COVID-19: CYBERSECURITY WATCH #15 – July 21, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on Bazar loader and backdoor 

Attack: The new loader and backdoor Bazar takes advantage of the COVID-19 pandemic to deploy malware and steal sensitive data
Process: Phishing campaign
Target: Private entities in the United States and Europe, including the medical and industrial sectors
Publication date: 07/16/2020
Link(s):
https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles  

Description:

Bazar (also known as Team9) is a new family of malware that first appeared in April 2020 and has been on an ongoing evolution. This malware might be a successor to TrickBot like Anchor. As Bazaar has been in active development, campaigns have disappeared and reappeared later with a new version of the malware.

Bazar uses the Twilio SendGrid e-mail platform and evades traditional security software by abusing the trust of certification authorities, just like the previous Trickbot loaders. This loader, however, uses EmerDNS domains (.bazar, hence the name) for command and control and is heavily obfuscated. It also uses anti-scan techniques to counteract automated and manual analyses and loads the encrypted backdoor only into memory.

Process:

Bazar is deployed through phishing campaigns involving COVID-19 lures, customer complaints or employee salary reports. Bazar e-mails contain links to previews of Google Docs documents whereas common campaigns usually use malicious attachments to launch Microsoft Office macros.

When users access Google Docs, they are prompted to download the file. In order to encourage the user to download the document, the page states that the preview is not available.

The downloaded file is a double-extended executable (such as PreviewReport.DOC.exe or Preview.PDF.exe) using the Word and PDF icons.Since Windows does not display the default file extensions, most users will see “PreviewReport.DOC” or “Preview.PDF” and open them as legitimate Word and PDF documents.

After a victim launches the downloaded file, the loader goes into standby mode for a short period, and then connects to the Command and Control (C&C) servers to register and download the malicious load.

Bazaar is then used to deploy additional malware, ransom software, and ultimately steal sensitive data from organizations.

 

Threats

Attack: The APT29 group is accused of stealing intellectual property related to the COVID-19 from universities and pharmaceutical businesses in the US, the UK and Canada
Method: “WellMess” and “WellMail” malware
Target: Pharmaceutical businesses, academic institutions and universities
Publication date: 07/16/2020
Description: According to the three countries’ security agencies, the hacking group APT29 linked to the Russian intelligence services attempted to break into the computer network of universities and research centers working on vaccines against COVID-19. Also known as “Cozy Bear”, the group used custom malware to target VPNs and conducted spear-phishing campaigns to obtain authentication credentials. The IOCs are available as an appendix to the NCSC publication.
Link(s):
https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development  

 

Frauds

Attack: Cybercriminals mimic “impôts.gouv” in a phishing campaign using a deconfinement grant as a lure
Method: Phishing/Identity theft
Surface/Application: Mailbox
Publication date: 07/06/2020
Description: Attackers spoofed the Public Finances general Directorate’ identity to steal confidential data. By sending a text message from “ImpotFrance” containing a fake file reference number, the victims were prompted to click on a Bitly link leading to a fraudulent website. Once opened, a form is displayed to apply for a grant. Victims are encouraged to fill in their personal information and their bank details.
Link(s):
https://cyberguerre.numerama.com/6031-bourse-de-deconfinement-ne-cliquez-pas-sur-ce-phishing-par-sms-qui-se-fait-passer-pour-les-impots.html#

 

Attack: Cybercriminals mimic officials from the U.S. Federal Trade Commission (FTC) in a COVID-19 themed phishing campaign
Method: Phishing
Surface/Application: Mailbox
Publication date: 06/30/2020
Description: The fraudulent e-mails claim to provide financial aid related to the health crisis to trick victims into providing their personal and financial information. The FTC provides a link to an informative page on phishing prevention and reminds that it never ask for this type of information by e-mail, SMS or through social networks.
Link(s):
https://www.consumer.ftc.gov/blog/2020/06/fake-emails-about-fake-money-fake-covid-19-fund

 

Attack: Phishing campaign mimics Zoom notifications to steal Microsoft Office 365 credentials of employees
Method: Phishing campaign
Surface/Application: Microsoft Office 365
Publication date: 07/08/2020
Description: This phishing campaign impersonates Zoom’s automated notifications to steal Microsoft Office 365 credentials. Attackers prompted victims into clicking on a fraudulent link in order to reactivate their Zoom account. This link reroutes them to a fake Microsoft login page hosted on another domain.
Link(s):
https://abnormalsecurity.com/blog/abnormal-attack-stories-spoofed-zoom-attack/

 

Attack: A phishing campaign impersonate the U.S. Internal Revenue Service (IRS) to steal Microsoft accounts credentials
Method: Phishing
Surface/Application: Mailbox
Publication date: 07/09/2020
Description: The fraudulent e-mails pretend that their targets can get tax relief due to COVID-19 to encourage them to open an HTML attachment redirecting to a fake Microsoft login website. Once the victim’s credentials are acquired, a PHP script sends them back to the cybercriminals.
Link(s):
https://cofense.com/new-covid19-microsoft-phish-abuse-185-act-steal-credentials/

 

Useful ressources

Type of resources: LinkedIn shares free courses on digital skills to mitigate the economic impact of the COVID-19 pandemic
Target: General public/Public and private entities
Publication date: 06/30/2020
Description: As part of the Global Skill Initiative launched by Microsoft, LinkedIn shares free e-learning courses for the 10 most sought-after jobs on their platforms. Regarding digital skills, the social network provides training to become software developer, to work in Information system departments and to use remote collaboration tools such as Microsoft Teams, Google Drive or Excel Online.
Link(s):
https://blog.linkedin.com/2020/june/30/helping-25-million-job-seekers-get-back-to-work

 

Type of Resources: France’s Fraud and Scam National Task Force publishes a prevention guide on deconfinement and on COVID-19 related threats
Target: Companies/individuals
Publication date: 07/02/2020
Description: The French government services and supervisory authorities have joined forces to create a Task Force to combat fraud in the context of COVID-19. In order to ensure that companies can recover their activities with confidence, this guide helps identify the main frauds related to the health crisis. It contains preventive sheets on the different types of phishing campaigns and on hydroalcoholic gels regulations.
Lien(s) :
https://www.economie.gouv.fr/dgccrf/la-task-force-nationale-de-lutte-contre-les-fraudes-et-escroqueries-se-mobilise-et-propose

 

Type of resources: In the face of widespread teleworking, the NSA provides a guide to secure IPsec VPNs
Target: Network Administrators / Federal and Private Sector
Publication date: 07/01/2020
Description: This guide provides specific guidelines to secure private networks by emphasizing the importance of strong cryptography. It also presents detailed technical documents that provide to network administrators configuration examples for the main market’s equipment.
Link(s): https://twitter.com/NSACyber/status/1278707519658041345

 

Type of resources: The U.K.’s National Cyber Security Centre (NCSC) launches and exercise to help companies secure teleworking
Target: Private entities
Publication date: 07/13/2020
Description: This new « Home and Remote Working” exercise is designed to help companies test their cyber resilience when working from home. It focuses on three key topics: securing employee access to the network, adopting the necessary services for secure remote collaboration and managing an IT incident remotely. This exercise is part of the NCSC’s “Exercise in a Box toolkit”, which helps companies test their response to a cyberattack.
Link(s):
https://www.ncsc.gov.uk/news/businesses-helped-keep-home-workers-secure-with-cyber-exercise

 

Other News

Country: France
Subject: The French Data Protection Authority (CNIL) publishes the results of its controls on the Stop Covid digital tracing app
Publication date: 07/20/2020
Description: The CNIL found that the latest version of the application essentially complies with the GDPR and the legislation on Information technology and freedoms. However, it highlights certain shortcomings regarding the disclosure of information on the operation of the application, the subcontractor’s obligations and the results of the impact assessment on data protection carried out by the Ministry for Solidarity and Health. Consequently, the CNIL has served formal notice on the latter to remedy the situation.
Link(s):
https://www.cnil.fr/fr/application-stopcovid-la-cnil-tire-les-consequences-de-ses-controles

 

Country: International
Subject: Microsoft has taken control of domains used in COVID-19-themed phishing campaigns
Publication date: 07/07/2020
Description: On June 30, Microsoft took legal action to take control of six domains used in phishing campaigns. Operative since December 2019, these Business E-mail Compromise Attacks (BEC) have notably exploited the COVID-19 crisis. These phishing campaigns, which directly target e-mail accounts, redirect employees to fraudulent websites that mimic the Office 365 login page so that they can conduct business transactions on behalf of the company for the benefit of cybercriminals.
Link(s):
https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/
http://www.documentcloud.org/documents/6982601-Microsoft-civil-complaint-against-COVID-19.html   

 

Country: United States
Subject: The Secret Service announces the creation of a Task Force dedicated to the fight against cyber frauds
Publication date: 07/09/2020
Description: The new Cyber Fraud Task Force (CFTF) has been created by merging the Task Forces on electronic crime and financial crime. It aims to prevent, detect and mitigate online financial crime. The Secret Service adds that the CFTF will improve the sharing of resources between its services, a method that has proven effective in the fight against digital frauds exploiting COVID-19.
Link(s):
https://www.secretservice.gov/data/press/releases/2020/20-JUL/Secret-Service-Cyber-Fraud-Task-Force-Press-Release.pdf

 

Back to the previous newsletters of CYBERSECURITY WATCH :