COVID-19: CYBERSECURITY WATCH #27 – January 8, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert system covering the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we also provide a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on wAgent and Bookcode malwares used by the Lazarus group

Attack: Kaspersky identifies Lazarus as one of the groups that carried out cyberattacks on pharmaceutical companies involved in the development of vaccines against COVID-19
Method: Currently unknown
Target: A government health ministry and an undisclosed pharmaceutical company
Publication date: 12/23/2020
Link(s):
https://securelist.com/lazarus-covets-covid-19-related-intelligence/

Description

While the vaccination campaign against COVID-19 has begun around the world, cyberattacks are now targeting pharmaceutical companies and health-related government entities, in an effort to access the results of scientific research on the development of the various COVID-19 vaccines. Securelist.com reports two cyberattacks, one against a government health ministry and one against a pharmaceutical company involved in COVID-19 research.

Although the two cyberattacks use different tactics, techniques and procedures (TTPs), researchers have found connections between them, and some evidence seems to point at the Lazarus cybercriminal group. In recent years, several cyberattacks have been attributed to this group, which appears to be located in North Korea. The U.S. Federal Bureau of Investigation (FBI) describes the Lazarus group as a North Korean “state-sponsored hacking organization”.

The attribution of these attacks to Lazarus also appears to be consistent with information reported by Reuters and relayed in our previous newsletter, according to which North Korean cybercrime groups are behind cyberattack campaigns targeting organizations involved in the development of vaccines against COVID-19.

Modus operandi

To date, the infection vector used by the attackers to infiltrate the health ministry in charge of the fight against COVID-19 is still unknown. However, the malware that was deployed is known as wAgent. This malware masquerades as common and legitimate software such as XZ Utils, a data compression utility. wAgent evades security solutions while it is temporarily stored on the victim’s hard drive because its payloads are encrypted on disk by default and are only decrypted in memory at runtime.

Once the payload is decrypted in memory, contact is established with the command and control (C2) servers, allowing the attackers to execute commands on the victim’s machine. The malware has been found to use the registry to establish persistence on the system. Finally, wAgent targets the native Windows process “svchost.exe” and performs a DLL injection into this process in order to run unnoticed.

The analysis of the cyberattack against the pharmaceutical company also failed to identify the initial infection vector. In this case, however, the Bookcode malware was distributed. This malware has already been used several times in the past, with different infection vectors such as spear-phishing, supply-chain compromise and strategic web compromise (especially in South Korea). The modus operandi of the Bookcode malware is similar to that of wAgent explained above.
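Two of the wAgent behaviours described above, registry-based persistence and DLL injection into svchost.exe, leave traces in endpoint telemetry. The following detection logic is an added example written for this newsletter, not code from Kaspersky or CERT-DS; it assumes Sysmon-style event records (Event ID 13 for registry value writes, Event ID 8 for CreateRemoteThread), takes the Run/RunOnce keys as the persistence location (the report only says “the registry”), and uses a constructed allowlist of trusted source images.

```python
from collections import namedtuple

# Assumed persistence location: the Run/RunOnce keys (the newsletter only says
# "the registry"); other autostart locations can be added to this tuple.
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\runonce")
# Assumed allowlist: only images under System32 may open threads in svchost.exe.
TRUSTED_PREFIX = "c:\\windows\\system32\\"

Alert = namedtuple("Alert", "rule source detail")

def detect_registry_persistence(event):
    """Sysmon Event ID 13 (registry value set) whose target lies under a Run key."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "").lower()
    if any(key in target for key in RUN_KEYS):
        return Alert("registry-run-key-persistence", event.get("Image", ""), target)
    return None

def detect_svchost_injection(event):
    """Sysmon Event ID 8 (CreateRemoteThread) into svchost.exe from an untrusted image."""
    if event.get("EventID") != 8:
        return None
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    if target.endswith("\\svchost.exe") and not source.startswith(TRUSTED_PREFIX):
        return Alert("remote-thread-into-svchost", source, target)
    return None

def scan(events):
    """Apply both rules to every event and return the alerts raised, in order."""
    alerts = []
    for event in events:
        for rule in (detect_registry_persistence, detect_svchost_injection):
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts

# Constructed sample telemetry for the demo; these are not real wAgent indicators.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\xz-utils.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\xz"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\xz-utils.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\services.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},  # benign: trusted source
]
```

A path-prefix allowlist is only a starting point; in production, key the svchost rule on signer and parent process as well, since a trusted directory does not guarantee a trusted image.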

Recommendations

Even though the infection vector was not clearly identified, Lazarus is known to distribute malware through spear-phishing campaigns. Phishing attacks remain effective despite being a common and long-standing infection vector. Consequently, employers should ensure that their employees are trained to detect and respond to phishing attempts.

Attacks using the supply chain as an infection vector are increasingly prevalent throughout the world, as evidenced by the recent SolarWinds breach. In light of this, it is also recommended to carefully verify the integrity of the updates provided by software publishers before deploying them.

The Indicators of Compromise (IoCs) are listed in the Securelist article cited above.

 

Threats

Attack: A ransomware cyberattack targets a private laboratory involved in the COVID-19 testing campaign in Belgium
Method: Currently unknown
Target: Algemeen Medisch Laboratorium (AML) in Antwerp
Publication date: 12/29/2020
Description: Cybercriminals have managed to block access to the laboratory’s website and are demanding a ransom to restore it. As a precautionary measure, the affected network was disconnected and an investigation was launched to determine the extent of the compromise. However, the laboratory’s IT manager has stated that there is no evidence indicating that patients’ personal and medical data has been stolen.
Link(s):
https://www.brusselstimes.com/news/belgium-all-news/147433/antwerp-laboratory-becomes-latest-victim-of-cyber-attack/
https://sonicgenetics.be/

 

Attack: Fareva, a French pharmaceutical subcontractor in charge of producing a vaccine against COVID-19, has been targeted by a cyberattack
Method: Currently unknown
Target: Fareva’s data center (Savigny-le-Temple)
Publication date: 12/19/2020
Description: Fareva’s IT teams quickly detected the cyberattack and deliberately shut down the ERP, the central system managing its information systems, halting fifteen factories. As a result, production processes such as drug traceability and batch sterilization were also suspended, because the machines were all connected to the central system. According to Fareva’s CEO, only 0.5% of the systems were compromised.
Link(s):
https://www.lesechos.fr/industrie-services/pharmacie-sante/un-fabricant-francais-de-vaccins-anti-covid-grippe-par-une-cyberattaque-1275520
https://www.lanouvellerepublique.fr/amboise/le-groupe-pharmaceutique-fareva-serait-victime-d-une-cyber-attaque

 

Attack: The National Public Health Centre of Lithuania (NVSC) has been compromised by a cyberattack, leading to the distribution of the Emotet Trojan horse.
Method: Spear-phishing
Target: The National Public Health Centre of Lithuania (NVSC) and other state institutions
Publication date: 12/30/2020
Description: The malware was distributed to various institutions through fraudulent e-mails sent by NVSC employees, containing malicious attachments in ZIP format. In order to stop its spread, the NVSC’s e-mail server has been disabled, which could, among other things, disrupt the management of information about the evolution of the COVID-19 pandemic in the country. Read our Focus on Emotet featured in a previous newsletter.
Link(s):
https://www.lrt.lt/en/news-in-english/19/1309469/lithuania-s-public-health-body-comes-under-cyber-attack

 

Attack: Confidential data stolen from the European Medicines Agency (EMA) disclosed on the darkweb
Method: Data theft
Target: EMA’s confidential data
Publication date: 12/31/2020
Description: Following the recent cyberattack on the EMA reported in a previous newsletter, Cyble researchers have found confidential documents related to the Pfizer/BioNTech vaccine on a Russian darkweb forum. The data, accessible through download links, includes assessment reports, confidential e-mails, identification information and portal links. The profile from which the data was disclosed appears to have been created solely for this purpose.
Link(s):
https://cybleinc.com/2020/12/31/documents-relating-to-covid-19-vaccine-of-european-medicines-agency-allegedly-leaked-in-darkweb/

 

Frauds

Attack: Cybercriminals pretend to offer financial aid distributed during the COVID-19 pandemic in order to steal personal information
Method: Phishing
Surface/Application: E-mails
Publication date: 12/21/2020
Description: The fraudulent e-mails impersonate the New York State Department of Labor to convince their targets to click on a link leading to a phishing page imitating an official website. Victims are then asked to fill out a form with their personal information in order to obtain a fictitious $600 financial assistance payment. Once in possession of such information, cybercriminals could steal their victims’ identity.
Link(s):
https://abnormalsecurity.com/blog/covid-19-department-of-labor-phishing/

 

Attack: Cybercriminals impersonate New Jersey’s Center for Disease Control and Prevention (CDC) to steal personal information
Method: Phishing campaign
Surface/Application: E-mails
Publication date: 12/21/2020
Description: The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) has warned citizens against active phishing campaigns using COVID-19 lures. In one campaign, cybercriminals prompt New Jersey state employees to click on a fraudulent link to confirm their vaccine use. Once the webpage is opened, victims are invited to create a profile and fill out a form with their personal information.
Link(s):
https://www.cyber.nj.gov/alerts-advisories/malicious-cyber-activity-related-to-the-covid-19-vaccine

 

Attack: Fraudulent e-mails claim their targets are the winners of a COVID-19-themed lottery to steal personal information
Method: Phishing
Surface/Application: E-mails
Publication date: December 2020
Description: Cybercriminals claim the lottery is organized by Microsoft, Nokia and the World Health Organization (WHO) to promote a communication campaign about COVID-19. Victims are invited to contact a representative and provide their personal and banking information to obtain their alleged multi-million dollar prize.
Link(s):
https://hotforsecurity.bitdefender.com/blog/feeling-lucky-this-holiday-season-covid-19-google-and-microsoft-lotteries-are-out-for-your-info-and-money-24915.html

 

Useful resources

Type of resources: WHO launches an application to provide information on the COVID-19 pandemic
Target: General public
Publication date: 12/20/2020
Description: The “WHO COVID-19 Updates” application provides the latest information on the COVID-19 pandemic and recommended hygiene behaviors. It provides local information and real-time notifications based on the user’s location, including information on the progress of vaccination campaigns. Initially available only in Nigeria, it should be progressively deployed worldwide.
Link(s):
https://www.who.int/emergencies/diseases/novel-coronavirus-2019/the-who-covid-19-app
https://play.google.com/store/apps/details?id=org.who.WHOMyHealth

 

Other News

Country: International
Subject: Atos collaborates with Eupry to offer a joint solution for monitoring compliance of COVID-19 vaccine supply
Publication date: 12/21/2020
Description: Danish start-up Eupry, which specializes in automated storage compliance, has developed connected data loggers to monitor the conditions of vaccine transport (temperature, differential pressure, etc.) along the supply chain. The automated solution combines Eupry’s data loggers with Atos’ expertise in automation and monitoring to secure the COVID-19 vaccine supply chain via a single platform.
Link(s):
https://atos.net/en/2020/press-release_2020_12_21/atos-partners-with-eupry-to-offer-a-compliance-monitoring-service-for-covid-19-vaccine-delivery

 

Country: France
Subject: The government authorizes the creation of a monitoring information system for COVID-19 vaccinations
Publication date: 12/25/2020
Description: The decree authorizing the implementation of the “Covid Vaccine” information system (SI) data processing came into force on January 4, 2020, in order to supervise vaccination campaigns. Co-managed by the General Directorate of Health and the Health Insurance fund, this automated processing will in particular allow for nationwide follow-up. In agreement with the French Data Protection Authority (CNIL), which issued its opinion before the decree’s adoption, patient data will be pseudonymized and stored in the “Covid Vaccine” IS for 10 years.
Link(s):
https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000042739429
https://www.cnil.fr/fr/la-collecte-de-donnees-dans-le-cadre-de-la-vaccination-contre-la-covid-19-quelles-garanties-pour-les

 

Country: United States
Subject: The Maryland U.S. Attorney’s Office seizes two fraudulent domain names impersonating pharmaceutical companies developing treatments for COVID-19
Publication date: 12/18/2020
Description: These two domain names mimicked the names, logos and graphics of Regeneron and Moderna and were used to steal visitors’ personal information. Cybercriminals in possession of this information could have exploited it to conduct phishing campaigns, distribute malware and impersonate their victims.
Link(s):
https://www.justice.gov/usao-md/pr/maryland-us-attorney-s-office-seizes-two-domain-names-purporting-be-websites

 

Country: United States
Subject: The FBI and the Financial Crimes Enforcement Network (FinCEN) warn of fraud and cyberattacks related to the distribution of COVID-19 vaccines
Publication date: 12/21/2020 – 12/28/2020
Description: The FBI warns the public of the increasing number of frauds exploiting COVID-19 vaccines through phishing and vishing campaigns or the sale of fraudulent products. FinCEN is calling on U.S. financial institutions to increase their vigilance to prevent these same frauds, as well as ransomware attacks on pharmaceutical companies and the vaccine supply chain.
Link(s):
https://www.fbi.gov/news/pressrel/press-releases/federal-agencies-warn-of-emerging-fraud-schemes-related-to-covid-19-vaccines
https://www.fincen.gov/news/news-releases/fincen-asks-financial-institutions-stay-alert-covid-19-vaccine-related-scams-and

 

Country: Singapore
Subject: Singapore Airlines starts testing a digital health certificate to verify the authenticity of COVID-19 tests
Publication date: 12/23/2020
Description: Passengers flying from Jakarta or Kuala Lumpur to Singapore have tested this digital verification certificate. They can store and present, via a QR code, the results of COVID-19 tests performed in selected clinics. Before passengers enter the territory, airport check-in staff can digitally verify their medical status and, soon, their vaccination status via a mobile application. The company plans to integrate this certificate into its SingaporeAir mobile application starting in mid-2021.
Link(s):
https://www.singaporeair.com/en_UK/us/media-centre/press-release/article/?q=en_UK/2020/October-December/ne2420-201223

 

Country: Singapore
Subject: The police force can use data collected by the TraceTogether contact tracing application in criminal investigations
Publication date: 01/04/2021
Description: The application’s official website has been updated to confirm that the police may use the data collected by the application in criminal investigations. This measure is in line with the country’s Criminal Procedure Code (CPC), under which police forces can access any document or data that can help advance an investigation. However, the same webpage also states that the application’s Bluetooth data is deleted after 25 days.
Link(s):
https://www.tracetogether.gov.sg/common/privacystatement/
https://www.channelnewsasia.com/news/singapore/singapore-police-force-can-obtain-tracetogether-data-covid-19-13889914

 

Country: Philippines – Indonesia
Subject: A vulnerability discovered in StaySafe PH, the Philippine contact tracing application
Publication date: 12/21/2020
Description: The Citizen Lab’s report highlights excessive permissions in the Indonesian (PeduliLindungi) and Philippine (StaySafe PH) contact tracing applications and exposes a vulnerability in the version deployed by Manila. The vulnerability lies in the Firebase database used by StaySafe PH and allowed any logged-in user to access its data (unique identifier, geolocation, medical status). By aggregating this data, a third party could determine a user’s identity. After the Citizen Lab informed the authorities, access to this database was restricted.
Link(s):
https://citizenlab.ca/2020/12/unmasked-ii-an-analysis-of-indonesia-and-the-philippines-government-launched-covid-19-apps/