COVID-19: CYBERSECURITY WATCH #30 – February 19, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert service covering the impact and consequences of COVID-19 on cybersecurity. This monitoring, which may be shared freely, aims to:

  • Identify the biggest threats to information systems;
  • Share the resources and tools needed to understand and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, each week we also present a “threat focus” on one of the reported attacks, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on the Lampion banking Trojan

Attack: Cybercriminals impersonate Portugal’s Ministry of Health to spread the Lampion banking Trojan
Method: Phishing campaign
Target: General public in Portugal
Publication date: 02/12/2021
Link(s):
https://securityaffairs.co/wordpress/114496/cyber-crime/lampion-trojan-portugal-covid19.html
https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/

Description

Lampion is a banking Trojan first observed at the end of 2019; new versions appeared in early 2021. The malware does not seem to have undergone any major changes between the successive waves of attacks. In the first wave, in late 2019, Lampion targeted Portugal with e-mail templates imitating the Portuguese Ministry of Finance and “Energias de Portugal” (EDP).

In 2020, further attacks followed the same process but used a different e-mail template. The attacks observed in February 2021 are again similar to the previous ones, except for the template, which imitates the Portuguese Ministry of Health and pretends to provide information on the COVID-19 vaccination campaign.

This Trojan, delivered through phishing campaigns using various templates (banking, energy, COVID-19 communications), appears to target Portugal only.

Modus operandi

The compromise of a host by the Lampion banking Trojan can be broken down into several stages. First, the attackers run a phishing campaign in order to reach as many people as possible. The e-mails imitate private and public entities well known to the population.

These e-mails contain three files:

  • A PDF file;
  • A text file;
  • A “VBS” file.

A “VBS” file is a VBScript (Microsoft Visual Basic Scripting Edition) file. VBScript is an interpreted language, and interpreted languages are usually high level and easy to read, even for someone who does not master them. Attackers therefore “obfuscate” the code to make its analysis harder, a process meant to discourage analysts and waste their time. It is worth noting that the obfuscation of the VBS code is the main change between the December 2019 wave and the May 2020 and February 2021 waves of attacks.

The infection of the user’s workstation does not occur when the attachment is downloaded but when the user executes the “VBS” file; it therefore requires a user action. When run, the script downloads two files:

  • The Lampion malware: a file with a “.dll” extension that is actually a Windows executable (PE) file;
  • A zip archive containing a library of functions used by the malware.

These files are hosted on public cloud storage such as AWS S3 or Google Cloud Storage. The “VBS” file is therefore a first-stage dropper: it carries no payload itself and downloads the second stage at run time.

Once the “VBS” script has downloaded the two malicious files, it executes the Trojan, which also loads into memory the library contained in the zip archive. The malware embeds JPEG images to alter its file signature and evade some antivirus engines. In addition, during the malware’s execution, a shortcut file (“.lnk”) is created in the Windows Startup folder so that the malware runs at each start-up of the infected device. At the end of its execution, the malware forces the machine to reboot in order to complete the compromise.

The malware is packed with VMProtect, which obfuscates its code and complicates reverse engineering, further discouraging analysts. It is also able to detect whether it is being analyzed or running in a virtual environment.

Finally, the malware sends information about the infected computer to a command and control (C2) server, which both collects the data sent by the malware and issues commands to it.

For Lampion’s tactics, techniques and procedures (TTPs), see the MITRE ATT&CK mapping at the end of the Segurança-Informática article.
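The infection chain above leaves three observable traces on an endpoint: a script host (wscript.exe or cscript.exe) started on a .vbs from a user-writable folder, that script host connecting to public cloud storage to fetch its payloads, and a .lnk written into a Startup folder. The following Python correlation rule is an added example, not code from the newsletter or from the Segurança-Informática analysis; its event schema, hostnames, paths and sample events are constructed for the demonstration and must be adapted to your Sysmon or EDR field names.

```python
"""Correlation rule for the Lampion-style infection chain described above.

Added example (not from the newsletter or the Segurança-Informática write-up).
It scores three observable steps of the chain per host:
  1. wscript.exe / cscript.exe started on a .vbs in a user-writable folder
     (the e-mail attachment the victim double-clicks);
  2. that script host opening a connection to public cloud storage
     (AWS S3 / Google Cloud Storage), where the two payloads are hosted;
  3. a .lnk written into a Startup folder (persistence set up by the Trojan).
Event field names and the sample events are constructed for this demo and
are not real telemetry.
"""
import re
from collections import defaultdict

# Constructed "key=value" events, Sysmon-like (ProcessCreate, NetworkConnect, FileCreate).
SAMPLE_EVENTS = [
    'ts=1 host=WS01 pid=4120 type=ProcessCreate image="C:\\Windows\\System32\\wscript.exe" '
    'cmdline="wscript.exe C:\\Users\\ana\\Downloads\\vacina_covid19.vbs"',
    'ts=2 host=WS01 pid=4120 type=NetworkConnect image="C:\\Windows\\System32\\wscript.exe" '
    'dest=bucket.s3.eu-west-1.amazonaws.com',
    # payload.exe is a placeholder name for the downloaded Trojan, not a real Lampion file name.
    'ts=3 host=WS01 pid=5312 type=FileCreate image="C:\\Users\\ana\\AppData\\Local\\Temp\\payload.exe" '
    'path="C:\\Users\\ana\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"',
    # Benign noise: an admin script on another host talking to an internal server.
    'ts=4 host=WS02 pid=800 type=ProcessCreate image="C:\\Windows\\System32\\cscript.exe" '
    'cmdline="cscript.exe C:\\Scripts\\inventory.vbs"',
    'ts=5 host=WS02 pid=800 type=NetworkConnect image="C:\\Windows\\System32\\cscript.exe" '
    'dest=inventory.corp.local',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# Matches virtual-hosted and path-style S3 endpoints, regional or not, and GCS.
CLOUD_STORAGE_RE = re.compile(
    r'(^|\.)(s3([.-][a-z0-9-]+)?\.amazonaws\.com|storage\.googleapis\.com)$')
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def stage_of(ev):
    """Map one event to a stage of the chain, or None if it is not suspicious."""
    kind = ev.get("type")
    image = basename(ev.get("image", ""))
    if kind == "ProcessCreate" and image in SCRIPT_HOSTS:
        cmd = ev.get("cmdline", "").lower()
        if ".vbs" in cmd and any(d in cmd for d in USER_WRITABLE):
            return "vbs_from_user_dir"
    elif kind == "NetworkConnect" and image in SCRIPT_HOSTS:
        if CLOUD_STORAGE_RE.search(ev.get("dest", "").lower()):
            return "script_host_to_cloud_storage"
    elif kind == "FileCreate":
        path = ev.get("path", "").lower()
        if STARTUP_DIR in path and path.endswith(".lnk"):
            return "startup_lnk_written"
    return None


def correlate(lines, min_stages=2):
    """Collect distinct stages per host; alert on hosts showing at least min_stages.

    A production rule would additionally bound the correlation to a time window
    and key on the process tree, since stage 3 is written by the Trojan, not by
    the script host.
    """
    stages = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        stage = stage_of(ev)
        if stage:
            stages[ev.get("host", "?")].add(stage)
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(hits)}")
```

On the constructed sample, WS01 trips all three stages and WS02 none: a script host running a .vbs from an administrative share and talking to an internal server does not match. Because the chain only starts when the user executes the attachment, restricting Windows Script Host for user-delivered scripts removes stage 1 altogether; the rule above is the detective counterpart for environments where that is not possible.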

 

THREATS

Attack: The Dax Hospital was hit by ransomware
Method: Currently unknown
Target: Dax-Côte d’Argent Hospital center, France
Publication date: 02/09/2021
Description: Perpetrated during the night of February 8 to 9, this cyberattack paralyzed the hospital’s information system. Except for the most serious emergencies, many of its healthcare activities have been suspended, including the COVID-19 vaccination center. The Paris Public Prosecutor’s Office, in charge of the investigation, confirmed the ransom demand. The French National Cybersecurity Agency (ANSSI) is also involved. Meanwhile, nine hospitals in the Dordogne region of France reportedly avoided a similar attack targeting their IT provider.
Link(s):
https://twitter.com/chdax/status/1359159568681566208
https://portswigger.net/daily-swig/dax-cote-dargent-hospital-in-france-hit-by-ransomware-attack
https://www.france24.com/en/europe/20210216-cyber-attacks-hit-two-french-hospitals-in-one-week

 

Attack: The Ryuk ransomware targets the Villefranche-sur-Saône Hospital center
Method: Currently unknown
Target: Villefranche, Tarare and Trévoux facilities of the North-West Hospital, France
Publication date: 02/15/2021
Description: Detected in the early morning of February 15, the attack was contained by hospital teams, who disconnected workstations and cut off access to the information system. Emergency and telephone services were paralyzed, but no patient transfers are planned and COVID-19 vaccination is unaffected. An investigation is underway with the support of the ANSSI. Read our Focus on the Ryuk ransomware featured in a previous newsletter.
Link(s):
https://www.france24.com/en/europe/20210216-cyber-attacks-hit-two-french-hospitals-in-one-week

 

Attack: The pharmaceutical company Pfizer has reportedly been targeted by North Korean cybercriminals
Method: Currently unknown
Target: Pfizer research laboratory
Publication date: 02/16/2021
Description: A South Korean lawmaker said that the National Intelligence Service (NIS) had identified an attack by North Korean hackers on the pharmaceutical company Pfizer, aimed at obtaining information on its COVID-19 vaccine. This allegation follows earlier reports of a North Korean cyber-espionage campaign targeting various organizations involved in vaccine development. Confidential Pfizer/BioNTech documents were also leaked following a cyberattack on the European Medicines Agency (EMA).
Link(s):
https://www.reuters.com/article/us-northkorea-cybercrime-pfizer-idCAKBN2AG0NI

 

Attack: The QIMR Berghofer Medical Research Institute was impacted by the compromise of a File Transfer Appliance (FTA) provided by Accellion
Method: Exploitation of a zero-day vulnerability
Target: QIMR Berghofer Medical Research Institute in Brisbane, Australia
Publication date: 02/11/2021
Description: The Australian institute, notably involved in COVID-19 research, was alerted by Accellion of a likely data breach caused by a vulnerability in its file transfer appliance. The potentially compromised data includes information on researchers and on patients involved in malaria treatment trials. Accellion’s FTA was recently compromised by cybercriminals exploiting an SQL injection vulnerability, which resulted in a series of cyberattacks on its customers.
Link(s):
https://www.qimrberghofer.edu.au/media-releases/qimr-berghofer-investigates-suspected-accellion-data-breach/
https://portswigger.net/daily-swig/australian-research-institute-confirms-likely-data-breach-after-third-party-accellion-hack
https://www.cyber.gov.au/acsc/view-all-content/alerts/potential-accellion-file-transfer-appliance-compromise

 

FRAUDS

Attack: A cybercriminal hijacked Pennsylvania’s COVID-19 vaccination hotline
Method: Vishing
Surface/Application: Telephone
Publication date: 02/05/2021
Description: Created to schedule vaccination appointments for elderly people without Internet access, this service was partially compromised by a cybercriminal, who managed to redirect calls and ask victims for their credit card details. The issue was quickly resolved, but the investigation has not yet determined how many people fell victim to the fraud.
Link(s):
https://edition.cnn.com/2021/02/05/us/hackers-intercept-covid-hotline-pennsylvania-trnd/

 

USEFUL RESOURCES

Type of resource: A Twitter bot to follow the COVID-19 vaccination campaign in France
Target: General public
Publication date: Daily updates
Description: Created by two journalists at the newspaper Les Échos, this bot uses data from Santé Publique France that is publicly available on data.gouv.fr. Since February 11 it also reports the number of people who have received two vaccine doses, a figure Santé Publique France has published since February 2.
Link(s):
https://twitter.com/BotDuVaccin
https://www.numerama.com/sciences/686971-vous-pouvez-suivre-lavancement-de-la-vaccination-en-france-grace-a-ce-compte-twitter.html

 

Type of resource: CTI League releases a report on darknet activity exploiting COVID-19 and targeting the healthcare sector
Target: Healthcare organizations, public entities
Publication date: 02/11/2021
Description: In this report on dark web threats, CTI League identifies the main ransomware families targeting the healthcare sector (Maze, Conti, NetWalker, REvil and Ryuk) and anticipates an increase in such attacks. CTI League also highlights disinformation and phishing campaigns exploiting COVID-19, as well as dark web markets selling medical equipment. A more detailed version of the report is available on request to public entities and law enforcement agencies.
Link(s):
https://cti-league.com/blog/darknet-report-2021/

 

OTHER NEWS

Country: France
Subject: A decree came into force enabling the introduction of QR codes in public places during the COVID-19 pandemic
Publication date: 02/14/2021
Description: This system would allow certain public places to reopen and would better notify people who were present there at the same time as a confirmed COVID-19 case. On this occasion, the French Data Protection Authority (CNIL) published its opinion on the decree, stressing that the targeted public places should be better defined and that access to them should not be limited to people who have installed the TousAntiCovid contact-tracing application.
Link(s):
https://www.zdnet.fr/actualites/tousanticovid-un-nouveau-decret-pose-les-bases-d-un-qr-code-dans-les-lieux-publics-39917915.htm
https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000043131033
https://www.cnil.fr/fr/la-cnil-rend-son-avis-sur-les-evolutions-de-lapplication-tousanticovid

 

Country: France – Ukraine
Subject: Alleged members of the Egregor ransomware group were arrested in Ukraine
Publication date: 02/14/2021
Description: A Franco-Ukrainian operation led to the arrest in Ukraine of several people linked to the Egregor cybercriminal group. According to France Inter, investigators located several suspects by tracing ransom payments made in Bitcoin through the blockchain. As a reminder, Egregor is the presumed successor of Maze, a group known to have targeted healthcare institutions during the COVID-19 pandemic.
Link(s):
https://www.bleepingcomputer.com/news/security/egregor-ransomware-members-arrested-by-ukrainian-french-police/

 

Country: Denmark – Sweden
Subject: Denmark and Sweden are developing a digital vaccination certificate
Publication date: 02/05/2021
Description: In Denmark, people who have received two doses of the vaccine will be able to download a digital certificate as early as the end of February to facilitate business travel abroad. This “corona passport” should then be made available to the whole population through a mobile application. Sweden announced it is working on a similar system, to be available this summer; it too would initially be restricted to travellers going abroad.
Link(s):
https://www.rfi.fr/en/international/20210205-sweden-follows-denmark-in-move-to-introduce-digital-vaccine-passports-coronavirus-travel-europe