COVID-19: CYBERSECURITY WATCH #23 – November 5, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) is implementing a monitoring and alert system covering the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, giving a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on the Vaggen ransomware

Attack: University of British Columbia in Canada targeted by ransomware distributed in a phishing campaign exploiting fake COVID-19 survey
Method: Phishing campaign
Target: University of British Columbia (UBC)
Publication date: 10/28/2020
Link(s):
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/

Description

As illustrated in our COVID-19 cybersecurity watch newsletters published since March, attacker groups are taking advantage of the fear generated by the virus to reach their goals and install malware on victims’ computers.

One of the latest cases is the ransomware attack targeting the University of British Columbia (UBC) reported by the MalwareBytes teams. This attack, which involved a fraudulent COVID-19 pandemic survey, aimed at installing a new ransomware on the victims’ computers, apparently coded by the attackers themselves.

Modus operandi

In the case of the attack targeting UBC, attackers sent an e-mail inviting users to complete a fake survey related to the COVID-19 outbreak. However, unlike traditional phishing campaigns, this survey was not sent as an e-mail attachment but had to be downloaded manually by the victims from the Box.net or Dropbox file-sharing platforms (probably in order to evade antivirus detection and spam filtering). Once the document is downloaded and opened, the macro it contains downloads two files (Polisen.exe and Killar.exe) from a remote server. Killar.exe is then executed: it encrypts all the documents on the victim’s computer and adds the .VAGGEN extension to them. Developed in Go, the ransomware uses AES-256 encryption (32-byte key) in Galois/Counter Mode (GCM).

Because the MalwareBytes experts obtained a copy of the ransomware via the UBC cybersecurity teams, they were able to analyze its behavior and extract the encryption key, which is hard-coded in the program. The key “du_tar_mitt_hjart_mina_pengarna0” is a Swedish phrase meaning “you take my heart my money”.
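The two points that matter for defenders in this focus are that a key stored as a readable string inside the binary can be pulled out with a plain strings scan, and that once it is known, every file encrypted with it can be recovered. The Go program below is an added illustration written for this newsletter; it is not code from the sample or from MalwareBytes. It assumes an on-disk layout of 12-byte nonce followed by ciphertext and GCM tag (the page does not describe the real layout), and the “binary” it scans is a constructed byte blob with NUL-separated strings rather than a real Go executable, whose string literals are packed without terminators.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Key quoted in the MalwareBytes write-up: 32 ASCII bytes, i.e. a 256-bit AES key.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

// constructedBinaryBlob is a CONSTRUCTED stand-in for a slice of the unpacked
// sample's data section: opaque bytes, two short strings and the key, NUL-separated.
var constructedBinaryBlob = []byte("\x00\x01\x02GO\x00.VAGGEN\x00" + vaggenKey + "\x00\x7f\x90")

// findKeyCandidates does what a `strings`-style scan does: it returns every run
// of at least minLen printable ASCII bytes. A hard-coded key that happens to be a
// readable phrase stands out immediately in such a listing.
func findKeyCandidates(blob []byte, minLen int) []string {
	var out []string
	start := -1
	for i := 0; i <= len(blob); i++ {
		printable := i < len(blob) && blob[i] >= 0x20 && blob[i] <= 0x7e
		if printable {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(blob[start:i]))
		}
		start = -1
	}
	return out
}

// newGCM builds the AES-256-GCM AEAD and rejects anything but a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithNonce builds a sample encrypted file in the ASSUMED layout
// nonce || ciphertext || 16-byte GCM tag (Go's Seal appends the tag).
// The caller-supplied nonce keeps the fixture reproducible; real encryption
// must use a fresh random nonce for every file.
func sealWithNonce(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

// recoverFile reverses that layout with the recovered key. GCM is authenticated,
// so a wrong key does not produce garbage: the tag check fails and Open errors.
func recoverFile(key, encrypted []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(encrypted) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	nonce, body := encrypted[:aead.NonceSize()], encrypted[aead.NonceSize():]
	return aead.Open(nil, nonce, body, nil)
}

func main() {
	for _, c := range findKeyCandidates(constructedBinaryBlob, 32) {
		fmt.Printf("candidate key (%d bytes): %q\n", len(c), c)
	}
	key := []byte(vaggenKey)
	sample, _ := sealWithNonce(key, []byte("fixed-nonce!"), []byte("quarterly report"))
	plain, err := recoverFile(key, sample)
	fmt.Printf("recovered with hard-coded key: %q (err=%v)\n", plain, err)
	_, err = recoverFile(bytes.Repeat([]byte("x"), 32), sample)
	fmt.Println("wrong key:", err)
}
```

The wrong-key path is the part worth keeping in mind when triaging a recovery tool: with GCM, a decryptor that returns an error is telling you the key (or the assumed layout) is wrong, whereas an unauthenticated mode would hand back silently corrupted files.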

The UBC cybersecurity teams reported that no user had downloaded the document, most likely because it was distributed via sharing platforms. It is also interesting to note that the ransom amount was quite low: 80 USD. In the end, the attack does not seem to have been successful, since the associated Bitcoin wallet was, according to the latest news, still empty.

 

Threats

Attack: A joint advisory by the FBI, CISA and the Department of Health and Human Services (HHS) warns of ransomware attacks targeting the U.S. healthcare sector
Method: Phishing campaign
Target: Healthcare institutions and providers in the U.S.
Publication date: 10/28/2020
Description: This advisory warns against phishing campaigns spreading the BazarLoader and Trickbot malware, which allow cybercriminals to deploy the Ryuk and Conti ransomware on the targeted organizations’ networks. In the days following this alert, the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network were targeted by such attacks. Our focus on the Ryuk ransomware was presented in a previous cybersecurity watch.
Link(s):
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
https://securityaffairs.co/wordpress/110175/cyber-crime/brooklyn-vermont-us-hospitals-ransowmare.html

 

Attack: Involved in COVID-19 vaccine research, Dr.Reddy’s Laboratory was the victim of a cyberattack
Method: Data theft
Target: Dr. Reddy’s Laboratory
Publication date: 10/22/2020
Description: The laboratory, which is developing the COVID-19 Sputnik-V vaccine on behalf of Russia, announced that it had been the target of a ransomware attack. As a result, Dr. Reddy’s affected information systems were isolated and its plants shut down. An investigation was also launched to determine whether personal medical data had been compromised.
Link(s):
https://securityaffairs.co/wordpress/109994/hacking/covid-19-vaccine-manufacturer-hacked.html
https://www.livemint.com/companies/news/dr-reddy-s-provides-update-on-cyber-attack-11603873684385.html

 

Attack: CISA issues an alert on the North Korean cybercriminal group Kimsuky, which notably targeted COVID-19 research to steal confidential information
Method: Social engineering/spear-phishing
Target: Public entities, medical research laboratories, journalists, etc.
Publication date: 10/27/2020
Description: Believed to be linked to the North Korean government, Kimsuky’s main mission is to gather intelligence through espionage. The group runs spear-phishing campaigns to gain initial access to the targeted organizations’ networks and distributes, among other things, the BabyShark malware, designed to exfiltrate data from the infected device. In the course of 2020, the group also used COVID-19 decoys to entice its victims into opening malicious attachments.
Link(s):
https://us-cert.cisa.gov/ncas/alerts/aa20-301a
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

 

Attack: The Japanese pharmaceutical firm Shionogi & Co., which is working on a vaccine against COVID-19, was targeted by a ransomware
Method: Data theft
Target: Shionogi & Co.
Publication date: 10/22/2020
Description: Cybercriminals published medical equipment import licenses and employee residency permits on dark web forums and threatened to release more if the Japanese firm did not pay the requested ransom. However, Shionogi & Co. stated that no information on clinical trials had been compromised and that its operations in Japan had not been affected.
Link(s):
https://www.japantimes.co.jp/news/2020/10/23/business/corporate-business/japan-shionogi-cyberattack-data-breach/

 

Attack: Fraudulent e-mails claiming to provide COVID-19 screening results spread a new variant of the Hentai OniChan ransomware
Method: Phishing campaign
Target: General public
Publication date: 11/02/2020
Description: The e-mails mimic healthcare institutions to trick their targets into opening a fraudulent PDF or HTML attachment supposedly containing the result of their screening test. Once opened, it runs King Engine, a new variant of the Hentai OniChan ransomware, which exfiltrates the data and demands a ransom of more than $500,000 in Bitcoin.
Link(s):
https://cofense.com/coronavirus-test-results-return-data-exfiltrating-ransomware/

 

Frauds

Attack: Cybercriminals exploit the increased use of videoconferencing platforms during the COVID-19 pandemic to steal money from Zoom users
Method: Blackmail
Surface/Application: E-mails
Publication date: 10/28/2020
Description: The fraudulent e-mails claim that the sender has gained access to the target’s camera and data by exploiting a Zoom zero-day vulnerability, and demand a Bitcoin ransom under the threat of divulging compromising images.
Link(s):
https://hotforsecurity.bitdefender.com/blog/covid-19-zoom-and-bedroom-lewdness-make-for-sly-sextortion-tactic-24436.html

 

Attack: Cybercriminals have taken over the website of U.S. President Donald J. Trump to request donations in cryptocurrency
Method: Disinformation/scam
Surface/Application: Donaldjtrump.com
Publication date: 10/28/2020
Description: For less than 30 minutes, cybercriminals were able to display a message suggesting that the U.S. government was involved in the creation of COVID-19 and calling for donations in Monero to support their cause. The website was quickly restored and the U.S. President’s campaign team stated that the website did not contain any sensitive data that could have been stolen.
Link(s):
https://arstechnica.com/tech-policy/2020/10/trumps-website-defaced-with-claim-that-trump-admin-created-coronavirus/

 

Useful resources

Type of resources: CovidTracker, a tool developed by a French data scientist to follow the evolution of the COVID-19 pandemic in France and at the international level
Target: General public
Publication date: Updated daily
Description: Launched in the spring, this platform combines data from the WHO, INSEE and Santé Publique France through different Dashboards to monitor the evolution of the virus at the international, national, regional or departmental level. These dashboards provide information on the number of deaths, positive cases, hospitalized patients and those in intensive care.
Link(s): https://covidtracker.fr/

 

Other News

Country: International
Subject: The cybercriminal group Maze has reportedly shut down its operations
Publication date: 10/29/2020
Description: According to BleepingComputer, the group operating the Maze ransomware has started to delete the stolen data displayed on its website. Nevertheless, BleepingComputer claims that several of the group’s members have switched to a new ransomware operation called Egregor since September 2020. Active since May 2019, the Maze group has notably targeted healthcare institutions since the beginning of the COVID-19 pandemic.
Link(s):
https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/

 

Country: European Union
Subject: Launch of the European interoperability gateway between contact tracing applications
Publication date: 10/19/2020
Description: This platform allows contact tracing applications from European countries to operate outside their borders and interact with each other. The German, Irish, Italian, Danish, Latvian and Spanish applications were the first to be linked by this service. The remaining fourteen countries should be added in November. However, applications that are not based on a decentralized data storage model will not be able to benefit from this platform, such as TousAntiCovid in France.
Link(s):
https://ec.europa.eu/commission/presscorner/detail/en/ip_20_1904
https://www.brusselstimes.com/news/eu-affairs/136566/european-countries-contact-tracing-apps-commission-interoperability-gateway/

 

Country: United Kingdom
Subject: The UK contact tracing application did not alert all contact cases to COVID-19 due to a programming error
Publication date: 11/02/2020
Description: Present since September 2020, this error prevented the application from alerting all contact cases, because alerts were only sent to those who had been in contact with a proven case for five times longer than originally planned. As a result, several thousand people were not instructed to isolate themselves. The error has since been corrected.
Link(s):
https://www.theguardian.com/world/2020/nov/02/fault-in-nhs-covid-app-meant-thousands-at-risk-did-not-quarantine