COVID-19: CYBERSECURITY WATCH #21 – October 8, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert service covering the impacts and consequences of COVID-19 on cybersecurity. This watch, which may be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to understand and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we also do a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” covers malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” covers scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information, such as government measures taken in the area of cybersecurity.

 

Focus on the Ryuk ransomware 

Attack: Computer networks of several Universal Health Services (UHS) hospitals shut down by the Ryuk ransomware
Method: Phishing campaign
Target: UHS hospitals in the United States, including those from California, Florida, Texas, Arizona and Washington DC
Publication date: 09/28/2020
Link(s):
https://www.uhsinc.com/statement-from-universal-health-services/
https://threatpost.com/universal-health-ransomware-hospitals-nationwide/159604/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

Description 

Universal Health Services (UHS) is a Fortune 500 company operating about 400 hospitals and care facilities in the United States. An employee at one of the UHS hospitals noticed encrypted files carrying the .ryk extension and the phrase “Shadow of the Universe” on his computer, which points to the Ryuk ransomware. Healthcare staff were forced to work without their computers in the middle of the COVID-19 crisis.

Modus operandi

Ryuk is usually delivered by other malware. Typically, Emotet is sent via a phishing campaign; it then installs TrickBot, which collects information about the compromised machine and gives the attackers a reverse shell from which they launch the Ryuk ransomware by hand. Ryuk itself consists of a dropper that writes an executable file containing the actual ransomware payload.

The dropper calls IsWow64Process to find out whether it is running as a 32-bit process on a 64-bit Windows, and writes the matching 32-bit or 64-bit payload. Two batch scripts are then executed to disable as many system protections as possible. The payload then encrypts files that are not critical to the system: it skips certain system directories and certain extensions (.exe and .dll, for example) so that the machine remains usable enough for the victim to read the ransom note. Files are encrypted with AES-256, with a fresh key generated for each file. That per-file key is encrypted with the cybercriminals’ RSA-4096 public key, which is shipped in the executable, and the encrypted key is appended to the end of the file. Only the matching private key, which never leaves the attackers, can unwrap the file keys, so the files cannot be recovered from the binary alone.

After encrypting the main drive, Ryuk goes after every other drive it can find, enumerated with GetLogicalDrives, and after hosts reachable over the network, which it discovers with GetIpNetTable (the machine’s ARP cache). Unlike WannaCry, which spread on its own, Ryuk does not self-propagate: it is deployed by hand against selected organizations, the “big game hunting” approach described by CrowdStrike.
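The encryption layout described above (per-file AES-256 key wrapped with RSA-4096 and appended to the ciphertext, .ryk extension, .exe/.dll and some system directories left alone) gives an incident responder a few concrete things to check when triaging a suspect file share. The following script is an added example written for this newsletter; it is neither CERT-DS code nor code from any Ryuk sample. It assumes, beyond what the text states, that the wrapped key occupies exactly the last 512 bytes of a file (the size of one RSA-4096 ciphertext), a hypothetical list of skipped directory names, and an entropy threshold of 7.0 bits per byte; the sample files it scans are constructed in a temporary directory.

```python
"""Triage helper for files encrypted the way the Ryuk focus above describes.

Added example, not CERT-DS or Ryuk code. Taken from the text: .ryk extension,
.exe/.dll and some system directories untouched, per-file AES-256 key wrapped
with RSA-4096 and appended to the file. Assumptions (not from the page): the
wrapped key is exactly the last 512 bytes (one RSA-4096 ciphertext), the
skipped directory names, and the entropy threshold.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RSA4096_BLOB_LEN = 512              # assumption: one RSA-4096 ciphertext (512 bytes) appended per file
ENCRYPTED_EXT = ".ryk"              # extension reported on the UHS machines
SKIPPED_EXTS = {".exe", ".dll"}     # extensions the text says Ryuk leaves alone
SKIPPED_DIRS = {"windows", "$recycle.bin", "system volume information"}  # assumed names
HIGH_ENTROPY = 7.0                  # bits/byte; random data scores ~7.6 on 512 B and ~7.95 on 4 KiB, text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_key_blob(data: bytes):
    """Return (ciphertext_body, wrapped_key_blob); the blob is empty if the file is too short to carry one."""
    if len(data) < RSA4096_BLOB_LEN:
        return data, b""
    return data[:-RSA4096_BLOB_LEN], data[-RSA4096_BLOB_LEN:]


def classify_file(path: Path) -> dict:
    """Flag a file as a likely Ryuk-style ciphertext only when all indicators agree:
    the extension, a trailing key blob, and high entropy in both body and blob.
    Compressed media (zip, jpeg, mp4) is also high-entropy, so the extension check
    is what keeps false positives down; on a live case compare with a known-good copy."""
    data = path.read_bytes()
    body, blob = split_key_blob(data)
    body_entropy = shannon_entropy(body)
    blob_entropy = shannon_entropy(blob)
    has_ext = path.suffix.lower() == ENCRYPTED_EXT
    return {
        "path": str(path),
        "size": len(data),
        "ryk_extension": has_ext,
        "has_key_blob": bool(blob),
        "body_entropy": round(body_entropy, 2),
        "blob_entropy": round(blob_entropy, 2),
        "likely_encrypted": bool(has_ext and blob
                                 and body_entropy >= HIGH_ENTROPY and blob_entropy >= HIGH_ENTROPY),
    }


def scan_tree(root: Path) -> list:
    """Walk the tree with the same exclusions the ransomware applies, so the scan covers
    exactly the files it could have touched."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_DIRS]  # prune in place
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in SKIPPED_EXTS:
                continue
            findings.append(classify_file(p))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: random bytes stand in for AES output, a repeated sentence for a document."""
    (root / "Windows").mkdir()
    (root / "report.docx.ryk").write_bytes(os.urandom(4096) + os.urandom(RSA4096_BLOB_LEN))
    (root / "stub.ryk").write_bytes(os.urandom(100))                       # too short to carry a 512-byte blob
    (root / "notes.txt").write_bytes(b"Patient admitted, vitals stable. " * 120)
    (root / "tool.exe").write_bytes(os.urandom(2048))                      # skipped by extension
    (root / "Windows" / "inside_windows.ryk").write_bytes(os.urandom(4096 + RSA4096_BLOB_LEN))  # skipped by directory


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {Path(f["path"]).name: f for f in scan_tree(root)}


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        flag = "ENCRYPTED?" if f["likely_encrypted"] else "clean"
        print(f"{flag:10} {name:20} body={f['body_entropy']:.2f} blob={f['blob_entropy']:.2f} size={f['size']}")
```

Running the script prints one line per scanned file; tool.exe and the file under Windows never appear, which is the point of reusing the ransomware’s own exclusion rules: anything it would have skipped does not need triage, and a .ryk file too short to carry a 512-byte blob is reported but not flagged. On a real share, point scan_tree at the mount and keep the entropy figures, which are the evidence you will want when confirming the encryption scheme with the vendor report.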

 

Threats

Attack: eResearchTechnology (ERT), a software company supporting COVID-19 clinical trials, hit by ransomware
Method: Ransomware
Target: ERT computer networks / Patient Data
Publication date: 10/03/2020
Description: A ransomware attack hit the ERT computer networks, locking confidential patient data and slowing the COVID-19 vaccine clinical trials the company supports. The Philadelphia-based company took its systems offline and has not disclosed the extent of the damage. One of ERT’s clients, IQVIA, a contract research organization helping to run AstraZeneca’s COVID-19 vaccine trial, was affected as well; IQVIA was able to limit the impact because it had backed up its data.
Link(s):
https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html

 

Attack: Threatened with the publication of its data, University Hospital New Jersey pays a 670,000-dollar ransom
Method: Ransomware/Data Leakage
Target: Computer network
Publication date: 10/03/2020
Description: To prevent the publication of 240 GB of stolen data, University Hospital New Jersey paid 61.9 bitcoins (about 670,000 dollars) in ransom. The hospital had been hit by the SunCrypt ransomware, whose operators infiltrated the network, exfiltrated unencrypted files and then encrypted its data. After the attackers had published more than 48,000 documents, the hospital paid to protect the rest of its patient data.
Link(s):
https://www.bleepingcomputer.com/news/security/new-jersey-hospital-paid-ransomware-gang-670k-to-prevent-data-leak/

 

Attack: India’s COVID-19 surveillance tool exposes the data of millions of users
Method: Data exposure
Target: Users of the Uttar Pradesh COVID-19 Monitoring Platform
Publication date: 09/23/2020
Description: vpnMentor researchers discovered significant vulnerabilities in this COVID-19 patient surveillance tool, exposing the data of 8 million Indian citizens. The flaws gave the researchers access to an unsecured git repository, to the admin dashboard and to an exposed web index of CSV files containing daily patient reports. According to the researchers, the platform remained vulnerable from August to September 2020.
Link(s):
https://www.vpnmentor.com/blog/report-india-covid-leak/   

 

Fraud

Attack: Microsoft removes 18 Azure Active Directory applications used by the Gadolinium Group to conduct phishing campaigns with COVID-19 lures
Method: Spear-phishing campaigns
Surface/Application: Messaging/PowerPoint files
Publication date: 09/24/2020
Description: After analyzing the evolving attack techniques of GADOLINIUM, a China-based APT group, the Microsoft Threat Intelligence Center (MSTIC) proactively blocked the group from abusing Microsoft’s cloud infrastructure by suspending 18 Azure AD applications. These applications were part of the group’s command-and-control and post-exploitation tooling, built on PowerShell Empire; the lures were PowerPoint attachments on COVID-19 themes.
Link(s):
https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/

 

Attack: Cybercriminals use Facebook’s grant program to swindle companies hit by the pandemic
Method: Phishing campaign
Surface/Application: Messaging
Publication date: 09/28/2020
Description: Facebook announced 100 million dollars in grants for small businesses affected by the COVID-19 pandemic; 30,000 companies located in the countries where Facebook operates are eligible. The scammers circulated an article presented as coming from the American television channel CNBC and describing Facebook’s offer. Victims are led to click a fraudulent link and then enter their Facebook account credentials.
Link(s):
https://www.kaspersky.com/blog/facebook-grants/37181/
https://www.facebook.com/business/small-business/grants

 

Attack: A UK firm fined for sending text messages promoting hand-sanitising gels that are not effective against COVID-19
Method: Spam SMS / unsolicited marketing
Surface/Application: Text messages
Publication date: 09/24/2020
Description: The UK Information Commissioner’s Office (ICO) has fined Digital Growth Experts Limited (DGEL) £60,000 for sending spam SMS messages without the recipients’ consent. The messages, sent through Voodoo SMS, a bulk SMS platform, promoted hand-sanitising products that are not effective against COVID-19.
Link(s):
https://ico.org.uk/action-weve-taken/enforcement/digital-growth-experts-limited-mpn/
https://www.zdnet.com/article/ico-fines-profiteering-uk-firm-for-touting-coronavirus-products-over-spam-texts/

 

Useful Resources

Type of resource: US Cybersecurity and Infrastructure Security Agency (CISA) telework toolkit
Target: Managers and teleworkers
Publication date: 10/02/2020
Description: As remote work becomes more widespread, CISA has published recommendations to help organizations strengthen their cybersecurity. The toolkit collects recommendations, quick tips and links to more in-depth resources, and looks at the telework security ecosystem from three points of view: the manager, the security professional and the employee.
Link(s):
https://www.cisa.gov/sites/default/files/publications/20-02019b%20-%20Telework_Essentials-08272020-508v2.pdf

 

Other News

Country: United States  
Subject: Walmart delivers COVID-19 test kits by drone
Publication date: 10/05/2020
Description: The US retailer announced a trial of drone delivery of COVID-19 self-collection kits, in partnership with Quest Diagnostics and DroneUp. The kits are dropped off free of charge in customers’ yards; once the test is done, customers return their sample using the prepaid label included in the kit. The trial covers customers living within about 1.6 km (one mile) of the participating store in the Las Vegas area.
Link(s):
https://siecledigital.fr/2020/10/05/walmart-utilise-des-drones-pour-livrer-des-kits-de-depistage-au-covid-19/

 

Country: United States  
Subject: Google Maps will show the spread of the COVID-19 pandemic
Publication date: 09/24/2020
Description: Google Maps will soon include an overlay mapping the spread of the pandemic. A “COVID” layer in the app (iOS and Android) will show the seven-day average of new positive cases in each region, colour-coded from green through orange to red according to the case rate. The data come from the Johns Hopkins COVID-19 dashboard, the New York Times and Wikipedia.
Link(s):
https://www.presse-citron.net/google-maps-devrait-cartographier-la-pandemie-de-covid-19-dici-la-fin-de-la-semaine/

 
