COVID-19: CYBERSECURITY WATCH #28 – January 21, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, providing a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Threats

Attack: Confidential documents stolen from the European Medicines Agency (EMA) following a cyberattack were allegedly altered prior to their publication on the Internet
Method: Data theft
Target: European Medicines Agency (EMA)
Publication date: 01/15/2021
Description: The EMA confirmed the information reported by Cyble about the publication on the dark web of confidential documents regarding the Pfizer/BioNTech vaccine. The Agency also stated that some documents had been altered to undermine public confidence in COVID-19 vaccines. Several European newspapers retrieved some of this data, which included e-mails exchanged between European officials.
Link(s):
https://www.ema.europa.eu/en/news/cyberattack-ema-update-5
https://www.dw.com/en/hackers-manipulated-stolen-covid-vaccine-papers-says-eu-agency/a-56244504

 

Attack: Cybercriminals impersonate the World Health Organization (WHO) to distribute the Agent Tesla malware
Method: Phishing campaigns
Target: U.S. Industries
Publication date: 01/14/2021
Description: Proofpoint revealed several phishing campaigns exploiting COVID-19 lures. One of them pretends to provide a safety report on new COVID-19 vaccines and encourages victims to open a malicious attachment containing an embedded executable file. Once run, the malware can be dropped and spread. Considered a Remote Access Trojan (RAT), Agent Tesla can then record keystrokes (as a keylogger) and recover passwords stored in the browser. Read our focus on Agent Tesla in a previous newsletter.
Link(s):
https://www.proofpoint.com/us/blog/threat-insight/attackers-use-covid-19-vaccine-lures-spread-malware-phishing-and-bec

 

Frauds

Attack: Cybercriminals impersonate the U.K.’s National Health Service (NHS) to steal their victims’ banking data
Method: Smishing campaign
Surface/Application: Text messages
Publication date: 01/05/2021
Description: The fraudulent text messages claim that their victims are eligible for vaccination against COVID-19 and redirect them to a fake web page imitating the NHS and inviting them to fill in their personal information (name, address) as well as their bank details. The BBC reports that this fraudulent website has been taken down since then.
Link(s):
https://www.derbyshire.police.uk/news/derbyshire/news/news/forcewide/2021/january/circulating-fake-nhs-covid-19-vaccine-text-message/
https://www.bbc.com/news/uk-england-55560604

 

Attack: Cybercriminals claim that their victims are eligible for a tax refund due to COVID-19 to steal their bank details
Method: Smishing campaign
Surface/Application: Text messages
Publication date: 01/12/2021
Description: The fraudulent text messages sent to British citizens claim that they are entitled to a tax refund of up to 230 pounds due to the new lockdown in the U.K. The victims are then redirected to a fake web page where they are asked to provide their bank details. 
Link(s):
https://www.tradingstandards.uk/news-policy/news-room/2021/phoney-covid-19-lockdown-rebate-targeting-public

 

Attack: Professor Didier Raoult impersonated on Facebook through a fake official page publishing tendentious messages
Method: Identity Theft
Surface/Application: Facebook
Publication date: 01/15/2021
Description: Some ill-intentioned people took advantage of his media coverage to create a fake official Facebook page and to convey, among other things, conspiratorial anti-vaccine messages. The “official Didier Raoult” page was created at the beginning of the pandemic and had 50,000 subscribers before being closed by Facebook on 14 January following a denial by the professor himself.
Link(s):
https://www.numerama.com/politique/682191-anti-vaccin-et-extreme-droite-la-page-facebook-didier-raoult-officiel-etait-une-fausse.html

 

Attack: Cybercriminals exploit COVID-19 to steal U.S. employees’ personal information and login credentials
Method: Phishing campaign
Surface/Application: E-mails
Publication date: 01/12/2021
Description: The fraudulent e-mails impersonate U.S. companies and claim their employees are required to fill out a form as part of a COVID-19 screening protocol supposedly put in place by the U.S. Department of Health and Human Services (HHS). Victims are asked to fill in their personal information, company login credentials and provide an electronic signature.
Link(s):
https://cofense.com/blog/coronavirus-screening-testing

 

Useful resources

Type of resources: CovidTracker platform adds VaccinTracker, a monitoring tool to follow the vaccination campaign in France
Target: General public in France
Publication date: 01/08/2021
Description: This tool makes it possible to follow the progress of the vaccination campaign against COVID-19 in France, at the national and regional levels. It is based on public data relating to people vaccinated against COVID-19, which is freely accessible on the data.gouv.fr website.
Link(s):
https://covidtracker.fr/vaccintracker/
https://www.data.gouv.fr/fr/datasets/donnees-relatives-aux-personnes-vaccinees-contre-la-covid-19/

 

Type of resources: Google Maps allows its users to locate COVID-19 testing centers
Target: General public in France
Publication date: 01/08/2021
Description: Google Maps uses data from the French Ministry of Health to enable Internet users to easily locate a testing center. This information will be updated as the authorities reference the centers. In addition, the application is currently unable to specify which type of test is performed in those centers (PCR or antigenic).
Link(s):
https://support.google.com/maps/answer/9795160

 

Type of resources: Appointment scheduling for the COVID-19 vaccine will be done on the online platforms Doctolib, Maiia and KelDoc
Target: Patients over 75 years of age, firefighters and orderlies over 50 years of age in France
Publication date: 01/11/2020
Description: The government has designated Doctolib, Maiia and KelDoc as online appointment scheduling tools. Doctolib has accordingly developed management software specially adapted to vaccination centers, which allows appointments for both injections to be made simultaneously while respecting health deadlines. All the vaccination centers concerned should be listed on the platforms before January 14, 2021, the beginning of the vaccination campaign’s extension.
Link(s):
https://www.sante.fr/centres-vaccination-covid.html
https://f.hubspotusercontent30.net/hubfs/5479688/B2B%20-%20Press/210111%20-%20CP%20Vaccination%20Doctolib%20(1).pdf
https://www.cegedim.fr/Communique/Maiia-VaccinationAnti-covid19_11012021.pdf

 

Other News

Country: International
Subject: COVID-19 contact cases were not alerted in time due to a bug in the exposure notifications on Android versions of the contact tracing applications
Publication date: 01/13/2021
Description: The Verge reports that contact-tracing applications using the Android exposure notification system were no longer able to alert people who had been in contact with a known case of COVID-19. According to Google, no potential contact data was lost and a fix is being deployed. 
Link(s):
https://www.theverge.com/2021/1/13/22228594/google-coronavirus-tracking-app-exposure-notifications-issues-problems
https://www.brusselstimes.com/news/belgium-all-news/149074/problem-with-coronalert-tracing-app-no-longer-notifies-users-after-high-risk-contact-belgium-european-countries-update/

 

Country: United Kingdom
Subject: The COVID-19 immunity and vaccination passport developed by the British companies Mvine and iProov enters into trial phase
Publication date: 01/13/2021
Description: In a joint press release, the two companies stated that the passport will make it possible to register and certify a person’s test result or vaccination status while maintaining anonymity. Public health managers within the National Health Service (NHS) will test it for deployment in local areas. In addition, the passport can be connected to NHS infrastructure, allowing it to meet the local directors’ specific needs. Testing will run until March 31, 2021.
Link(s):
https://www.afp.com/en/news/1314/covid-19-passport-iproov-and-mvine-moves-trial-phase-202101120061241

 

Country: India
Subject: Laboratory reports that include COVID-19 test results from thousands of patients were accidentally exposed on the Internet
Publication date: 01/05/2021
Description: BleepingComputer found that these reports, indexed on Google, were hosted on “.gov.in” and “.nic.in” domains owned by Indian government agencies. Laboratories are required to report test results to designated government agencies via a web portal. However, it is likely the PDFs were hosted on the same CMS used to publish publicly accessible documents. After its discovery, BleepingComputer quickly alerted the relevant authorities.
Link(s):
https://www.bleepingcomputer.com/news/security/indian-government-sites-leaking-patient-covid-19-test-results/