COVID-19: CYBERSECURITY WATCH #20 – September 24, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on the Sepulcher malware

Attack: Chinese cybercriminals target WHO and Europe via COVID-19-themed phishing campaigns
Method: Phishing campaigns spreading the “Sepulcher” malware
Target: European diplomatic and legislative entities
Publication date: 09/02/2020
Link(s):
https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic

Description

The Chinese group APT (Advanced Persistent Threat) TA413 took advantage of the COVID-19 global pandemic to carry out an e-mail phishing campaign targeting mainly European diplomatic and legislative entities, non-profit organizations and global economic organizations. The contents of these e-mails mimicked the World Health Organization (WHO) guidelines on COVID-19 preparation in the form of an attachment (Microsoft Word RTF) that, when executed, installed the Sepulcher malware.

Modus Operandi

First, the attachment named “Covdi.rtf” is executed. It exploits a vulnerability in the Microsoft equation editor and installs a malicious RTF object in the form of a Windows meta file (WMF) in the Windows directory “%\AppData\Local\Temp\wd4sx.wmf”. Once installed and executed, the WMF file enables delivery and installation of the final Sepulcher malware. Here, the WMF file is the loader of the real malware, i.e. it is responsible for importing and executing it on the system.

In a second step, the WMF file installs a temporary “OSEB979.tmp” dropper file, which then installs the final Sepulcher payload in the “credential.dll” file in the “%\AppData\Roaming\Identities\Credential.dll” directory. In order to benefit from system persistence, the system will create a scheduled task named “lemp” that uses the rundll32.exe executable to run the Sepulcher payload and calls the powershell export function “GetObjectCount” on an hourly basis.

schtasks /create /tr “rundll32.exe %APPDATA%\Identities\Credential.dll,GetObjectCount” /tn “lemp” /sc HOURLY

Figure 1: Planned task responsible for execution and persistence.

The malware configuration is stored in the Windows registry at “HKEY_CURRENT_USER\Microsoft\WAB\Resources”. There are three keys, “Credentials”, “Property” and “Security”, which correspond to the three encrypted C2 (command & control) servers used by the malware. Once these keys have been decrypted, we can see that the malware communicates to its C2 via the IP address 107.151.194.187 using ports 80, 443 and 8080.

The malware can be given a set of commands, including the ability to collect data from the infected system, spawn a reverse command shell, and manipulate files (read/write). Sepulcher malware usually seeks for all connected drives on the machine and is able to collect every data like files, running processes and Windows services.

IOCs

Proofpoint has published IOCs to identify this malware at the end of its blog post.

 

Threats

Attack: In Florida, a teenager launches several DDoS attacks making inaccessible the distance learning platform set up during the health crisis
Method: DDoS attack
Target: Distance learning platform
Publication date: 09/03/2020
Description: David Oliveros orchestrated eight simultaneous distributed denial of service attacks designed to overwhelm Miami-Dade County school networks and the My School Online distance education platform. The teenager said he used an online application to carry out his attacks. Of the 12 DDoS attacks that have been reported – eight of which the teen reportedly carried out – the others were reportedly carried out from abroad.
Link(s):
https://www.local10.com/news/local/2020/09/03/student-arrested-in-connection-with-cyber-attacks-against-miami-dade-public-schools/

 

Attack: Spanish laboratories working on COVID-19 vaccine targeted by Chinese cybercriminals Method: Spying
Target: Spanish research laboratories
Publication date: 09/18/2020
Description: The head of Spain’s National Intelligence Centre (CNI), Paz Esteban, said cyberattacks from China had led to the theft of medical data from research laboratories. The data have been later commercialized.
Link(s):
https://elpais.com/sociedad/2020-09-17/hackers-chinos-robaron-informacion-de-la-vacuna-espanola-para-la-covid.html

 

Attack: Ransomware against Düsseldorf University Hospital leads to patient’s death
Method: Ransomware
Target: Düsseldorf University Hospital
Publication date: 09/17/2020
Description: In the context of COVID-19, healthcare institutions are particularly targeted by cyberattacks. Recently, a ransomware infected more than 30 internal servers at Düsseldorf University Hospital, paralyzing some healthcare machines. Many patients had to be transferred to other institutions, including a seriously ill patient who did not survive the transfer. The police have launched an investigation to determine the degree of involvement of the cyberattack in this incident.
Link(s): https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/UKDuesseldorf_170920.html

 

Frauds

Attack: Cybercriminals take control of Indian Prime Minister’s Twitter account and launch a fake appeal for donations exploiting the COVID-19 pandemic
Method: Identity fraud
Surface/Application:  Twitter account
Publication date: 09/04/2020
Description: Cybercriminals have been soliciting charitable donations in cryptocurrency. These messages have since been deleted. This incident comes after last July’s hacking of the Twitter accounts of several public figures, including those of Barack Obama, Elon Musk and Bill Gates. Twitter said it was conducting an investigation to determine how the cybercriminals managed this hijacking.
Link(s):
https://timesofindia.indiatimes.com/india/pm-modis-twitter-account-linked-to-personal-site-hacked-restored/articleshow/77920860.cms

 

Attack: Cybercriminals are circulating a false investigation report on COVID-19 and usurping the identity of reserve officers
Method: Misinformation  
Surface/Application:  Fraudulent investigation report
Publication date: 09/04/2020
Description: Since August, several French and foreign sites have been posting a French “investigation report by a group of reserve officers” on COVID-19. This report aims to shed light on the causes of the pandemic and the protective measures to be taken. However, the AFP and the National Federation of Officers Reservists have underlined that it is a false report with many scientific inconsistencies.
Link(s):
https://factuel.afp.com/ce-faux-rapport-dun-groupe-dofficiers-de-reserve-sur-le-covid-19-contient-des-fausses-informations

 

Useful resources

Type of resources: The FDPA publishes its quarterly opinion on the conditions of data processing in COVID-19 applications
Target: All audiences
Publication date: 09/14/2020
Description: The FDPA has noted that improvements have been made in terms of data protection, both on the SI-DEP and Contact COVID files. Nevertheless, certain guarantees remain insufficient, such as the security of data transmission between certain organizations or the delivery of information to the persons concerned. The FDPA has announced a second phase of controls before the end of September 2020. The results will be communicated in the next public notice.
Link(s):
https://www.cnil.fr/fr/la-cnil-rend-public-son-avis-trimestriel-adresse-au-parlement-sur-les-conditions-de-mise-en-oeuvre

 

Other News

Country: France
Subject: The French Health Insurance erroneously communicated the positive status to COVID-19 of three persons
Publication date: 09/18/2020
Description: An insured person mistakenly received three letters on his Ameli personal account that disclosed the contact details and COVID-19 test result of each of the recipients. This error was the result of improper handling by an agent when loading e-mail destined for the insured. The GDPR will notify to the FDPA and a communication with each person concerned.
Link(s):
https://cyberguerre.numerama.com/7678-lassurance-maladie-a-communique-par-erreur-le-statut-covid-de-3-personnes.html

 

Country: Japan
Subject: Fujitsu and Tokyo’s Shinagawa Hospital will use Artificial Intelligence to diagnose more effectively severe cases of COVID-19
Publication date: 09/03/2020
Description: The data collected from previous scans of COVID-19 patients will be used to train AI to detect abnormal signs in the lungs. According to Fujitsu, using AI to analyze these scans will automate the process. This technology will allow early detection of COVID-19, even when the possibility of infection is determined to be low during the initial examinations.
Link(s):
https://www.zdnet.com/article/fujitsu-and-tokyo-shinagawa-hospital-to-develop-ai-for-covid-19-pneumonia-diagnosis/

 

Country: France
Subject: The French department of Loir-et-Cher uses a “connected aerosol” to disinfect schools
Publication date: 09/19/2020
Description: When the aerosol – the virucidal CleanRwith – is dispensed, the cleaning agent scans the QR-code in the classroom, which generates a traceability certificate. The information is thus fed back in real time via a blockchain, to which the Departmental Council of Loir-et-Cher has access, as well as the principal and the manager of the colleges.
Link(s):
https://www.la-croix.com/France/Coronavirus-Loir-Cher-mise-technologie-desinfecter-salles-classe-2020-09-19-1201114858

 

Country: United Kingdom (Wales)
Subject: Details of over 18,000 people who tested positive for COVID-19 were erroneously published online by the Welsh Department of Health
Publication date: 09/13/2020
Description: Due to human error, the data of 18,105 Welsh residents who tested positive for COVID-19 was mistakenly uploaded to a public server where it could be viewed by anyone using the site. After being alerted, the Department deleted the data.
Link(s): https://phw.nhs.wales/news/public-health-wales-statement-on-data-breach/

 

Back to the previous newsletter of CYBERSECURITY WATCH !