COVID-19: CYBERSECURITY WATCH #24 – November 19, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on “FakeUpdates” campaigns deployment 

Attack: Several malware distribution campaigns masquerading as fake updates, especially the Microsoft Teams tool
Method: Malicious online advertisements
Target: Microsoft Teams users
Publication date: 11/09/2020


The COVID-19 pandemic has led to an increase in the use of videoconferencing tools that cybercriminals know to exploit.

Since 2019, there has been a significant increase of fake updates lures. These pieces of malware often led to the dropping of ransomware such as DoppelPaymer and WastedLocker in order to steal money.

Nowadays, these attackers are no longer aiming solely at financial gain and continue to use the technique of false updates with increasingly varied objectives.

Modus operandi

Recently, an attackers group purchased online advertisements to distribute a fake update of the Microsoft Teams collaboration tool. After clicking on the link, the victim is prompted to download a piece of malware that simultaneously installs the legitimate Microsoft Teams program on his computer, so that he does not suspect anything.

Behind the detection of this campaign, Microsoft reports that those attacker activities are growing increasingly varied. They use basic software for stealing sensitive information (passwords, payment cards, etc.), ransomware but also more elaborate programs such as the Cobalt Strike attack framework. The latter allow attackers to perform lateral movements that open the door to in-depth attacks within information systems.

Finally, these diversified means lead to damages of varying degrees, allow attackers to permanently compromise organizations (industrial espionage, destruction, etc.) but are still followed by ransomware. It shows that this method is unfortunately still among the most profitable.


Microsoft recommends the usual protection methods, such as the use of a web browsers that can filter and block malicious websites (hosting malware, scams, etc.), as well as applying the best practices that can be found in the French National Cybersecurity Agency (ANSSI) computer security hygiene guide: limiting administrative rights on workstations, imposing high complexity for administration passwords, etc.

Some others protections can be put in place, especially from cloud technologies: heuristic blocking of executables that have never been seen or do not have a good reputation.

Finally, blocking executables downloading from JavaScript and VBScript code can also be an effective additional protection.



Attack: Cybercriminals exploit the U.S. election results uncertainties to deliver the banking Trojan QBot
Method: Malspam Campaign
Target: U.S. voters
Publication date: 11/04/2020
Description: In the midst of the COVID-19 pandemic, an increase in absentee voting has been noticed during these elections. Cybercriminals took advantage of voters’ doubts about the voting process to deliver malicious zip attachments spread QBot. Victims were encouraged to open an Excel file named “Electoral Interference” to give their opinions. Once enabled and approved, the fraudulent DocuSign file downloads a malicious payload onto the machine to steal data and retrieve e-mails addresses that will later be used as part of others malspam campaigns.


Attack: Cybercriminals threaten their targets with false claims of employment termination to install the Bazaar and Buer loaders
Method: Spear-phishing campaign
Target: Private sector employees
Publication date: 11/09/2020
Description: The fraudulent e-mails impersonate managers within the targeted companies to trick their victims into believing they have been laid off due to the financial impact of the COVID-19 pandemic. They are then encouraged to access a web page that invites them to download a document. When done, the Buer or Bazaar loaders are installed on the targeted device, allowing cybercriminals to deploy additional malware and exfiltrate sensitive data.


Attack: Pharmaceutical firm Miltenyi Biotec hit by Mount Locker ransomware
Method: Data disclosure and IT systems paralysis
Target: Miltenyi Biotec’s information systems
Publication date: 11/13/2020
Description: Involved in the search for a vaccine against COVID-19, Miltenyi Biotec announced it fell victim to a ransomware affecting its computer system and its order processing last month. After claiming the attack, the group behind the ransomware have leaked 5% of the 150 GB of stolen data on their data leak website. The biomedical research company did not indicate the amount of the ransom but announced that it had taken all the necessary measures since then.


Attack: The Australian Cybersecurity Centre (ACSC) warns of rising cybercrime activity targeting the healthcare sector and distributing the Remote Access Tool (RAT) SDBBot
Method: Currently unknown
Target: Healthcare entities in Australia
Publication date: 11/12/2020
Description: Once installed on the victim’s device, SDBBot allows cybercriminals to move laterally within the infected system to exfiltrate sensitive or confidential data to a command and control (C2) server. It is also used to deliver other malware or ransomware such as Clop. SDBBot is mainly operated by the cybercriminal group TA505, whose motives have been essentially lucrative as of yet.


Attack: Microsoft accuses Russian and North Korean cybercriminals of targeting pharmaceutical companies involved in the search for a vaccine against COVID-19
Method: Brute force/Phishing/Spear-phishing
Target: Pharmaceuticals companies in France, India, South Korea, Canada and the United States
Publication date: 11/13/2020
Description: According to Microsoft, three groups of cybercriminals recently targeted seven firms: the North Koreans Cerium and Zinc (also called Lazarus) and the Russian group Strontium (also called Fancy Bear). In order to obtain login credentials of the targeted organizations, Strontium reportedly conducts brute force attacks when the North Korean groups carry out phishing and spear-phishing campaigns exploiting, among other things, COVID-19-themed lures.



Attack: In the United Stated, cybercriminals claim to be distributing new financial aid during the COVID-19 pandemic to steal information from their victims
Method: Phishing campaign
Surface/Application: Text message
Publication date: 11/04/2020
Description: In a press release, the Internal Revenue Service (IRS) and state tax agencies urged taxpayers receiving financial assistance from the IRS to be wary of new phishing campaigns. Cybercriminals are exploiting this financial assistance to encourage victims to make a payment on a fraudulent website that impersonates the one. Finally, the IRS has also reiterated that it does not send unsolicited text messages or e-mails.


Attack: The British government collaborates with Social Medias to counter disinformation about COVID-19 vaccines
Method: Disinformation
Surface/Application: Social Media
Publication date: 11/08/2020
Description: Under this agreement, Twitter, Google and Facebook have committed to address contents reported by the government more quickly and to prevent further diffusion. They also agreed to work more closely with public health agencies to promote factual information about the safety and quality of vaccines in development.


Other News

Country: France
Subject:  “Raw” results number underestimated due to a failure in the reporting of COVID-19 screening test data
Publication date: 11/05/2020
Description: More than 300,000 tests, positive or negative, could not be transmitted to Santé Publique France (SPN) during a daily count. These counts, which are carried out every Wednesday, did not show the right figures for the weeks of October 19 and 26, 2020 due to technical problems related to the volume of tests. All the results would have been found and integrated into the system during the 2nd week. SPN finally reported a minimal and unconsolidated positive case figure.


Country: France
Subject: At a Senate hearing, Guillaume Poupard, Director General of the French National Cybersecurity Agency (ANSSI), gave an overview on the IT threat landscape in France
Publication date: 11/04/2020
Description: Among the topics discussed, Mr. Poupard stated that the COVID-19 pandemic did not have a significant impact on the increase of IT security threats. According to him, we mainly observed opportunist activities of small online scammers that temporarily switched to the exploitation of COVID-19-themed lures. However, he pointed out that the widespread use of teleworking increased the risk of breaches in information systems.


Country: Spain
Subject: A vulnerability in the Radar COVID contact tracing application could lead to the identification of COVID-19 positive users
Publication date: 11/13/2020
Description: This vulnerability has been caused by the fact that connections from the application to the server are only made by COVID-19 positive users. As a result, a third party capable of monitoring the traffic between the application and the server (VPN, ISP, mobile operator) or any observer with access to the same network (public Wi-Fi for example) could identify them. This vulnerability has since been corrected by injecting dummy traffic generated by all users of the application.


Country: United States
Subject: The Federal Trade Commission (FTC) requires enhancements to Zoom videoconferencing application following charges of poor security
Publication date: 11/09/2020
Description: The FTC announced that a settlement with Zoom requires the company to implement a more robust information security program. The agreement comes after a complaint by the Commission stating, among other things, that Zoom misled its users by claiming to use 256-bit AES encryption to secure video calls and communications. As a result, Zoom has been forced to establish a more comprehensive security program to protect its customer’s base.


Country: United States
Subject: Delaware Division of Public Health announced that COVID-19 test results of several thousand patients has been leaked
Publication date: 11/15/2020
Description: The leak originated from a temporary staff member who mistakenly sent e-mails containing the test results of nearly 10,000 people to an unauthorized person. The latter immediately notified the health agency and claimed to have deleted all e-mails and attachments that contained the patients’ names, dates of birth and phone numbers.


Country: Philippines
Subject: Two vulnerabilities discovered on a platform used by frontline healthcare workers to identify cases of COVID-19
Publication date: 11/10/2020
Description: Last August, Citizenlab researchers uncovered two vulnerabilities in the COVID-KAYA platform’s Web and Android applications. The vulnerability in the Web application allowed the names and locations of healthcare providers to be exposed. The vulnerability on the Android application, which included a hardcoded credential, allowed access to its internal APIs Patches have been implemented and the application has been updated on October 27.