COVID-19: CYBERSECURITY WATCH #14 – July 3, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) is running a monitoring and alert service dedicated to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to understand and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we also publish a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on the IcedID Banking Malware

Attack: A phishing campaign using COVID-19 lures spreads the IcedID banking malware
Method: Phishing
Target: Banking and financial services
Publication date: 06/18/2020
Link(s):
https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware

Cybercriminals have distributed fraudulent e-mails carrying an attachment loaded with malware that lets them steal financial information. Researchers at Juniper Threat Labs found it to be a new version of the IcedID banking malware.

This new variant changes its obfuscation tactics: it installs itself through a legitimate mechanism and uses steganography to download its components, thereby evading detection.

The attack starts with a COVID-19-themed phishing e-mail carrying a malicious Word file attachment.

Once the malicious code is executed, it deploys a loader that relies on obfuscation to evade antivirus products. The loader downloads the malware’s module and configuration using detection-evasion techniques such as steganography, contacting a malicious domain like “siffersniffer[.]best”. It blends its network activity with normal traffic by also reaching legitimate domain names such as “support.microsoft.com” or “support.apple.com”, so that its actions look less suspicious.

To achieve persistence, the malware creates a scheduled task that runs at regular intervals.

Once the “IcedID” Trojan has its full capabilities, it uses a Windows installation manager to get installed in a legitimate way, and therefore appears as a normal application.

Next, it generates an SSL certificate to handle HTTPS communications, creates a proxy and hooks the running web browsers.

In this way it monitors browser activity related to financial transactions on sites such as Amazon.com, eBay, T-Mobile or American Express, in order to steal banking data in real time.

Malicious actors exploit the expected communication campaigns from government agencies and the trust of potential victims; the same actors abuse the COVID-19 pandemic for many other forms of attack and fraud, and the pandemic has been the pretext for a large number of them.

Juniper Threat Labs has listed the IOCs related to the malware in its article.
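A first thing a SOC analyst would do with the focus above is hunt the quoted network indicator in proxy or DNS logs, while deliberately not alerting on the legitimate domains the loader uses as camouflage. The script below is an added illustration written for this bulletin; it is neither CERT-DS nor Juniper code. The only indicator it uses is the defanged domain quoted above; the log format and the log lines are constructed for the example.

```python
"""Added example (not from the CERT-DS bulletin or Juniper's article): match a
defanged network indicator against proxy log lines, the way a SOC would hunt
for the download activity of the IcedID loader described in the focus."""
import re
from typing import Iterable, List, Tuple

# Indicator quoted in the bulletin, kept in its defanged form.
DEFANGED_IOCS = ["siffersniffer[.]best"]

# Domains the bulletin says the loader contacts to blend in with normal
# traffic. They are NOT indicators on their own; they are listed only so the
# scan can count and deliberately ignore them.
BENIGN_COVER_DOMAINS = {"support.microsoft.com", "support.apple.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a usable hostname or URL."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp://", "http://")
                     .replace("hxxps://", "https://"))


def host_matches(host: str, ioc_domain: str) -> bool:
    """True when host equals the IoC domain or is a subdomain of it.
    A plain substring test would also hit e.g. 'notsiffersniffer.best'."""
    host = host.lower().rstrip(".")          # tolerate a trailing FQDN dot
    ioc_domain = ioc_domain.lower()
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed proxy log format (an assumption, not a real product's format):
# "<timestamp> <client_ip> <host> <http_status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines: Iterable[str],
                   defanged_iocs: List[str] = DEFANGED_IOCS
                   ) -> Tuple[List[Tuple[str, str, str]], int]:
    """Return (hits, cover_traffic).

    hits: (client, host, ioc) for every line whose host matches a refanged IoC.
    cover_traffic: number of requests to the legitimate cover domains, which
    are skipped so they never generate an alert by themselves."""
    iocs = [refang(i) for i in defanged_iocs]
    hits: List[Tuple[str, str, str]] = []
    cover = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                 # malformed line: skip, do not abort the hunt
        host = m.group("host")
        if host.lower().rstrip(".") in BENIGN_COVER_DOMAINS:
            cover += 1
            continue
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((m.group("client"), host, ioc))
                break
    return hits, cover


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2020-06-18T10:02:11Z 10.0.0.5 support.microsoft.com 200",
    "2020-06-18T10:02:12Z 10.0.0.5 cdn.siffersniffer.best 200",
    "2020-06-18T10:02:13Z 10.0.0.7 notsiffersniffer.best 200",
    "2020-06-18T10:02:14Z 10.0.0.5 support.apple.com 200",
    "2020-06-18T10:02:15Z 10.0.0.9 siffersniffer.best. 200",
    "this line is garbage",
]

if __name__ == "__main__":
    found, ignored = scan_proxy_log(SAMPLE_LOG)
    for client, host, ioc in found:
        print(f"ALERT client={client} host={host} matches indicator {ioc}")
    print(f"{ignored} request(s) to cover domains ignored")
```

The subdomain-aware comparison matters in practice: loaders frequently stage payloads on arbitrary subdomains of a registered domain, while a naive substring match would both miss nothing and flag unrelated look-alike domains, so a suffix match on a label boundary is the right primitive for hostname indicators.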

 

Threats

Attack: Cybercriminals mimic Canada’s upcoming digital tracing application to deliver the CryCryptor ransomware
Method: Fraudulent Android application
Target: General public/Android users
Publication date: 06/24/2020
Description: This fraudulent application is distributed from websites imitating that of Health Canada. Once launched, CryCryptor encrypts the data on the targeted device and drops a “readme” file that displays the cybercriminals’ e-mail address. ESET researchers created an application to decrypt the affected files, and the Canadian Centre for Cyber Security shut down the fraudulent websites.
Link(s):
https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/

 

Attack: The Philadelphia hospital group Crozer-Keystone Health System falls victim to the Netwalker ransomware
Method: Data theft
Target: Crozer-Keystone Health System IT infrastructure
Publication date: 06/19/2020
Description: The healthcare system was asked to pay a ransom in Bitcoin in exchange for its stolen data, which mostly concerned finances. The cybercriminals used screenshots as evidence and threatened to leak the information if the group did not buy it back within six days. According to Crozer-Keystone, its IT team quickly identified the attack and remediated the impacted systems.
Link(s):
https://www.databreaches.net/pennsylvania-health-system-hit-by-netwalker-ransomware/
https://cointelegraph.com/news/ransomware-gang-auctions-off-us-healthcare-data-for-bitcoin

 

Attack: Several phishing campaigns using COVID-19 lures target industries to deliver ransomware
Method: Phishing
Target: Industries in the United States, France, Germany, Greece and Italy
Publication date: 06/25/2020
Description: Proofpoint researchers have observed an increase in phishing campaigns delivering ransomware as the first-stage payload. Some of them, such as the Mr. Robot and Philadelphia ransomware, rely on COVID-19 lures. The former is distributed by e-mails imitating U.S. companies’ health departments and encouraging targets to click on a link to get their COVID-19 test results. The latter targets German companies with e-mails imitating the federal government and claiming that their facility must close due to the health crisis. If the victim follows these fraudulent links, the ransomware is installed directly.
Link(s):
https://www.proofpoint.com/us/blog/security-briefs/ransomware-initial-payload-reemerges-avaddon-philadelphia-mr-robot-and-more

 

Frauds

Attack: Possible COVID-19 phishing campaign by North Korean cybercriminals targets several countries
Method: Phishing/Identity theft
Surface/Application: Mailbox
Publication date: 06/18/2020
Description: CYFIRMA cybersecurity researchers have warned about a possible COVID-19-themed phishing campaign operated by the North Korean hacker group “Lazarus”. More than five million individuals and companies are reportedly targeted in several countries, including Singapore, Japan, the United Kingdom and the United States. The fraudulent e-mails impersonate governments or other authorities that are financially supporting companies during the COVID-19 pandemic, in order to steal personal and financial information.
Link(s):
https://www.cyfirma.com/early-warning/global-covid-19-related-phishing-campaign-by-north-korean-operatives-lazarus-group-exposed-by-cyfirma-researchers/
https://www.csa.gov.sg/singcert/advisories/ad-2020-005

 

Attack: Cybercriminal group Kerala Cyber Warriors obtained data on 80,000 COVID-19 patients in New Delhi
Method: Data leak
Surface/Application: Delhi State Health Mission website
Publication date: 06/27/2020
Description: On their Facebook page, the cybercriminals claimed to have gathered information including patients’ clinical status, address and age. The group stated that it had tried to inform the local government about the server’s extensive vulnerabilities but had received no response. It also posted a YouTube video protesting India’s handling of the health crisis.
Link(s):
https://www.eastcoastdaily.in/2020/06/27/kerala-cyber-warriors-hacked-health-mission-website.html
https://www.facebook.com/KeralaCyberWarriors/posts/1581437572026269

 

Attack: Employees targeted by a phishing campaign claiming to provide COVID-19 hygiene training
Method: Phishing
Surface/Application: Teleworkers
Publication date: 06/25/2020
Description: A phishing campaign exploited employees’ gradual return to the office to steal confidential information. Cybercriminals sent fake COVID-19 training resources describing new workspace measures, and employees were prompted to click on fraudulent links to register for training sessions.
Link(s):
https://www.cybertalk.org/2020/06/25/a-surprising-coronavirus-phishing-scheme-that-employees-actually-fall-for/

 

Attack: Personal and medical data of COVID-19 patients in Indonesia are sold on the darknet
Method: Data Leak
Surface/Application: Indonesian government database
Publication date: 06/21/2020
Description: Sold for 300 dollars, the data includes the name, address, phone number and COVID-19 test results of patients treated in several hospitals in Bali. According to the local newspaper Kompas, the seller also holds data on patients in Jakarta and Bandung.
Link(s):
https://cybleinc.com/2020/06/21/230k-indonesian-covid-19-patients-personal-information-leaked-in-the-darknet/
https://www.thejakartapost.com/news/2020/06/20/hacker-allegedly-breaches-govt-database-on-covid-19-test-takers.html

 

Useful Resources

Type of resource: The French Association for Health Information System Security (APSSIS) reviews the various cyberattacks targeting healthcare institutions during the COVID-19 pandemic
Target: General public
Publication date: 06/08/2020
Description: This overview mainly covers phishing attacks, such as fraudulent e-mails, fake media scams, fraudulent bank transfer orders and massive spam campaigns. The APSSIS also warns about the conditions under which telework is implemented, which can become an attack vector if workstations are poorly secured.
Link(s):
https://www.apssis.com/actualite-ssi/429/covid-19-et-les-quarante-voleurs.htm

 

Other News

Country: Singapore
Subject: The government delivers mobile devices to seniors to trace contacts with confirmed COVID-19 cases
Publication date: 06/29/2020
Description: These Bluetooth-based wearables carry a unique QR code and exchange information with other devices and with smartphones running the “Trace Together” digital tracing app. In the event of prolonged contact with a confirmed COVID-19 case, users are alerted by the Ministry of Health, and the data is extracted from the device and handed over to an authorized agent.
Link(s):
https://www.zdnet.com/article/singapore-issues-covid-19-contact-tracing-wearables-to-vulnerable-seniors/

 

Country: France
Subject: The Government provides an update on the launch of StopCovid
Publication date: 06/23/2020
Description: Faced with the application’s low download figures (1.9 million users) and the low number of notifications issued (14 notifications), the government said it would work on solutions to increase the usage rate, including field surveys. In addition to a low-cost deployment of StopCovid, the government said the application would soon be interoperable with other European solutions through a contact tracing protocol called DESIRE.
Link(s):
https://www.zdnet.fr/actualites/stopcovid-beaucoup-de-bruit-pour-14-notifications-39905641.htm
https://www.economie.gouv.fr/direct-video-conference-presse-sur-application-stopcovid-23-juin#

 

Country: Norway
Subject: Norway suspends its Smittestopp contact tracing application
Publication date: 06/17/2020
Description: This decision was taken after the data protection authority, Datatilsynet, pointed out several significant infringements of privacy. All data collected so far has been deleted and users will no longer receive notifications. The health authorities do not recommend uninstalling the application, so that it can be reactivated later once a new solution is implemented.
Link(s):
https://www.numerama.com/politique/631041-la-norvege-suspend-son-stopcovid-national-et-efface-toutes-les-donnees-collectees.html

 

Country: United Kingdom
Subject: London finally turns to the Apple and Google API for its digital tracing app
Publication date: 06/18/2020
Description: The solution initially adopted by the government used Bluetooth to track the contacts of infected individuals, but it could not detect Apple smartphones: iOS prevents third-party applications from running in the background and broadcasting Bluetooth signals. The app was initially expected to be available in mid-May after a trial on the Isle of Wight. The new one is expected by this fall.
Link(s):
https://www.bbc.com/news/technology-53095336

 

Country: Japan
Subject: A few days after its launch, the Japanese digital tracing app is halted following a bug
Publication date: 06/23/2020
Description: Individuals who have tested positive are assigned treatment numbers that the application uses to confirm they are infected. However, the app also accepted reference numbers not issued by the Ministry of Health or other public authorities. This issue apparently did not generate false alerts, as individuals entering non-existent treatment numbers are not considered by the application to have tested positive.
Link(s):
https://www.japantimes.co.jp/news/2020/06/23/national/bugs-japan-virus-contact-tracing-app/

 
