COVID-19: CYBERSECURITY WATCH #31 – March 4, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

THREATS

Attack: Nearly 500,000 French patients affected by a leak of medical data from several laboratories
Method: Currently unknown
Target: 28 laboratories in six French departments
Publication date: 02/25/2021
Description: The stolen information reportedly includes patients’ personal and medical information (identity, date of hospitalization, social security number, e-mail address, etc.). The affected laboratories share the same management software provided by Dedalus France. The latter announced its cooperation with the competent authorities to identify the source of the attack. The French Data Protection Authority (CNIL) has also issued a statement on the incident and the associated risks for the victims.
Link(s):
https://www.france24.com/en/europe/20210225-france-investigates-massive-leak-of-medical-records
https://www.cnil.fr/fr/fuite-massive-de-donnees-de-sante-comment-savoir-si-elle-vous-concerne-et-que-pouvez-vous-faire

 

Attack: A cyberattack targeted a laboratory of Oxford University involved in the research on COVID-19
Method: Currently unknown
Target: Division of Structural Biology (Strubi) of the Oxford University
Publication date: 02/25/2021
Description: Cybercriminals gained access to machines used to prepare biochemical samples used in coronavirus research.  The information was confirmed by the Oxford University, which stated that no personal or medical data about patients has been compromised and that its research was not affected by the attack. The British National Cyber Security Centre (NCSC) is investigating the case.
Link(s):
https://www.forbes.com/sites/thomasbrewster/2021/02/25/exclusive-hackers-break-into-biochemical-systems-at-oxford-uni-lab-studying-covid-19/

 

Attack: Chinese cybercriminals targeted two Indian pharmaceutical firms involved in the production of COVID-19 vaccines
Method: Currently unknown
Target: Bharat Biotech and the Serum Institute of India (SII)
Publication date: 03/01/2021
Description: According to Cyfirma, the Chinese Advanced Persistent Threat (APT) group Stone Panda/APT10 exploited vulnerabilities in the IT infrastructure and supply chain of both companies to steal confidential information. The SII is currently responsible for producing the AstraZeneca vaccine and is expected to produce the Novavax vaccine in the near future. As for Bharat Biotech, it produces India’s COVAXIN vaccine. Cyfirma notified the CERT-In of the attack.
Link(s):
https://www.reuters.com/article/health-coronavirus-india-china/update-1-chinese-hackers-target-indian-vaccine-makers-sii-bharat-biotech-says-security-firm-idUSL2N2KZ13L

 

Attack: Cybercriminals impersonate the Turkish government to distribute Anubis and Cerberus Trojans
Method: Phishing campaigns
Target: General public in Turkey
Publication date: 02/24/2021
Description: Distributed on various platforms (text messages, e-mails, Twitter, etc.), these campaigns claim to provide financial aid given during the COVID-19 pandemic in order to convince their targets to click on a link that downloads a malicious application. The victims’ devices are then infected with Cerberus or Anubis Trojans, which are notably capable of stealing their login credentials by injecting invisible forms over banking and social network applications. Read our Focus on the Anubis Trojan featured in a previous newsletter.
Link(s):
https://www.riskiq.com/blog/external-threat-management/turkey-dog-covid-lures/

 

FRAUDS

Attack: Cybercriminals mimic the NHS website to steal personal information
Method: Phishing campaign
Surface/Application: e-mails
Publication date: 02/16/2021
Description: The fraudulent e-mails claim that their targets are eligible to be vaccinated against COVID-19 to redirect them to a website that accurately mimics the NHS website. Victims are then asked to provide their personal information (name, date of birth, etc.) and bank details. Once in their possession, this data could be used by cybercriminals to impersonate their victims and carry out new frauds.
Link(s):
https://news.sky.com/story/covid-organised-crime-behind-convincing-fake-nhs-vaccine-invitation-emails-12219985
https://www.ncsc.gov.uk/report/weekly-threat-report-19th-february-2021

 

USEFUL RESOURCES

Type of resources: The French National Cybersecurity Agency (ANSSI) updated its report on the Ryuk ransomware
Target: Cybersecurity professionals
Publication date: 02/26/2021
Description: This update comes after the discovery of a new variant of the ransomware that can automatically propagate within infected networks and has been detected during recent attacks. Ryuk is one of the main ransomwares targeting the healthcare sector, especially since the beginning of the COVID-19 pandemic, as evidenced by the attack on the Villefranche-sur-Saône hospital center, reported in the previous newsletter.
Link(s):
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-006/

 

Type of resources: A monitoring tool to follow government health policies created by Oxford University
Target: General public
Publication date: Daily updates
Description: This tool is designed to follow the evolution of health policies implemented in response to the COVID-19 pandemic in more than 180 countries. It is based on a wide range of data sources and indicators (vaccination policy, travel restrictions, contact tracing, etc.) to provide a comparison of the stringency of the implemented measures. The data used is freely accessible and a cartographic visualization of the various indicators is available on the website ourworldindata.org.
Link(s):
https://www.bsg.ox.ac.uk/research/research-projects/coronavirus-government-response-tracker
https://covidtracker.bsg.ox.ac.uk/stringency-scatter/
https://ourworldindata.org/policy-responses-covid

 

OTHER NEWS

Country: International
Subject: Researchers developed COVIDGuardian, a tool to assess the security and privacy of contact tracing applications
Publication date: 02/25/2021
Description: COVIDGuardian analyzed 40 contact tracing applications and found that a majority of them had security and privacy breaches. Three-quarters of them use at least one insecure encryption algorithm and share information with third parties such as Google Firebase and Facebook Analytics. In addition, a malware was discovered in the Kyrgyz application. After contacting the vendors, four of the applications were fixed.
Link(s):
https://www.qmul.ac.uk/media/news/2021/se/new-tool-reveals-security-and-privacy-issues-with-contact-tracing-apps.html
https://arxiv.org/abs/2006.10933
https://covid-guardian.github.io/

 

Country: Jamaica
Subject: COVID-19 screening results and quarantine orders for hundreds of thousands of travellers exposed online
Publication date: 02/17/2021
Description: Mostly used by foreign travelers, the JamCOVID website was taken offline after a series of vulnerabilities were discovered. An insecured cloud storage server was initially identified, leaving its data freely accessible (immigration documents, test results, quarantine verification videos). A file containing the passwords giving access to these databases was then discovered, exposed on an open directory on the website. The last flaw identified allowed an external person to access the quarantine orders from an Internet browser.
Link(s):
https://techcrunch.com/2021/02/26/amber-group-jamcovid-data-exposed/
https://techcrunch.com/2021/02/22/jamaica-amber-group-jamcovid-security-lapse/
https://techcrunch.com/2021/02/17/jamaica-immigration-travelers-data-exposed/

 

Country: India
Subject: More than 8 million COVID-19 test results exposed online
Publication date: 02/24/2021
Description: All test reports from the state of West Bengal are reportedly at risk. In addition to the results, they include personal information about the patients (name, age, time and location of the test, address, etc.).The URL sent by text message to retrieve the test results included an easily decipherable identification number, allowing new URLs to be constructed in order to access other patients’ results.  The West Bengal Ministry of Health has since fixed the vulnerability.
Link(s):
https://www.bleepingcomputer.com/news/security/over-8-million-covid-19-test-results-leaked-online/

 

Country: Ireland
Subject: Personal information of persons vaccinated against COVID-19 have been exposed online
Publication date: 02/25/2021
Description: The vaccination database used by the Health Service Executive (HSE) has been exposed due to human error, leaving it accessible to unauthorized persons. The affected data include the Personal Public Service number (PPS), the location of the patient’s vaccination, their telephone number and address.
Link(s):
https://www.irishmirror.ie/news/irish-news/health-news/private-information-thousands-who-received-23566568