COVID-19: CYBERSECURITY WATCH #19 – September 10, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on the LEMON_DUCK cryptominer

Attack: LEMON_DUCK cryptominer distributed in phishing campaigns using COVID-19 lures
Target: Companies
Publication date: 08/25/2020


Attackers are taking advantage of the global COVID-19 epidemic to carry out an email phishing campaign. The content is primarily Coronavirus themed and has a malicious attachment (Microsoft Word document). When victims open the attachment, a malicious payload is deployed to the system via CVE-2017-8570.


At first, like a worm, LEMON_DUCK will retrieve the list of Outlook contacts and send them a tricked e-mail that looks the same as the one initially sent (the subject and content are automatically generated by the malware code).

Once the target is infected, if it is vulnerable to CVE-2020-0796 (SMBGHOST), the malware will fix the flaw, in particular to prevent other attackers from using it.

The malware then generates random IP addresses and scans them on the internal network. It is interested in ports 445/TCP (SMB), 1433/TCP (MS-SQL server) or 65529/TCP, looking for a machine vulnerable to the CVE-2017-0144 (ETERNAL BLUE), CVE-2020-0796 (SMBGHOST) or having a MS-SQL service, to achieve a brute force on authentication

The malware also creates “.lnk” type shortcuts (CVE-2017-8464) and malicious DLLs on connected removable media and accessible network drives. These different techniques aim to propagate on the internal network.

Secondly, the malware deploys a cryptocurrency miner in memory, leaving no traces on the files system.


In recent weeks, the malware has had the ability to spread to Linux systems.

For this, it will scan the internal network for the SSH service (port 22/TCP) open and perform a dictionary attack on the root account. If successful, the malware adds persistence to the system via a scheduled (cron) task. It then tries to spread to other internal servers by analyzing the system’s “known hosts” and repeating its procedure.

Finally, the malware searches for traces of running cryptocurrency miners in order to stop them to be the only one running on the machine.

Other systems

The malware also has a module allowing the detection of clusters of Hadoop servers through a scan of the service accessible on port 8088/TCP. It then tries to create a new application instance via a specially crafted “POST” request. If no authentication is required then the malware can execute malicious code in the instance.

Likewise, the malware searches for a REDIS server by scanning port 6379/TCP. If the latter is not configured correctly, it injects malicious code into the database and creates persistence via a scheduled task.

The malware developers are very active and regularly deploy new versions. This allows them in particular to bypass certain detection techniques but also to take on new tools.



Attack: Cybercriminals target teleworkers in voice phishing campaigns (vishing)
Method: Social engineering/Vishing
Target: Private entities
Publication date: 08/20/2020
Description: As the COVID-19 pandemic democratized teleworking, cybercriminals gathered information about the employees of the targeted companies before calling them directly, impersonating their colleagues or an IT support technician. Then, they convinced them to provide their login credentials to the company’s VPN directly or through a fake login page. Once acquired, cybercriminals can launch new attacks.


Attack: Healthcare organization victim of ransomware REvil
Method: Ransomware/Leak disclosure  
Target: Valley Health Systems
Publication date: 08/27/2020
Description: During a monitoring process, Cyble Research Team have identified that operators of the REvil ransomware had disclosed confidential patient data such as medical scan reports and medical prescription on the Internet. Cybercriminals threatened to release more data if the hospital group did not pay a ransom. In this period of COVID-19, attacks against medical centers are increasing, such as the United Memorial Medical Center in Houston, which have recently been targeted by Maze ransomware.


Attack: Transparent Tribe group responsible for a malicious copy of the Indian digital tracking application
Method: Phishing/Malicious application
Target: Public/Military personnel in India
Publication date: 08/26/2020
Description: Through phishing campaigns on social networks and by text message, cybercriminals distributed an APK file imitating the contact tracking application “Aarogya Setu” and distributing a modified version of the AhMyth malware. The latter allows spying on the compromised device by accessing its files, text message exchanges, location, microphone, and includes new features to facilitate data extraction.


Attack: A phishing campaign exploits COVID-19 to spread the RAT Agent Tesla
Method: Phishing/malware
Target: Companies
Publication date: 08/27/2020
Description: In light of new health regulations concerning the wearing of masks in companies, cybercriminals have carried phishing campaigns claiming to provide facemasks and forehead thermometers to distribute RAT Agent Tesla. The cybercriminals impersonated chemical manufacturers and import/export businesses in e-mails containing an attachment named “Supplier-Face Mask Forehead Thermometer.pdf.gz,” which is actually a compressed executable. Once the victim opens it, the malware runs on the infected machine.


Attack: The French National Cybersecurity Agency (ANSSI) warns of phishing campaigns exploiting COVID-19 to spread the Emotet Trojan horse
Method: Phishing
Target: Public and private entities
Publication date: 09/07/2020
Description: Distributed via phishing campaigns notably exploiting COVID-19 lures, Emotet allows cybercriminals to recover passwords and the contents of mailboxes. Cybercriminals can then use this information to create new spear-phishing campaigns or exploit an e-mail thread hijacking technique to increase their credibility and further spread the malware within the infected network. 



Attack: Cybercriminals posing as French Health Insurance and swindle policyholders
Method: Phishing
Publication date: 08/18/2020
Description: The French Health Insurance has set up the “Contact Covid” system to prevent the spread of the virus and allow health investigators to contact people who have been tested positive. The French Health Insurance warned the insured that cybercriminals could take advantage of it, usurp the identity of the investigators and swindle them by asking them for personal and banking information under the pretext of sending a kit or a test.


Other News

Country: International
Subject: Apple and Google Integrate COVID-19 Exposure Notifications Directly into Smartphones
Publication date: 09/02/2020
Description: In the latest version of Android and iOS (13.7) operating systems, users will now be able to receive COVID-19 Exposure Notifications without downloading the digital tracking applications developed by local health authorities. This feature is currently only available for IPhone in a limited number of U.S. states.


Country: Japan
Subject: Japan Airlines experiments contactless tech check-in at Tokyo Haneda Airport
Publication date: 08/29/2020
Description: To reduce the spread of the virus, Japan Airlines is testing new contactless and self-service check-in machines. Equipped with motion sensors and infrared technology that captures the movement of a finger within 3 centimeters away from the screen, these kiosks allow users not to touch the screen. They are currently being tested until September 15, 2020.


Country: France
Subject: The French Data Protection Authority (CNIL) closes the formal notice addressed to the Ministry for Solidarity and Health regarding the processing of personal data by the StopCovid application
Publication date: 09/04/2020
Description: The CNIL considers that the application complies with the GDPR after several shortcomings relating to the processing of personal data have been addressed. Indeed, the application now filters the contact history directly on the phone, Google’s reCaptcha system has been removed and the ministry has completed the information provided to users, the clauses of its subcontracting contract with INRIA and the impact analysis relating to data protection.


Country: International
Subject: Fitbit will soon be able to detect COVID-19: results of the first conclusions of the “Fitbit COVID-19” study
Publication date: 08/19/2020
Description: Last May, Fitbit’s research team created an algorithm to detect the physiological signs of COVID-19 and conducted a 100,000-user experiment across the United States and Canada in which more than 1,000 positive cases have been detected. The study suggests that Fitbit is particularly capable of analyzing changes in respiratory and heart rates when the patient is affected. Further research will be focused on reporting the effects of the disease before more noticeable symptoms appear.


Back to the previous newsletter of CYBERSECURITY WATCH !