COVID-19: CYBERSECURITY WATCH #25 – December 3, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert service tracking the impact and consequences of COVID-19 on cybersecurity. This watch, which may be shared freely, aims to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools needed to understand and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

To better understand the threats, each week we will also present a “threat focus” on one of the reported attacks, with a detailed description of its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” covers malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructure;
  • “Fraud” covers scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” gathers miscellaneous information such as government measures taken in the area of cybersecurity.

 

Threats

Attack: North Korean cybercriminals have reportedly targeted the British drugmaker AstraZeneca, which is involved in the development of a COVID-19 vaccine
Method: Spear-phishing campaign
Target: AstraZeneca laboratory
Publication date: 11/27/2020
Description: Two anonymous sources told Reuters that a significant number of the firm’s employees had been approached on WhatsApp and LinkedIn by fake recruiters with bogus job offers. The targets were invited to download a document supposedly describing the position; it actually carried a malicious payload designed to take control of the recipient’s device.
Link(s):
https://www.reuters.com/article/us-healthcare-coronavirus-astrazeneca-no/exclusive-suspected-north-korean-hackers-targeted-covid-vaccine-maker-astrazeneca-sources-idUSKBN2871A2

 

Attack: Baltimore County Public Schools hit by a ransomware attack that paralyzed the virtual learning platforms set up during the COVID-19 pandemic
Method: Ransomware
Target: School IT systems
Publication date: 11/26/2020
Description: With teaching increasingly conducted online, the district’s network was hit by ransomware. The resulting network outage prevented the 115,000 affected students from attending their virtual classes. Few details have been disclosed, but teachers at one affected school reported that their files had been encrypted with the .ryuk extension.
Link(s):
https://www.govinfosecurity.com/ransomware-attack-targets-baltimore-county-public-schools-a-15467

 

Fraud

Attack: Cybercriminals sent fake invoices to French healthcare institutions to steal money
Method: Phishing campaign
Surface/Application: E-mails
Publication date: 11/24/2020
Description: Cybercriminals sent fake invoices for the “Office Pro 365” office suite to several healthcare facilities in an attempt to get their victims to click on a fraudulent download link. To make the invoices credible, they presented them as renewals of Microsoft Office licences. A notice reading “payment within 14 days” pressed victims to pay quickly to an IBAN belonging to a bank account in Bulgaria.
Link(s):
https://www.cyberveille-sante.gouv.fr/index.php/cyberveille-sante/2215-factures-frauduleuses-concernant-des-licences-de-produits-microsoft-2020-11

 

Attack: A phishing campaign uses fake COVID-19 information to steal corporate login credentials
Method: Phishing campaign
Surface/Application: E-mails
Publication date: 11/19/2020
Description: Cybercriminals pose as Microsoft, claiming to forward an update to the victim’s company medical leave policy. By spoofing SharePoint notifications, they lure victims into clicking a fraudulent link that leads to a fake Microsoft login page. Once the credentials have been entered, victims are redirected to a page containing COVID-19 documentation so that they do not suspect anything.
Link(s):
https://cofense.com/threat-actor-utilizes-covid-19-uncertainty-to-target-users/

 

Attack: Personal data of 16 million Brazilian COVID-19 patients exposed
Method: Data Leak
Surface/Application: GitHub
Publication date: 11/26/2020
Description: The leak originated with an employee of the Albert Einstein Hospital in São Paulo, who uploaded to his personal GitHub account a spreadsheet containing identities, passwords and other sensitive data relating to 16 million Brazilian COVID-19 patients. The spreadsheet also held credentials for two government databases, E-SUS-VE and Sivep-Gripe, which store information on COVID-19 patients and track hospitalized cases. It was removed shortly after the leak was discovered.
Link(s):
https://www.zdnet.com/article/personal-data-of-16-million-brazilian-covid-19-patients-exposed-online/  
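The incident above is the classic pattern of a credentials-laden spreadsheet reaching a public repository. As an added example (not part of the CERT-DS bulletin, nor code from the hospital, ZDNet or GitHub), here is a small Python pre-commit check that flags credential-like cells in a CSV export before it is pushed. The column names, regular expressions, entropy threshold and the sample rows are constructed assumptions for illustration.

```python
"""Pre-commit credential scanner for CSV/spreadsheet exports (added example).

Flags cells that look like they carry secrets before a file reaches a public
repository: columns with password-like headers, URLs with embedded
credentials, and long high-entropy tokens (keys, API tokens).
"""
import csv
import io
import math
import re
import sys
from collections import Counter
from typing import Dict, List

# Column headers that usually hold secrets (assumed list; extend as needed).
SECRET_HEADERS = {"password", "passwd", "pwd", "senha", "token", "api_key", "secret"}

# URL carrying userinfo, e.g. https://user:pass@host/path
URL_CREDS_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE)

# Long runs of base64/hex-like characters that may be keys or tokens.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9+/=_-]{20,}\b")

# Constructed sample export (hosts and values are invented, not real data).
SAMPLE_CSV = (
    "system,url,username,password,notes\n"
    "lab-db,https://db.example.invalid,analyst1,Tr0ub4dor&3,nightly export\n"
    "api,https://svc:S3cretP4ss@api.example.invalid/v1,,,\n"
    "report,https://reports.example.invalid,,,key 9f8d2c1b7a6e5d4c3b2a1f0e9d8c7b6a\n"
    "patients,,,,exported 2020-11-26\n"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_csv(text: str, entropy_threshold: float = 3.5) -> List[Dict[str, object]]:
    """Return one finding per suspicious cell: {row, column, kind, value}.

    Row numbers are 1-based file line numbers; line 1 is the header.
    """
    findings: List[Dict[str, object]] = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):
        for col, val in row.items():
            if not val:
                continue
            if col and col.strip().lower() in SECRET_HEADERS:
                findings.append({"row": row_no, "column": col, "kind": "secret-header", "value": val})
            elif URL_CREDS_RE.search(val):
                findings.append({"row": row_no, "column": col, "kind": "url-credentials", "value": val})
            else:
                for tok in TOKEN_RE.findall(val):
                    if shannon_entropy(tok) >= entropy_threshold:
                        findings.append({"row": row_no, "column": col, "kind": "high-entropy", "value": tok})
    return findings


def files_are_clean(paths: List[str]) -> bool:
    """Scan each file; print findings and return False if any were found."""
    clean = True
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_csv(fh.read()):
                clean = False
                print(f"{path}:{f['row']} [{f['kind']}] column '{f['column']}': {f['value']}")
    return clean


if __name__ == "__main__":
    # Usage as a git pre-commit hook: python scan_secrets.py $(git diff --cached --name-only -- '*.csv')
    targets = sys.argv[1:]
    if targets:
        sys.exit(0 if files_are_clean(targets) else 1)
    for f in scan_csv(SAMPLE_CSV):
        print(f)
```

Run with no arguments it scans the constructed sample and reports three findings (a password cell, a URL with embedded credentials, and a 32-character hex key in a free-text column); wired into a pre-commit hook it blocks the commit with exit status 1. Expect false positives on legitimate long identifiers and tune `SECRET_HEADERS` and the entropy threshold to the data; tools such as gitleaks, truffleHog or GitHub’s own secret scanning cover the same ground with far richer rule sets, but a check like this one catches the spreadsheet-of-passwords case before the push rather than after.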

 

Attack: Cybercriminals impersonate U.S. government agencies claiming to provide financial assistance during the COVID-19 pandemic
Method: Phishing Campaigns/Personal Data Collection
Surface/Application: E-mails
Publication date: 11/24/2020
Description: The first campaign imitates the U.S. federal government and promises $5,800 in aid to convince targets to fill out a form with their personal data, which could then be used to impersonate them. The second mimics the unemployment assistance program and redirects victims to a fraudulent website where they are asked to log into their personal accounts. The harvested credentials could then be used in credential stuffing attacks.
Link(s):
https://www.bleepingcomputer.com/news/security/crooks-impersonate-us-govt-agencies-offering-financial-aid/

 

Useful resources

Type of resources: Google Cloud enhances its COVID-19 pandemic forecasting platform and adds a “Japan” dashboard
Target: General Public, public and private entities
Publication date: 11/17/2020
Description: Launched in August 2020 in partnership with the Harvard Global Health Institute, this platform relies on data from Johns Hopkins University and the COVID Tracking Project and uses machine learning to project the course of the pandemic in the United States. This update introduces the ability to customize the projections, extends their horizon to 28 days, and adds an uncertainty index as well as a dedicated dashboard for Japan.
Link(s):
https://cloud.google.com/blog/products/ai-machine-learning/google-and-harvard-improve-covid-19-forecasts
https://datastudio.google.com/reporting/8224d512-a76e-4d38-91c1-935ba119eb8f/page/GfZpB

 

Type of resources: Harvard University’s Global Health Institute offers a new toolkit for building COVID-19 communication campaigns
Target: Public administration/Health institutions
Publication date: 11/20/2020
Description: Created in collaboration with other universities and foundations, this toolkit offers guidelines and recommendations for running a COVID-19 communication and awareness campaign, together with a wide range of customizable infographics and messages suited in particular to distribution on social media.
Link(s):
https://globalhealth.harvard.edu/covid-19-testing-communications-and-community-engagement-toolkit/
https://www.covidtestingtoolkit.org/

 

Other News

Country: Germany
Subject: A security vulnerability has been found in the server infrastructure of the Corona-Warn-App (CWA) contact tracing application
Publication date: 11/19/2020
Description: Researchers at the GitHub Security Lab (GHSL) discovered a pre-authentication remote code execution (RCE) flaw, i.e. one allowing arbitrary code to be run without authenticating, in the server infrastructure supporting CWA for Android and iOS. The researchers noted that the mobile applications themselves were not affected. GHSL reported the flaw to SAP, which developed the application, and a fix was deployed.
Link(s):
https://securitylab.github.com/research/securing-the-fight-against-covid19-through-oss

 

Country: International
Subject: Cisco fixes a Webex vulnerability that allowed an attacker to slip into private meetings unnoticed
Publication date: 11/18/2020
Description: The vulnerability stems from improper handling of authentication tokens in Cisco Webex Meetings and Cisco Webex Meetings Server. An attacker could join a meeting without appearing in the attendee list while still having access to features such as audio and screen sharing. Cisco has addressed the issue through software updates on cloud-based Cisco Webex Meetings sites.
Link(s):
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r
https://securityintelligence.com/posts/ibm-works-with-cisco-exorcise-ghosts-webex-meetings/

 

Country: Australia
Subject: A new communication protocol for the COVIDSafe contact tracing application
Publication date: 11/29/2020
Description: The Australian application has received a series of improvements: since its launch on April 26, 14 updates have been released, the latest adopting the Herald Bluetooth protocol, developed as open source within the Linux Foundation Public Health initiative since July 2020. The protocol is designed to improve Bluetooth communication between devices, and therefore the detection of close contacts, and to improve the application’s performance when running in the background, especially on iOS devices.
Link(s):
https://www.dta.gov.au/news/covidsafe-captures-close-contacts-new-herald-protocol

 

Country: International
Subject: Interpol warns its member countries of the organized crime threat to COVID-19 vaccines
Publication date: 12/02/2020
Description: As several vaccines near the end of their development, Interpol stresses the need for strong coordination between its members to counter criminals who will seize the opportunity to run scams. The main risk lies in the sale of counterfeit vaccines, both physically and online, especially once international travel resumes and proof of COVID-19 vaccination is likely to be required.
Link(s):
https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-warns-of-organized-crime-threat-to-COVID-19-vaccines