COVID-19: CYBERSECURITY WATCH #32 – March 18, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) has set up a monitoring and alert service covering the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which may be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to understand and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we also provide a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on the Dridex banking Trojan

Attack: Cybercriminals spoof the Internal Revenue Service (IRS) and exploit the COVID-19 American Rescue Plan to spread Dridex
Method: Phishing campaign
Target: General public in the United States and Canada
Publication date: 03/09/2021
Link(s):
https://www.proofpoint.com/us/blog/security-briefs/threat-actors-target-victims-promising-covid-19-relief-vaccines-and-variant
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

Description 

COVID-19 has been in the news for over a year and has caused health and economic hardship for a large number of people. The threat actor detailed in this focus spread the Dridex malware on a massive scale via e-mails exploiting the COVID-19 American Rescue Plan.

Modus operandi

The Dridex banking Trojan appeared in 2014. This new variant of the Bugat malicious code operates with sets of bots managed under an affiliate model run by the Evil Corp group. The bots communicate with each other over a peer-to-peer network and are organized into botnets according to the industry and geographic region they target.

Dridex steals online-banking credentials. Once the accounts are compromised, the attacker can perform fraudulent money transfers. To make the victim authenticate through a malicious form, Dridex has three possible Web-injection techniques. If Dridex compromises a legitimate online-banking Web page, it can inject HTML code to add forms to it. Alternatively, Dridex can redirect the victim to a page spoofing the online bank. Finally, the Dridex stealer can intercept the responses from the banking Website’s Web server: the server’s responses are relayed to the attackers’ PHP server, where malicious code is injected before the page is delivered to the victim.

This malware has a “loader” module that performs reconnaissance, installs the payload and downloads additional modules. The core module consists of a keylogger that lets the attacker gather context about the victim’s environment. The payload also detects which Web browsers are installed so that Dridex can select a Web injection that works against them.

In this phishing campaign, the user receives an e-mail claiming to be from the IRS that prompts them to click on a link in order to apply for the COVID-19 American Rescue Plan. This link opens an Excel file that asks the user’s permission to enable its content. If the user accepts, a malicious macro is triggered that runs the Dridex malware. When the victim later authenticates on their online banking platform from their own browser, Dridex will have modified the authentication form in order to capture their login information.
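The lure in this chain is an Excel file whose macro only runs once the user “enables content”, so mail-gateway or endpoint triage can flag such attachments before the prompt is ever shown. The following is an added example (not code from CERT-DS or Proofpoint) that checks an Office attachment for VBA macro indicators: the `vbaProject.bin` part and macro-enabled content type in Office Open XML files, and the `_VBA_PROJECT` storage name in legacy OLE2 files. The `build_sample_xlsm` helper constructs a minimal, non-functional workbook purely as test input; `MACRO_CONTENT_TYPES` and `OLE2_MAGIC` are standard format constants, not values from the campaign.

```python
import io
import zipfile

# Content types that mark a macro-enabled Office Open XML document.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def office_macro_indicators(data: bytes) -> list:
    """Return the macro indicators found in an Office file (empty list = none)."""
    found = []
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .xls/.doc: the VBA storage name sits in the compound-file
        # directory as UTF-16LE, so a raw byte search is a usable heuristic.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            found.append("ole2:_VBA_PROJECT")
        return found
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                found.append("ooxml:vbaProject.bin")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                found += [f"ooxml:{ct}" for ct in MACRO_CONTENT_TYPES if ct in ctypes]
    except zipfile.BadZipFile:
        pass  # not an OOXML container, nothing to report
    return found


def build_sample_xlsm(with_macro: bool) -> bytes:
    """Constructed minimal workbook used only as test input (not a real lure)."""
    main_ct = (MACRO_CONTENT_TYPES[0] if with_macro else
               "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    ctypes = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes only; a real part is an OLE2 container with VBA streams.
            zf.writestr("xl/vbaProject.bin", b"placeholder")
    return buf.getvalue()
```

A non-empty result is a reason to quarantine the attachment for analysis rather than proof of malice, since legitimate macro-enabled workbooks produce the same indicators.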

Recommendations 

In order to protect yourself from this type of attack, it is recommended that you navigate to the site yourself in your Web browser rather than opening a link received by e-mail.

 

THREATS

Attack: A cyberattack shuts down online learning in 15 English schools
Method: Currently unknown
Target: Nova Education Trust schools in Nottinghamshire
Publication date: 03/03/2021
Description: Nova Education Trust confirmed the cyberattack on the morning of Wednesday, March 3. The incident led to the temporary shutdown of all computer systems, preventing online learning from continuing normally. School communications and websites remain unavailable pending the completion of an investigation led by the Trust in collaboration with the National Cyber Security Centre (NCSC).
Link(s):
https://www.nottinghampost.com/news/local-news/nova-education-trust-provides-update-5085926

 

Attack: Cybercriminals reportedly exploited Lithuanian infrastructure to target companies involved in the development of COVID-19 vaccines
Method: Currently unknown
Target: Foreign entities developing COVID-19 vaccines
Publication date: 03/04/2021
Description: In its annual report, the State Security Department of Lithuania (VSD) stated that the APT (Advanced Persistent Threat) group Cozy Bear/APT29 was behind the cyberattacks. This attribution echoes an advisory published in July 2020 by the NCSC, which had already accused APT29 of targeting organizations involved in the development of a COVID-19 vaccine in Canada, the United States and the United Kingdom.
Link(s):
https://apnews.com/article/lithuania-coronavirus-pandemic-covid-19-pandemic-national-security-russia-4f643495296f645e8957594034ec0367
https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development

 

Attack: A French hospital was hit by ransomware
Method: Currently unknown
Target: Oloron-Sainte-Marie hospital, Pyrénées-Atlantiques department, France
Publication date: 03/09/2021
Description: Carried out on March 8, this cyberattack paralyzed the hospital’s information system. Except for the emergency department and the COVID-19 vaccination campaign, many of its healthcare activities have been suspended. The cybercriminals are demanding a ransom of 50,000 dollars in bitcoin, and a complaint for extortion has been opened by the Paris Public Prosecutor’s Office. The French National Cybersecurity Agency (ANSSI) has also been informed. This is the third French hospital targeted by ransomware since February, after the attacks against the hospitals of Villefranche-sur-Saône and Dax reported in a previous watch bulletin.
Link(s):
https://www.larepubliquedespyrenees.fr/2021/03/09/une-cyberattaque-paralyse-l-hopital-d-oloron,2797093.php
https://www.lemonde.fr/pixels/article/2021/03/09/un-hopital-des-pyrenees-atlantiques-vise-a-son-tour-par-une-cyberattaque_6072505_4408996.html

 

FRAUDS

Attack: Hong Kong postal service impersonated by cybercriminals to steal money from their victims
Method: Phishing campaign
Surface/Application: E-mails/text messages
Publication date: 03/10/2021
Description: Taking advantage of the pandemic’s surge in deliveries, cybercriminals sent fraudulent e-mails or text messages claiming that victims had to pay the shipping costs of their deliveries. The victims were redirected to a phishing website where they were asked to enter their banking information, which was later used to make online purchases. Hong Kong police say that since November last year, 120 people have fallen victim to this campaign, allowing cybercriminals to steal more than 283,000 dollars in total.
Link(s):
https://www.scmp.com/news/hong-kong/law-and-crime/article/3124734/mail-delivery-phishing-scammers-cheat-hongkongers-out

 

USEFUL RESOURCES

Type of resources: Facebook launches new tools to raise awareness and track the COVID-19 pandemic
Target: General public
Publication Date: 03/15/2021
Description: Among the measures announced was the rollout of the COVID-19 information center on Instagram, a feature already available on Facebook since March 2020. In addition, Facebook has also launched a COVID-19-themed content aggregator on CrowdTangle, which provides access to the latest information relayed on social networks for 104 countries.
Link(s):
https://about.fb.com/news/2021/03/mark-zuckerberg-announces-facebooks-plans-to-help-get-people-vaccinated-against-covid-19/
https://about.instagram.com/blog/announcements/continuing-to-keep-people-safe-and-informed-about-covid-19
https://apps.crowdtangle.com/public-hub/covid19

 

Type of resources: Twitter introduces a system to ban users spreading misinformation about COVID-19 vaccines
Target: General public
Publication Date: 03/01/2021
Description: Twitter will apply labels to tweets deemed to contain misleading information about COVID-19 vaccines. Users behind these tweets will be permanently banned after five warnings. The company will initially rely on human moderators to decide whether tweets are misleading, and will then develop automated misinformation detection tools.
Link(s):
https://blog.twitter.com/en_us/topics/company/2021/updates-to-our-work-on-covid-19-vaccine-misinformation.html
https://www.zdnet.fr/actualites/twitter-s-attaque-a-la-desinformation-sur-les-vaccins-contre-le-covid-19-39918767.htm

 

OTHER NEWS

Country: France
Subject: The French Data Protection Authority (CNIL) released its opinion on the decree allowing the use of smart cameras to measure mask-wearing in public transport
Publication date: 03/12/2021
Description: This opinion follows the publication of a decree on March 10, 2021, which allows public transport companies and operators to use smart cameras in order to evaluate mask-wearing rates during the COVID-19 pandemic. The CNIL, which had requested the suspension of such systems last June, considers that this text now provides sufficient guarantees regarding the purpose of the intended data processing. Nevertheless, the CNIL emphasizes that the system must not be used to sanction offences.
Link(s):
https://www.cnil.fr/fr/avis-sur-le-decret-video-intelligente-port-du-masque

 

Country: France
Subject: The Paris Court of Law has requested that access be blocked to a website hosting the medical data of 500,000 French patients
Publication date: 03/04/2021
Description: Following a referral from the CNIL, the Paris Court of Law asked the main French Internet Service Providers (ISPs) to block access to a hosting company that was sharing a file containing medical data stolen from several laboratories. As mentioned in our previous newsletter, the distribution of this file was first reported by Zataz on February 14. Since then, the Secretary of State for Digital Transition, Cédric O, has stated that the French National Cybersecurity Agency (ANSSI) has been investigating this leak since November 2020.
Link(s):
https://www.cnil.fr/fr/fuite-de-donnees-de-sante-le-tribunal-judiciaire-de-paris-demande-le-blocage-dun-site-web

 

Country: United States
Subject: The U.S. Department of Justice seizes a domain name used to impersonate a company involved in the development of COVID-19 vaccines
Publication date: 03/09/2021
Description: The domain name “usaregenermedicals.com” impersonated a biotech company producing a treatment for COVID-19. The fraudulent website claimed to sell and distribute antibody drugs approved for the treatment of the virus. The goal was to collect victims’ personal information for use in fraud, phishing campaigns or malware deployment.
Link(s):
https://www.justice.gov/usao-md/pr/maryland-us-attorneys-office-seizes-fifth-domain-name-purporting-be-website-biotech

 

Country: United States
Subject: Personal information of patients screened for COVID-19 stored on unsecured servers
Publication date: 03/10/2021
Description: The testing service, operated by Utah-based Premier Diagnostics, stored sensitive information in two unsecured Amazon S3 buckets. In total, more than 200,000 images of identity documents (driver’s licenses, medical insurance cards and passports) were accessible without any authentication.
Link(s):
https://www.comparitech.com/blog/information-security/utah-covid-test-center-leak/