possible for cybercriminals to collect confidential information and carry out new attacks.
Link(s):
https://securityintelligence.com/posts/german-task-force-for-covid-19-medical-equipment-targeted-in-ongoing-phishing-campaign/

 

Attack: A phishing campaign targets UK self-employed workers receiving public financial support in the context of the COVID-19 pandemic
Method: Phishing
Surface/Application: fraudulent text message
Publication date: 06/09/2020
Description: Cybercriminals impersonated Her Majesty’s Revenue and Customs (HMRC) and claimed that their targets were eligible for a tax refund. Victims were then redirected to a fraudulent website mimicking the official version and were asked to provide personal information and their bank account details.
Link(s):
https://www.griffin.law/fraudsters-target-self-employed-seeking-covid-19-income-support/

 

Attack: Cybercriminals send fraudulent COVID-19-themed resumes spreading malware and stealing data
Method: Phishing
Surface/Application: Mailbox
Publication date: 06/09/2020
Description: This phishing campaign relies on fake applications for health manager roles within the targeted organizations. The fraudulent resumes claim to originate from China and consist of an ISO file that releases a malicious EXE file, which allow the malware to run on the victim’s device.
Link(s):
https://blog.checkpoint.com/2020/06/04/coronavirus-update-not-the-type-of-cv-youre-looking-for/

 

Useful ressources

Type of resources: The European Commission introduces an action plan to tackle disinformation related to COVID-19
Target: General public/Social network
Publication date: 06/10/2020
Description: This action plan is focused on a collective awareness about the misinformation related to COVID-19. The priority measures identified such as public awareness, the cooperation between international institutions and the adherence of social networks to the “Code of Practice on Disinformation” will serve as a basis for future EU work on disinformation.
Link(s): https://ec.europa.eu/commission/presscorner/detail/en/ip_20_1006
https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1591873061977&uri=CELEX:52020JC0008

 

Type of resources: Google Maps adds new features alerting users about travel restrictions related to COVID-19
Target: General public
Publication date: 06/08/2020
Description: These alerts indicate if user travel is safe and compliant with COVID-19 restrictions such as wearing a mask, keeping safe distances and respecting cross-border travel. Alerts are also sent to users regarding the rules adopted by COVID-19 testing facilities. This new feature in Google Maps is filled with information shared by users.
Link(s):
https://blog.google/products/maps/get-around-safely-these-new-google-maps-features/

 

Type of resources: The FDPA sets up a FAQ regarding the French StopCovid app
Target: General Public
Publication date: 06/05/2020
Description: In order to raise public awareness of the functioning of the StopCovid app, the FDPA has drawn up a series of twelve questions to which it provides answers based on existing legislation. Most of them deal with the processing and storage of personal data and the users’ rights if they want to remove the application from their phone.
Link(s): https://www.cnil.fr/fr/lapplication-mobile-stopcovid-en-questions

 

Other News

Country: Germany
Subject: UAVs deliver COVID-19 test samples to laboratories
Publication date: 06/04/2020
Description: Organized by the company Quantum-Systems GmbH and the Becker & Kollegen laboratory, the first test flight demonstrated how fast UAVs can deliver test samples. Over a flight distance of 3,9 miles, the UAV transported 20 samples in 7 minutes, up to 8-12 times faster than traditional methods. Another interesting point in the current pandemic is that UAVs delivery system is contactless.
Link(s):
https://dronelife.com/2020/06/04/drone-delivery-for-coronavirus-in-germany/

 

Country: United States
Subject: The University of Kansas will test the “CvKey” application to control student access to the campus
Publication date: 06/04/2020
Description: This application allows users to carry out an auto-diagnostic of their health status.  It generates a QR code indicating whether students are in good health and can be allowed to access to the campus buildings. Similar initiatives are also ongoing at the Universities of Arizona, Alabama and Wisconsin.
Link(s):
https://news.ku.edu/2020/06/04/university-kansas-partner-nonprofit-cvkey-project-pilot-new-app-developed-assist

 

Country: France
Subject: The FDPA starts its audits of the StopCovid app, SI-DEP and Contact Covid databases.
Publication date: 06/04/2020
Description: This series of audits have been decided at the FDPA’s public hearing before the National Assembly on May 5, 2020. Those controls will concern the processing of personal data collected by the application. In the event of proven risks to users’ rights, corrective measures and sanctions may be implemented.
Link(s):
https://www.cnil.fr/fr/si-dep-contact-covid-et-stopcovid-la-cnil-lance-sa-campagne-de-controles

 

Back to the previous newsletters of CYBERSECURITY WATCH :