COVID-19: CYBERSECURITY WATCH #22 – October 22, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert system covering the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which may be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to understand and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we also do a “threat focus” on one of the attacks reported each week, giving a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on Webex vulnerability CVE-2020-3535

Attack: Cisco fixes several vulnerabilities affecting its Webex online conferencing platform
CVSS score: 7.8
Target: Cisco Webex Teams client for Windows
Publication date: 10/07/2020
Link(s):
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-dll-drsnH5AN

Description

Since the beginning of the COVID-19 pandemic, working methods have evolved to avoid unnecessary human contact, and teleworking has become widespread wherever the company’s activity allows it.

There is therefore strong market growth for tools that enable remote working: technologies for remote access to internal resources (VPN), videoconferencing tools and internal communication tools. Now at the core of companies’ activities, these tools are critical, exposed components and prime targets for cybercriminals. Cisco, one of the American leaders in the networking technology market, acquired Webex, a company specialized in videoconferencing, in 2007.

Cisco notably offers the Webex Teams tool, which enables team collaboration through messaging, video conferencing, shared notes, calendar and file sharing.

Modus operandi

This vulnerability (CVE-2020-3535) may allow an authenticated, local attacker to load a malicious shared library (DLL, Dynamic-Link Library) into the Webex Teams client for Windows.

The cause is incorrect handling of directory paths by the DLL loader at run time: a malicious DLL that the attacker has placed in a specific directory of the system is picked up and executed when the application is launched, a classic DLL search-order hijacking pattern.

The malicious DLL runs with the rights of the user who launched Webex Teams. If that user is different from, and more privileged than, the attacker who planted the file, the attacker gains arbitrary code execution in that user’s context, hence a local privilege escalation.

Cisco has published software updates that address this vulnerability; no workaround is available, so updating the Windows client is the only fix.
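To make the mechanism concrete, the following added example (not code from Cisco, the Webex Teams client or the advisory) models the Windows DLL search order and shows where an attacker-writable directory can shadow a legitimate DLL. The directory names, file lists and DLL names (helper.dll, dbghelp.dll, example.dll) are constructed sample data; the advisory does not name the DLL or directory involved in CVE-2020-3535. The hardened_resolve policy mirrors what an application gets by restricting the loader to the application directory and System32 (SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32) or by loading DLLs by absolute path.

```python
"""Model of the Windows DLL search order, used to show where a planted DLL wins.

Added example, not code from Cisco or the Webex Teams client. Directory names,
file lists and DLL names below are constructed sample data.
"""
from typing import Dict, Iterable, List, Optional, Set

# Sample system directories (constructed; a real tool would query GetSystemDirectory etc.).
SYSTEM32 = r"C:\Windows\System32"
SYSTEM_DIRS = [SYSTEM32, r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir: str, cwd: str, path_dirs: List[str],
                 safe_mode: bool = True) -> List[str]:
    """Directories LoadLibrary("name.dll") walks when the name carries no path,
    the DLL is not a KnownDLL and no manifest/SetDllDirectory redirection applies.
    SafeDllSearchMode (on by default) pushes the current directory behind the
    system directories; with it off, the current directory is searched second."""
    if safe_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve_dll(dll: str, fs: Dict[str, Iterable[str]], order: List[str]) -> Optional[str]:
    """First directory in `order` holding `dll` (case-insensitive), or None if absent."""
    want = dll.lower()
    for directory in order:
        if any(name.lower() == want for name in fs.get(directory, ())):
            return directory
    return None


def hijack_candidates(dll: str, fs: Dict[str, Iterable[str]], order: List[str],
                      writable: Set[str]) -> List[str]:
    """Low-privilege-writable directories searched *before* the one holding the
    legitimate copy of `dll`; a DLL dropped in any of them shadows the real one.
    If the DLL exists nowhere (a 'phantom' DLL the application still asks for),
    every writable directory in the search order qualifies."""
    legit = resolve_dll(dll, fs, order)
    stop = order.index(legit) if legit is not None else len(order)
    return [d for d in order[:stop] if d in writable]


def plant(dll: str, fs: Dict[str, Iterable[str]], plant_dir: str) -> Dict[str, List[str]]:
    """Copy of `fs` with `dll` dropped into `plant_dir` (the attacker's move)."""
    planted = {d: list(names) for d, names in fs.items()}
    planted.setdefault(plant_dir, []).append(dll)
    return planted


def hardened_resolve(dll: str, fs: Dict[str, Iterable[str]], app_dir: str) -> Optional[str]:
    """Loader policy limited to the application directory and System32; the
    current directory and PATH are never consulted, so planted copies there are ignored."""
    return resolve_dll(dll, fs, [app_dir, SYSTEM32])


# Constructed sample host: an application directory only administrators can write to,
# a user-writable current directory and a user-writable directory on PATH.
APP_DIR = r"C:\Program Files\SampleApp"
CWD = r"C:\Users\alice\Downloads"
TOOLS_DIR = r"C:\Tools"
PATH_DIRS = [TOOLS_DIR]
FS: Dict[str, List[str]] = {
    APP_DIR: ["SampleApp.exe", "helper.dll"],
    SYSTEM32: ["kernel32.dll", "dbghelp.dll"],
}
WRITABLE = {CWD, TOOLS_DIR}


def audit(dll: str, safe_mode: bool) -> List[str]:
    """Hijackable directories for `dll` on the sample host."""
    order = search_order(APP_DIR, CWD, PATH_DIRS, safe_mode)
    return hijack_candidates(dll, FS, order, WRITABLE)


if __name__ == "__main__":
    for dll, safe in [("helper.dll", True), ("dbghelp.dll", True),
                      ("dbghelp.dll", False), ("example.dll", True)]:
        print(f"{dll:12} SafeDllSearchMode={safe!s:5} hijackable from: {audit(dll, safe) or 'nowhere'}")
    # A phantom DLL planted on a writable PATH entry is loaded even with SafeDllSearchMode on,
    # but not under the hardened policy.
    order = search_order(APP_DIR, CWD, PATH_DIRS, safe_mode=True)
    planted_fs = plant("example.dll", FS, TOOLS_DIR)
    print("example.dll (default order):", resolve_dll("example.dll", planted_fs, order))
    print("example.dll (hardened):     ", hardened_resolve("example.dll", planted_fs, APP_DIR))
```

The two cases worth noting for a local privilege escalation like the one above: a DLL that the application requests but that exists nowhere on the system can be supplied from any user-writable directory on the search path even with SafeDllSearchMode enabled, and a DLL that normally lives in System32 can be shadowed from the current directory as soon as SafeDllSearchMode is off. Both disappear when the loader is restricted to the application directory and System32, which is why vendor fixes for this class of bug typically consist of loading by absolute path or tightening the default DLL directories.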

 

Threats

Attack: An unsecured AWS database exposes the medical records of thousands of patients of an Indian medical laboratory
Method: Data leak
Target: Dr Lal PathLabs’ patients
Publication date: 10/13/2020
Description: Due to a configuration issue, a database belonging to Dr Lal PathLabs, which provides COVID-19 diagnostic tests, remained publicly accessible for more than a month. The roughly 50 GB of exposed patient data included COVID-19 test results as well as patient names and addresses. The exposure was discovered by security researcher Sami Toivonen and closed by the laboratory within a few hours of being reported.
Link(s):
https://www.healthcareinfosecurity.com/unsecured-aws-database-left-patient-data-exposed-a-15163

 

Attack: The XDSpy APT (Advanced Persistent Threat) group operated spear-phishing campaigns notably exploiting COVID-19 to spread the XDDown malware.
Method: Spear-phishing campaign
Target: Governmental and private entities in Eastern Europe and the Balkans
Publication date: 10/02/2020
Description: Active since 2011, this APT group has recently used COVID-19 lures to trick its victims and steal confidential information. In February 2020, XDSpy impersonated the Belarusian Republican Scientific and Practical Center for Pulmonology and Tuberculosis to target the Belarusian Ministry of Industry via fraudulent e-mails containing a malicious attachment. In September, a similar campaign targeted Russian-speaking targets.
Link(s):
https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/

 

Attack: Cybercriminals exploit Donald Trump’s positive COVID-19 diagnosis to spread the BazarLoader backdoor
Method: Phishing campaign
Target: U.S. and Canadian organizations
Publication date: 10/07/2020
Description: The fraudulent e-mails claim to provide information about the American President’s medical condition to trick their targets into clicking on a link leading to a malicious Excel document. Once opened, the document downloads the BazarLoader backdoor, designed to deploy additional malware and steal sensitive data from the targeted organizations. See our focus on BazarLoader in a previous Cybersecurity Watch newsletter.
Link(s):
https://twitter.com/threatinsight/status/1313860463495704578
https://www.cyberscoop.com/trump-coronavirus-sickness-hacking-virus/

 

Fraud

Attack: The FBI warns of charity fraud related to COVID-19
Method: Phishing campaign
Surface/Application: E-mail
Publication date: 10/14/2020
Description: After an upsurge in phishing campaigns with COVID-19 lures, cybercriminals are posing as charities to defraud their victims and spread malware via fraudulent e-mails. In response, the FBI has released a series of tips to prevent these frauds.
Link(s):
https://www.fbi.gov/news/pressrel/press-releases/fbi-warns-of-potential-charity-fraud-associated-with-the-covid-19-pandemic
https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/charity-and-disaster-fraud

 

Attack: Cybercriminals impersonate the Internal Revenue Service (IRS) to steal personal data
Method: Phishing campaign
Surface/Application: E-mail
Publication date: 10/07/2020
Description: Cybercriminals have impersonated the IRS to announce a supposed update on COVID-19 relief funds. Victims are prompted to click on a link leading to a SharePoint form designed to harvest e-mail credentials and other personal data. According to Armorblox, the attackers compromised an employee’s SharePoint account and used it to host the form, which allowed the campaign to bypass Microsoft 365 security mechanisms.
Link(s):
https://www.armorblox.com/blog/blox-tales-irs-covid-relief-phishing/
https://www.techrepublic.com/article/phishing-attack-spoofs-irs-covid-19-relief-to-steal-personal-data/  

 

Useful resources

Type of resources: The French Data Protection Authority (CNIL) publishes its recommendations for establishments collecting their customers’ data for contact tracing
Target: Restaurants, cafés and their customers
Publication date: 10/07/2020
Description: In maximum alert areas, certain establishments may only open if they keep a register of customer contact details so that customers can be reached if one of them turns out to be infected. The CNIL reminds these establishments that only the necessary data (identity and means of contact) must be collected, that it must be stored securely for no longer than 14 days, and that it must only be transmitted to the health authorities, and only when they request it.
Link(s):
https://www.cnil.fr/fr/covid-19-et-les-cahiers-de-rappel-les-recommandations-de-la-cnil
https://solidarites-sante.gouv.fr/actualites/presse/communiques-de-presse/article/renforcement-protocole-sanitaire-restaurants-zones-d-alerte-maximale

 

Type of resources: Europol publishes its annual internet organized crime threat assessment
Target: Private and public sectors
Publication date: 10/05/2020
Description: This Europol report presents a threat assessment of internet organized crime using a combination of law enforcement and private sector insights. This report especially points out the impact of COVID-19 as a factor of the changing threat and highlights the exploitation of new modus operandi by cybercriminals in the midst of this pandemic.
Link(s):
https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2020

 

Other News

Country: France
Subject: A new version of the StopCovid application, renamed “TousAntiCovid”, is launched
Publication date: 10/14/2020
Description: Acknowledging the failure of StopCovid, French President Emmanuel Macron announced the launch of a new version of the application on October 22. Renamed “TousAntiCovid”, this update is expected to add new features and provide additional information on barrier gestures, the circulation of the virus across the territory and testing centers.
Link(s):
https://www.gouvernement.fr/info-coronavirus/stopcovid
https://www.frandroid.com/android/applications/784596_stopcovid-devient-tous-anti-covid-ce-quil-faut-savoir-sur-la-nouvelle-application

 

Country: United Kingdom
Subject: An overfilled Excel spreadsheet delays contact tracing for 16,000 COVID-19 positive cases in England
Publication date: 10/05/2020
Description: Due to a technical glitch related to the legacy .xls file format used in Excel, the British government failed to report 16,000 positive COVID-19 cases between September 25 and October 2, 2020. The .xls format only supports a limited number of rows per worksheet (65,536), and the cases beyond that limit were silently dropped. Although the 16,000 positive cases were eventually reported, this incident delayed the tracing of their contacts.
Link(s):
https://www.bbc.com/news/uk-54412581
https://www.numerama.com/politique/653217-16-000-anglais-malades-du-covid-ont-ete-oublies-a-cause-dune-feuille-excel-trop-pleine.html

 

Country: International
Subject: Nokia launches temperature detection system for access control
Publication date: 10/15/2020
Description: This analytics-based thermal solution detects elevated body temperature, a symptom of COVID-19, and monitors mask compliance in public and private places such as businesses. Nokia combines thermal cameras, centralized management and cloud-based analytics. Already tested in Nokia’s Chennai factory, the solution has been used to monitor temperatures and support supply resilience and business continuity.
Link(s):
https://www.nokia.com/about-us/news/releases/2020/10/15/nokia-advances-fight-against-covid-19-with-analytics-based-thermal-detection-solution/

 

Country: International
Subject: Google Maps improves its business information system
Publication date: 10/15/2020
Description: While Google Maps already provided “popular times” information for referenced establishments, this new feature lets users view how busy a place is in real time. To refine this system, Google has modified its algorithm to rely only on the most recent user location data, whereas the previous system also took older data into account.
Link(s):
https://blog.google/products/maps/maps101-popular-times-and-live-busyness-information

 
