COVID-19: CYBERSECURITY WATCH #26 – December 17, 2020

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert service covering the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which may be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we also provide a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on the Zebrocy malware

Attack: Cybercriminals exploit COVID-19 vaccine lures to deliver the Go version of the Zebrocy malware
Method: Spear-phishing campaigns
Target: Governments and commercial organizations involved in foreign affairs
Publication date: 12/09/2020
Link(s):
https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/

Description

The Sofacy attacker group, also known as Sednit, APT28, Fancy Bear or STRONTIUM, is taking advantage of the COVID-19 vaccine-related announcements to spread a new release of the Zebrocy malware.

Zebrocy was first used in 2015. It can retrieve all kinds of information about the infected host and send it to a command and control server.

This malware has never really evolved: its developers have chosen to re-implement it in different programming languages rather than to extend its features.

Modus operandi

Today, a Go version of the malware is distributed through spear-phishing (targeted phishing combined with social engineering).

Victims receive an e-mail with a virtual hard drive attachment, which can only be opened natively on Windows 10. Once mounted, the victim sees that it contains a PDF file as well as a file that appears to be a Word document.

The PDF file is a legitimate presentation of Sinopharm International Corporation, a Chinese pharmaceutical manufacturer and one of the companies in the race to develop a COVID-19 vaccine.

The second file is an executable masquerading as a Microsoft Word document. On November 30, only nine of the seventy antivirus engines listed on VirusTotal detected it. This malware retrieves the host name and the path to the user’s TEMP folder to generate a unique identifier. It also takes screenshots. Everything is then sent to a command and control server. If the server responds, the malware is written to disk and executed to collect further information, such as running processes, local disk details or system information.

Recommendations

Phishing attacks remain effective despite having been used for a long time. Employers should ensure that their employees are trained to detect and respond to phishing attempts.

To this end, training sessions with simulated phishing scenarios can be set up. In order to make these awareness campaigns more effective and realistic, companies need to keep up to date with current phishing trends. In addition, anti-spam filters can be deployed to limit the number of phishing e-mails received.

Indicators of Compromise (IOCs) are listed in the Intezer article cited above.


Threats

Attack: North Korean cybercriminals have reportedly targeted several organizations involved in the development of COVID-19 vaccines to steal confidential information
Method: Phishing/spear-phishing campaigns
Target: Johnson & Johnson, Novavax, AstraZeneca, Genexine, Shin Poong Pharmaceutical, Celltrion, Boryung Pharma, Beth Israel Deaconess Medical Center, University of Tuebingen
Publication date: 12/02/2020
Description: This campaign is believed to have started in September 2020 and relies on fraudulent websites designed to steal login credentials of employees working in the targeted organizations. The attack against AstraZeneca, reported in a previous newsletter, is also reported to be part of this broader operation, which echoes Microsoft’s alert issued on November 13. So far, there is no evidence to determine whether these attacks have been successful.
Link(s):
https://www.reuters.com/article/healthcoronarivus-north-korea-cyber/north-korea-linked-hackers-targetd-jj-novavax-in-hunt-for-covid-research-idUSL8N2IH4KJ
https://www.wsj.com/articles/north-korean-hackers-are-said-to-have-targeted-companies-working-on-covid-19-vaccines-11606895026


Attack: Cybercriminals target cold chain organizations involved in the storage and transport of COVID-19 vaccines to steal credentials
Method: Spear-phishing campaign
Target: European and worldwide administrative entities, energy and IT sectors
Publication date: 12/03/2020
Description: Cybercriminals have impersonated an executive of Haier Biomedical, a Chinese company that is a member of the Cold Chain Equipment Optimization Platform program (CCEOP), to send fake e-mail requests for quotations related to CCEOP participation. Recipients were encouraged to open the malicious HTML attachments and to enter their login information. IBM’s analysis does not indicate whether the campaign was successful, but such credentials could give cybercriminals wider access to vaccine transport logistics.
Link(s):
https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/
https://us-cert.cisa.gov/ncas/current-activity/2020/12/03/ibm-releases-report-cyber-actors-targeting-covid-19-vaccine-supply


Attack: A cyberattack on the European Medicines Agency (EMA) allowed cybercriminals to access regulatory documents on the Pfizer/BioNTech vaccine
Method: Currently unknown
Target: The EMA servers
Publication date: 12/09/2020
Description: The EMA stated that the cybercriminals only accessed a limited number of documents and that its activities related to vaccine approval in the European Union had not been affected. The German firm BioNTech said that its information system and that of the U.S. laboratory Pfizer were not compromised by the attack, since the documents in question were stored on the EMA servers.
Link(s):
https://www.ema.europa.eu/en/news/cyberattack-ema-update-1
https://www.bbc.com/news/technology-55249353


Attack: Cybercriminals mimic French government text message encouraging people to download the contact tracing application TousAntiCovid to distribute the Alien malware
Method: Phishing campaign
Target: General public in France
Publication date: 12/04/2020
Description: This text message is an exact copy of the official message, except that it contains a Bitly link to a fraudulent web page. The latter accurately mimics the official site to convince victims to download an APK file that installs a malicious application on their phone. This is the Alien trojan, which allows cybercriminals to steal other applications’ credentials and record all of the phone’s actions before sending the information to a central server. The fraudulent website has since been shut down.
Link(s):
https://cyberguerre.numerama.com/9188-des-hackers-imitent-le-sms-tousanticovid-du-gouvernement-pour-diffuser-un-dangereux-malware.html
https://www.leparisien.fr/high-tech/tousanticovid-alerte-aux-faux-sms-officiels-qui-installent-un-virus-devastateur-04-12-2020-8412449.php


Frauds

Attack: Cybercriminals exploit COVID-19 vaccination as a lure to steal credentials
Method: Phishing campaign
Surface/Application: E-mails
Publication date: 12/09/2020
Description: Cybercriminals are relying on the high demand for vaccination and the gradual depletion of stocks across the world to offer their victims supposedly easy access to a vaccine. Victims are encouraged to click on a fraudulent link leading to a fake login page, then to create a personal account and enter their credentials.
Link(s):
https://blog.knowbe4.com/theyre-here-covid-19-vaccine-phishes-finally-arrive


Attack: Fake COVID-19 vaccines sold on the darknet
Method: Scam
Surface/Application: Darknet
Publication date: 12/04/2020
Description: These fake vaccines, sold for 1,300 dollars apiece, are presented as having been developed by Pfizer and BioNTech. The listings also state that payment can be made in Bitcoin and that deliveries are international. While the announcement of the first vaccinations around the world is generating strong public interest, Europol issued an early warning notification stressing the importance of remaining vigilant against cybercriminals who exploit this topic through phishing and disinformation campaigns.
Link(s):
https://www.vice.com/en/article/akdkkg/darknet-drug-dealers-are-now-selling-pfizer-covid-vaccines
https://blog.checkpoint.com/2020/12/11/covid-19-vaccines-touted-for-just-250-on-darknet/
https://www.europol.europa.eu/publications-documents/early-warning-notification-vaccine-related-crime-during-covid-19-pandemic


Attack: Cybercriminals claim to provide financial assistance during the COVID-19 pandemic to steal American citizens’ personal information
Method: Phishing campaign
Surface/Application: E-mails
Publication date: 12/03/2020
Description: The fraudulent e-mails redirect to a Web page imitating a U.S. federal government website that offers to fill out a form to apply for a $5,800 grant distributed during the COVID-19 pandemic. Victims are asked to fill it out using personal information (social security number, address, date of birth, etc.) that could be exploited by cybercriminals to steal their identity and carry out new attacks.
Link(s):
https://cofense.com/emergency-financial-aid-phish/


Useful resources


Type of resources: Interactive quiz to spot scam messages and raise public awareness
Target: General public
Publication date: June 2020
Description: In reaction to the increase in cybercriminal activity exploiting the COVID-19 pandemic to steal personal or confidential information, the Australian Cyber Security Centre (ACSC) has created a quiz to practice detecting fraudulent messages and phishing campaigns. It offers four scenarios, including one using COVID-19 lures.
Link(s):
https://www.cyber.gov.au/acsc/view-all-content/programs/stay-smart-online/scam-messages


Type of resources: Lists of domain and subdomain names with the word COVID registered since the beginning of the pandemic
Target: Cybersecurity professionals
Publication date: 12/07/2020
Description: The ethical hacker SaxX has published on GitHub a list of nearly 500,000 domain and subdomain names registered worldwide since the beginning of the pandemic, including nearly 4,000 in France. Some of these domains are intended for use in phishing campaigns.
Link(s):
https://gist.github.com/S42X/6a74730a16d4b6169b9998925b640956


Other News

Country: Brazil
Subject: The Brazilian Ministry of Health database exposed online
Publication date: 12/03/2020
Description: For six months, the data of 243 million Brazilians were exposed because the password to the government web portal “e-SUS Notifica” was stored in the site’s source code. The data include personal information such as names, addresses and medical records. Journalists stated that the password was merely Base64-encoded and was therefore easily recoverable. The login information has since been removed from the site’s source code.
Link(s):
https://www.zdnet.com/article/data-of-243-million-brazilians-exposed-online-via-website-source-code/
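The weakness in this item is that Base64 is an encoding, not encryption, so a credential hidden this way is readable by anyone who views the page source. The following added example (not from the newsletter, the ZDNet article, or the e-SUS Notifica site) is a small check a reviewer can run over page source to flag Base64 tokens that decode to credential-like text; the HTML sample and the credential it contains are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample page source (not the real e-SUS Notifica code): a script
# shipping an "obfuscated" API login next to a Base64-encoded image. The
# credential is invented for this example.
SAMPLE_SOURCE = """
<script>
  var apiBase = "https://portal.example.invalid/api";
  // Base64 is an encoding, not encryption: anyone can decode this
  var auth = "c3ZjLXVzZXI6RXhhbXBsZVBhc3N3MHJkIQ==";
  var logo = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";
</script>
"""

# Runs of Base64 alphabet long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Decoded text that looks like a credential: secret-related keywords or a
# "user:password" pair (the form used for HTTP Basic authentication).
CREDENTIAL_HINTS = re.compile(
    r"password|passwd|pwd|senha|secret|token|api[_-]?key|^[^:\s]{1,64}:\S{4,}$",
    re.IGNORECASE,
)

def decode_candidate(token):
    """Return the token's decoded text, or None if it is not printable UTF-8."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def find_encoded_credentials(source):
    """Scan page source for Base64 tokens that decode to credential-like text."""
    findings = []
    for match in B64_TOKEN.finditer(source):
        text = decode_candidate(match.group(0))
        if text is None or not CREDENTIAL_HINTS.search(text):
            continue  # binary data (images, fonts) or harmless text
        line_no = source.count("\n", 0, match.start()) + 1
        findings.append({"line": line_no, "decoded": text})
    return findings

if __name__ == "__main__":
    # Report the location of each finding, not the secret itself.
    for f in find_encoded_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: Base64-encoded credential ({len(f['decoded'])} chars)")
```

The image blob is skipped because it does not decode to printable UTF-8, while the login string is reported by line number only, so the report itself does not spread the secret further.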


Country: International
Subject: Facebook strengthens its efforts to counter disinformation about COVID-19 vaccines
Publication date: 12/03/2020
Description: On its page dedicated to countering disinformation about COVID-19, the firm announced that it will begin to remove content with false information about COVID-19 vaccines from Facebook and Instagram social networks. This includes disinformation about their safety and effectiveness and the circulation of conspiracy theories. Facebook said it would also continue to update its information center on COVID-19.
Link(s):
https://about.fb.com/news/2020/12/coronavirus/#removing-covid-vaccine-misinformation
https://www.facebook.com/coronavirus_info/


Country: France
Subject: PredictEst, a solution based on artificial intelligence and epidemiological modeling able to predict the epidemic progression
Publication date: 12/04/2020
Description: The Grand Est Region, the Eurometropolis of Strasbourg, the IHU of Strasbourg and PRIeSM (Regional Platform for Innovation in Shared e-Health) have jointly developed a digital decision-support tool for managing the easing of lockdown on a regional scale. Fed with official statistical data, PredictEst makes it possible to predict potential rebounds of the pandemic and to anticipate the emergence of clusters, using indicators such as the volume of screening tests carried out.
Link(s):
https://www.ticsante.com/story/5461/covid-19-lancement-de-l-outil-predictest-pour-la-modelisation-et-l-aide-a-la-decision-dans-le-grand-est.html
https://www.grandest.fr/predictest-un-outil-pour-predire-levolution-de-lepidemie/


Country: France
Subject: The French Data Protection Authority (CNIL) authorizes the first three Health Data Hub projects to access the medical data needed for their launch
Publication date: 11/27/2020
Description: CoviSAS will use health insurance data to identify combinations of pathologies leading to the development of a severe form of COVID-19 among patients suffering from sleep apnea. Frog Covid aims to identify the factors leading to the development of a severe form of the disease in order to define profiles of high-risk patients. Finally, CoData will study the impact the pandemic will have on the treatment of breast cancer patients.
Link(s):
https://www.health-data-hub.fr/actualites/lutte-contre-la-covid-19-3-projets-soutenus-par-le-hdh-vont-pouvoir-debuter


Country: France
Subject: Evolution of distance and contact duration criteria in the TousAntiCovid contact tracing application
Publication date: 11/28/2020
Description: Until now, the application considered as contact cases people who stayed more than 15 minutes within 1 meter of another person who has tested positive for COVID-19. From now on, TousAntiCovid will also take into account contacts of 5 minutes within 1 meter and contacts of 15 minutes at between 1 and 2 meters. These changes allow the application to cover more risk situations.
Link(s):
https://www.legifrance.gouv.fr/download/pdf?id=crCV8B7_S7hCRhA-RAHdv8-iqmYsnm7jq9JvNFwPQos=


Country: Canada
Subject: Some COVID-19 contact cases were not alerted due to a glitch in the federal contact tracing application COVID Alert
Publication date: 12/04/2020
Description: This glitch affected the exposure checks that the central server automatically conducts with the users’ smartphones several times a day to see if they have been in contact with known cases of COVID-19. These checks did not work between November 9 and November 23 for an undetermined number of users. A corrective update has since been deployed.
Link(s):
https://www.cbc.ca/news/technology/covid-app-alert-vulnerability-1.5826808