COVID-19: CYBERSECURITY WATCH #29 – February 4, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on the Babuk ransomware

Attack: A ransomware hit Serco Group, one of the companies managing the COVID-19 Test and Trace system in the U.K.
Method: Currently unknown
Target: Serco Group
Publication date: 01/31/2021
Link(s):
https://news.sky.com/story/covid-19-nhs-test-and-trace-unaffected-by-cyber-attack-at-serco-firm-says-12204747
https://blog.cyberint.com/babuk-locker
https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/

Description

Cybercriminals are taking advantage of the fear generated by the pandemic to spread malware to their victims’ computers. In a recent incident, the Babuk ransomware targeted the British company Serco, which provides COVID-19 testing services, among other things. The attack was reported by Sky News, which discovered the incident after recovering a sample of the ransomware that had been uploaded to VirusTotal.

However, Serco neither commented on the impact of the attack nor indicated whether it had paid the ransom demand. The firm only stated that its activities related to the management of the NHS Test and Trace system were not affected. According to the cybersecurity firm Cyberint, the attack group reportedly does not target hospitals, schools or businesses with less than 4 million dollars in annual revenues.

Modus operandi

Although its code is considered amateurish, the Babuk ransomware uses strong encryption to encrypt files on network shares, which prevents victims from recovering them. The scheme is based on the Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm, which is used correctly.

Once launched, the ransomware stops various Windows services and processes known to keep files open and prevent encryption, such as e-mail clients, backup processes, database servers and web browsers. When encrypting files, Babuk uses a hard-coded extension that it appends to each encrypted file. The extension currently in use is “.__NIST_K571__”.

Each encrypted folder contains a file called “How To Restore Your Files.txt”. It contains information about the attack and a link to a Tor website where the victim can contact the ransomware operators to negotiate the ransom. Attackers also ask their victims if they are covered by a cyberinsurance policy and if they are working with a ransomware recovery company.

Babuk operators also ask victims to transfer the file “%AppData%\ecdh_pub_k.bin”, which contains the victim’s ECDH public key, allowing them to send decryption software with the private key associated with that victim.

The Indicators of Compromise (IoCs) associated with the Babuk ransomware are available at the end of the Cyberint blog post. 
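The file-system artifacts named above (the “.__NIST_K571__” extension, the “How To Restore Your Files.txt” note dropped in each encrypted folder, and the “ecdh_pub_k.bin” key file under %AppData%) can be turned into a simple defender-side sweep. The following script is an added example written for this newsletter, not code from CERT-DS, Cyberint or the Babuk operators; the sample directory tree it builds, its file names and the placeholder bytes it writes are constructed for the demonstration, and the “likely-babuk / suspicious / clean” grading is an assumed triage convention.

```python
"""Sweep a directory tree for the Babuk file-system indicators described above.

Added example (not from the newsletter or the cited blog posts). The three
indicator names come from the text; the sample tree built by build_sample_tree()
and the grading in assess() are constructed assumptions for the demonstration.
"""
import os
import tempfile
from pathlib import Path

# Indicators quoted in the Focus section.
BABUK_EXTENSION = ".__NIST_K571__"          # appended to every encrypted file
RANSOM_NOTE = "How To Restore Your Files.txt"  # dropped in each encrypted folder
KEY_FILE = "ecdh_pub_k.bin"                 # victim's ECDH public key (%AppData%)


def sweep(root):
    """Walk `root` and return sorted, root-relative POSIX paths grouped by indicator."""
    root = Path(root)
    hits = {"encrypted": [], "notes": [], "key_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name.endswith(BABUK_EXTENSION):
                hits["encrypted"].append(rel)
            elif name == RANSOM_NOTE:
                hits["notes"].append(rel)
            elif name == KEY_FILE:
                hits["key_files"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


def assess(hits):
    """Assumed triage rule: encrypted files plus a note is the strongest signal;
    any single indicator on its own is worth a look but may be a false positive
    (a copied note, a stray file name)."""
    if hits["encrypted"] and hits["notes"]:
        return "likely-babuk"
    if hits["encrypted"] or hits["notes"] or hits["key_files"]:
        return "suspicious"
    return "clean"


def build_sample_tree(base):
    """Constructed sample: one share folder hit by the ransomware, one clean
    folder, and a fake roaming AppData directory holding the key file."""
    base = Path(base)
    finance = base / "share" / "finance"
    finance.mkdir(parents=True)
    (finance / ("budget.xlsx" + BABUK_EXTENSION)).write_bytes(b"\x00" * 16)
    (finance / ("q1.docx" + BABUK_EXTENSION)).write_bytes(b"\x00" * 16)
    (finance / RANSOM_NOTE).write_text("constructed placeholder note\n")
    hr = base / "share" / "hr"
    hr.mkdir(parents=True)
    (hr / "policy.pdf").write_bytes(b"%PDF-1.4 constructed")
    appdata = base / "Users" / "alice" / "AppData" / "Roaming"
    appdata.mkdir(parents=True)
    (appdata / KEY_FILE).write_bytes(b"\x00" * 32)  # placeholder, not a real key
    return base


def run_demo():
    """Build the sample tree in a temp dir, sweep it, and return (hits, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = sweep(tmp)
    return hits, assess(hits)


if __name__ == "__main__":
    found, verdict = run_demo()
    for kind, paths in found.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("verdict:", verdict)
```

Point `sweep()` at a mounted share or a user profile to use it on a real host; a folder containing encrypted files but no note, or a note with no encrypted files beside it, is worth a second look rather than an automatic dismissal, since the operators may change either artifact between builds.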

 

THREATS

Attack: A cyberattack has hit the CHwapi hospital in Belgium, one of the logistics platforms for COVID-19 vaccines distributed in Wallonia
Method: Currently unknown
Target: CHwapi hospital in Tournai, Belgium
Publication date: 01/21/2021
Description: The attack led to the paralysis of some of the hospital’s services and the cancellation of about a hundred surgical operations. The CHwapi said that no patient’s personal data had been compromised, that the logistics circuit for COVID-19 vaccines had not been affected and that no ransom demand had been received. However, BleepingComputer was contacted by the alleged attackers, who claimed they had encrypted 40 servers and 100 TB of data using Windows BitLocker and had left a ransom note.
Link(s):
https://www.bleepingcomputer.com/news/security/chwapi-hospital-hit-by-windows-bitlocker-encryption-cyberattack/

 

Attack: Cyberattacks targeted several research partners of the Institut Pasteur, which is involved in the development of a vaccine against COVID-19
Method: Currently unknown
Target: The French National Centre for Scientific Research (CNRS), the French National Institute of Health and Medical Research (Inserm) and several universities such as Paris-Descartes
Publication date: 01/27/2021
Description: According to the newspaper L’Express, this attack campaign reportedly did not lead to the exfiltration of data. In addition, the French National Cybersecurity Agency (ANSSI) and the General Directorate for Internal Security (DGSI) were reportedly mobilized to conduct an in-depth investigation.
Link(s):
https://www.usine-digitale.fr/article/des-cyberattaques-ont-cible-l-institut-pasteur-qui-vient-d-abandonner-son-projet-de-vaccin-contre-le-covid-19.N1054079
https://lexpansion.lexpress.fr/actualite-economique/vaccin-contre-le-covid-19-l-institut-pasteur-vise-par-des-cyberattaques_2143208.html

 

Attack: The Gamarue.I malware was discovered on laptops distributed to underprivileged children during lockdown in the U.K.
Method: Currently unknown
Target: Computers distributed by the U.K. Department for Education (DfE)
Publication date: 01/21/2021
Description: According to sources quoted by The Guardian, the infection occurred shortly after the affected computers (Geo GeoBook 1E) were manufactured, and the malware attempted to communicate with Russian servers while it was active. Gamarue.I is a worm capable of stealing information, altering the security settings of infected devices and propagating through removable drives.
Link(s):
https://www.theguardian.com/education/2021/jan/21/malware-reportedly-found-laptops-children-england

 

FRAUDS

Attack: Cybercriminals impersonate the U.K.’s National Health Service (NHS) to steal personal information from their victims
Method: Phishing campaigns
Surface/Application: E-mails
Publication date: 01/25/2021
Description: The fraudulent e-mails claim that their recipients are eligible for vaccination against COVID-19 to redirect them to a phishing website. The latter accurately mimics the NHS design and invites victims to provide their personal information (name, phone number, bank details, etc.). Once the forms have been filled in, the phishing page redirects the web browser to the official NHS website, which further strengthens this campaign’s believability.
Link(s):
https://www.bleepingcomputer.com/news/security/beware-of-this-active-uk-nhs-covid-19-vaccination-phishing-attack/
https://www.actionfraud.police.uk/alert/warning-criminals-continue-to-take-advantage-of-coronavirus-vaccine-roll-out-as-phishing-email-reports-soar

 

Attack: Fake vaccination cards are sold on eBay and TikTok
Method: Scam
Surface/Application: eBay and TikTok
Publication date: 01/29/2021
Description: The Better Business Bureau (BBB) advises British citizens not to share photos of their vaccination card on social media. These cards contain sensitive personal information (date of birth, first and last name, and location of vaccination) and have already been duplicated and sold on platforms such as eBay or TikTok.
Link(s):
https://www.bbb.org/article/news-releases/23675-bbb-tip-dont-share-your-vaccine-card-on-social-media

 

Attack: Data from millions of Dutch citizens contaminated by COVID-19 or having undergone a screening test sold on instant messaging applications
Method: Data theft
Surface/Application: Telegram, Snapchat and Wickr
Publication date: 01/25/2021
Description: The stolen data include addresses, phone numbers and the Dutch equivalent of the French social security number. They come from two national systems designed to store data on people who have taken a screening test (CoronIT) and on confirmed cases of COVID-19 (HPzone Light). The Dutch police have arrested two employees working in the Municipal Medical and Health Service (GGD) call center, and the HPzone Light data export function has been deactivated.
Link(s):
https://securityaffairs.co/wordpress/113846/cyber-crime/covid-19-patient-data-sale.html
https://datanews.levif.be/ict/actualite/des-millions-de-donnees-privees-des-systemes-corona-neerlandais-mis-en-vente-en-ligne/article-news-1384615.html

 

Attack: Cybercriminals claim their victims are eligible for vaccination against COVID-19 to steal personal information of Brazilian citizens
Method: Phishing campaigns
Surface/Application: E-mails, WhatsApp
Publication date: 01/21/2021
Description: A Kaspersky security researcher warns of several phishing campaigns using COVID-19 vaccine lures. In one of them, fraudulent e-mails redirect recipients to malicious websites to steal their corporate login credentials. Another impersonated the Brazilian Ministry of Health to trick victims into sending their WhatsApp login credentials in order to clone their accounts and attempt to extort money from their contacts.
Link(s):
https://twitter.com/assolini/status/1352708851804594181

 

Attack: Cybercriminals impersonate the Small Business Administration (SBA) to steal personal and banking data from U.S. business owners
Method: Phishing campaign
Surface/Application: E-mails
Publication date: 01/29/2021
Description: The fraudulent e-mails claim that their recipients are eligible for the extension of the financial assistance program introduced at the beginning of the COVID-19 pandemic to redirect them to a phishing web page. Victims are then asked to fill out a Microsoft Forms form with their personal and company information, which could be exploited by cybercriminals to carry out other malicious actions.
Link(s):
https://abnormalsecurity.com/blog/ppe-extended-coverage-phishing/
https://www.bleepingcomputer.com/news/security/phishing-campaign-lures-us-businesses-with-fake-ppp-loans/

 

USEFUL RESOURCES

Type of resources: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) launches an awareness campaign on ransomware
Target: Public and private entities
Publication date: 01/21/2021
Description: This campaign focuses primarily on organizations involved in the COVID-19 response as well as K-12 educational institutions. Under this framework, CISA will communicate on social media about good practices to adopt in order to limit the risk of ransomware. In addition, a single page has been created to gather useful resources such as alerts, guides, infographics and training modules.
Link(s):
https://www.cisa.gov/news/2021/01/21/cisa-launches-campaign-reduce-risk-ransomware
https://www.cisa.gov/ransomware

 

OTHER NEWS

Country: International
Subject: A coalition of health and IT industry leaders launches an initiative to standardize digital vaccination passports
Publication date: 01/14/2021
Description: The Vaccination Credentials Initiative (VCI) includes companies such as Mitre, Microsoft and Oracle and aims to create an internationally interoperable digital vaccination passport that can be easily accessed by individuals. VCI is based on the CommonPass application, which allows users to store their immunization data via a QR Code and on the SMART Health Cards framework, which adheres to the HL7 FHIR (Fast Healthcare Interoperability Resources) standards.
Link(s):
https://vaccinationcredential.org/news
https://www.theverge.com/2021/1/14/22231187/microsoft-salesforce-oracle-digital-vaccination-records

 

Country: International
Subject: The Emotet Trojan infrastructures were seized during an international operation coordinated by Europol
Publication date: 01/27/2021
Description: The German and Dutch police forces have replaced several of Emotet’s command and control (C2) servers with their own in order to intercept communications coming from infected devices. In doing so, the authorities were able to shut down the malware and can now obtain additional information on its operations. In addition, a modified Emotet update has been deployed so that the malware automatically uninstalls itself. This “self-destruction” is scheduled to be triggered on April 25, 2021. Read our Focus on Emotet featured in a previous newsletter.
Link(s):
https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action
https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation
https://www.bleepingcomputer.com/news/security/europol-emotet-malware-will-uninstall-itself-on-april-25th/

 

Country: International
Subject: An international coalition dismantles several resources of the Netwalker ransomware and arrests one of its alleged operators
Publication date: 01/27/2021
Description: An operation coordinated by the Federal Bureau of Investigation (FBI) led to the seizure of the Netwalker website that was used to publish the data stolen from the victims. In addition, a presumed operator of the ransomware was arrested and nearly 500,000 dollars in cryptocurrency corresponding to ransom payments were seized on January 10. Finally, the Bulgarian police dismantled a darkweb resource used to communicate with the victims. Read our Focus on Netwalker featured in a previous newsletter.
Link(s):
https://www.justice.gov/usao-mdfl/pr/department-justice-launches-global-action-against-netwalker-ransomware
https://threatpost.com/netwalker-ransomware-suspect-charged/163405/

 

Country: France
Subject: The French Data Protection Authority (CNIL) published a second report on its controls of the SI-DEP, Contact Covid databases and of the contact tracing application TousAntiCovid
Publication date: 01/21/2021
Description: The CNIL considers that the data processing put in place during the COVID-19 pandemic is essentially respectful of personal data. Nevertheless, it issued a formal notice to a Regional Health Agency (ARS) based on shortcomings regarding the security and storage duration of the data collected in the Contact Covid database used to trace infected persons and contact cases. At the same time, the CNIL also published a report on its activities since the beginning of the pandemic.
Link(s):
https://www.cnil.fr/fr/la-cnil-publie-son-deuxieme-avis-adresse-au-parlement-sur-les-conditions-de-mise-en-oeuvre-de-si-dep
https://www.cnil.fr/fr/point-detape-sur-les-activites-de-la-cnil-dans-le-contexte-du-covid-19

 

Country: France
Subject: A decree creating the notion of “co-exposed” person came into force
Publication date: 01/22/2021
Description: This new concept refers to people present at an event where the protective measures could not be respected and where a confirmed case of COVID-19 has been identified. The information concerning these individuals will now be integrated into the Contact Covid file in order to monitor them and alert them if necessary. In addition, the decree also extends the definitions of high-risk events and locations, which considerably expands the data collected in the information system, as the CNIL points out in its deliberation.
Link(s):
https://www.ticsante.com/story/5521/covid-19-un-decret-cree-la-notion-de-personne-co-exposee.html
https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000043023857