COVID-19: CYBERSECURITY WATCH #34 – April 15, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on a malware spreading campaign on collaboration tools

Attack: Cybercriminals impersonate the World Health Organization (WHO) on Discord and Slack to spread malware
Method: Phishing campaign
Target: General public
Publication date: 04/07/2021
Link(s):
https://blog.talosintelligence.com/2021/04/collab-app-abuse.html

Description 

As remote working becomes the norm during the COVID-19 pandemic, Talos researchers analyzed the changing tactics of cybercriminals. Talos has observed a significant increase in the misuse of several collaboration platforms, such as Discord and Slack, to spread malware.

The use of these collaborative platforms provides an additional means of implementing social engineering techniques to easily convince victims to open malicious attachments. This type of distribution has been used to transmit a variety of RATs (Remote Access Trojans) and other malware such as:

  • Agent Tesla
  • AsyncRAT
  • Formbook

Modus operandi

Cybercriminals posed as the World Health Organization (WHO). The e-mail sent to the victims asks them to download a new COVID-19 prevention document hosted on Discord. The download link leads to a ZIP archive containing a batch file (“.bat”). This script then downloads a Word document from Google Drive. The document contains a macro that runs when the document is closed; the macro downloads the “Nymaim” Trojan from a compromised website.

This is a complex infection process involving several legitimate services, including Discord and Google Drive. However, it requires the victim to open several files before the infection is complete, which gives user awareness and attachment filtering several chances to break the chain.

Indicators of compromise (IoCs) are listed at the end of the Talos Intelligence article.
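As an added example (not part of this bulletin or of the Talos article), the following Python script correlates constructed web-proxy log lines to flag the first two stages of the chain described above: an archive fetched from Discord's CDN followed, from the same client and within a short window, by a Google Drive download. The log format, client addresses and URLs are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (assumed format: "<ISO timestamp> <client_ip> GET <url> <status>").
SAMPLE_LOGS = """\
2021-04-07T09:12:01 10.0.0.12 GET https://cdn.discordapp.com/attachments/111/222/covid19_prevention.zip 200
2021-04-07T09:12:40 10.0.0.12 GET https://drive.google.com/uc?export=download&id=FILEID_PLACEHOLDER 200
2021-04-07T09:13:55 10.0.0.12 GET http://compromised-site.example/update.exe 200
2021-04-07T10:02:13 10.0.0.34 GET https://cdn.discordapp.com/attachments/333/444/team_photo.png 200
2021-04-07T10:30:00 10.0.0.56 GET https://drive.google.com/uc?export=download&id=OTHERID 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET (\S+) (\d{3})$")

# Stage patterns: an archive served from Discord's attachment CDN, then a Google Drive direct download.
STAGES = [
    ("discord_archive", re.compile(r"^https://cdn\.discordapp\.com/attachments/.+\.(zip|rar|7z)$", re.I)),
    ("gdrive_download", re.compile(r"^https://drive\.google\.com/uc\?export=download", re.I)),
]


def parse(log_text):
    """Yield (timestamp, client, url) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_chains(log_text, window=timedelta(minutes=15)):
    """Return one hit per client that fetched a Discord-hosted archive and then a Drive download within `window`."""
    per_client = defaultdict(list)
    for ts, client, url in parse(log_text):
        for name, pat in STAGES:
            if pat.search(url):
                per_client[client].append((ts, name, url))
    hits = []
    for client, events in per_client.items():
        events.sort()  # chronological order per client
        for i, (ts, name, url) in enumerate(events):
            if name != "discord_archive":
                continue
            for ts2, name2, url2 in events[i + 1:]:
                if ts2 - ts > window:
                    break  # outside the correlation window; stop scanning this stage-1 event
                if name2 == "gdrive_download":
                    hits.append({"client": client, "first": url, "second": url2,
                                 "delta_s": (ts2 - ts).total_seconds()})
                    break
    return hits
```

A single Discord or Drive download is common benign traffic; the correlation is what makes the alert actionable, and the hit can then be enriched with the IoCs the Talos article publishes.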


THREATS

Attack: Companies working to deliver COVID-19 vaccines and therapeutics to curb the pandemic targeted by cyberattacks
Method: Spear-phishing
Target: Executives with access to clinical research and intellectual property
Publication date: 03/31/2021
Description: In the first quarter of 2021, SlashNext Threat Labs observed that more than 1,000 domains of companies involved in COVID-19 research were targeted by spear-phishing. Cybercriminals are redirecting victims to Office 365 login pages hosted on legitimate domains in an effort to steal sensitive account credentials.
Link(s):
https://www.slashnext.com/blog/thousands-of-zero-day-spear-phishing-attacks-continue-to-target-covid-19-pharmaceuticals/

Attack: The French national center for distance education (CNED) targeted by cyberattacks
Method: Distributed Denial of Service (DDoS) attack
Target: Website CNED.fr
Publication date: 04/06/2021
Description: Following the new measures to fight against COVID-19 in France, several million students have started distance learning. However, the institutional platforms of “CNED.fr” and the educational continuity website “Ma classe à la maison”, which are designed for this purpose, have suffered from slow connections and interruptions. According to the Ministry of National Education, these slowdowns are reportedly the consequence of several DDoS attacks.
Link(s):
https://www.education.gouv.fr/ma-classe-la-maison-et-ent-322883
https://www.web24.news/u/2020/04/cned-victim-of-several-cyberattacks-since-the-start-of-containment.html

Attack: A French hospital was hit by ransomware
Method: Currently unknown
Target: The hospital of Saint-Gaudens, Comminges-Pyrénées
Publication date: 04/08/2021
Description: This cyberattack paralyzed the hospital’s information system. Except for the emergency department, many of its healthcare activities have been suspended, including the booking of appointments for COVID-19 tests. This is the fourth French hospital targeted by ransomware since February, after the attacks against the hospitals of Oloron-Sainte-Marie, Villefranche-sur-Saône and Dax reported in previous bulletins.
Link(s):
https://www.ladepeche.fr/2021/04/09/cyberattaque-a-saint-gaudens-lhopital-reprend-ses-activites-9478743.php


FRAUD

Attack: Cybercriminals use fake surveys with COVID-19 decoys to steal money and personal information
Method: Phishing campaigns
Surface/Application: E-mails/text messages
Publication date: 04/01/2021
Description: The U.S. Department of Justice (DOJ) warns of phishing campaigns promising cash or prizes after participating in fake COVID-19 vaccine surveys. In order to receive their prize, victims are asked to pay shipping costs or provide personal information. The attackers will then use the collected data to develop new frauds.
Link(s):
https://www.bleepingcomputer.com/news/security/us-doj-phishing-attacks-use-vaccine-surveys-to-steal-personal-info/


USEFUL RESOURCES

Type of resources: Trend Micro researchers analyze the use of COVID-19 vaccines as a lure by cybercriminals
Target: General public
Publication date: 03/31/2021
Description: This blog post highlights the use of vaccine-themed lures by attackers. It details, with various case studies, the malware, spam, phishing schemes, malicious websites and illicit markets that have been used to perpetrate the scams. Trend Micro also presents solutions to protect against these types of threats.
Link(s):
https://www.trendmicro.com/en_us/research/21/c/injecting-deception-covid-19-vaccine-related-threats.html

Type of resources: Two websites offer alerts on the availability of vaccination appointments
Target: General public
Publication date: 04/07/2021
Description: “Covidliste” is a platform that connects healthcare facilities and professionals who have unused vaccine doses with eligible and ineligible volunteers. “Vite Ma Dose” is a “CovidTracker” tool that detects available COVID-19 vaccination appointments in your area. Unlike “Covidliste”, it requires users to be eligible for vaccination.
Link(s):
https://www.lesechos.fr/tech-medias/hightech/covidliste-et-vite-ma-dose-initiatives-citoyennes-pour-fluidifier-la-vaccination-1304976
https://covidtracker.fr/vitemadose/
https://www.covidliste.com/

Type of resources: The French National anti-Scam Task-Force publishes a prevention guide
Target: General public
Publication date: 04/07/2021
Description: The health crisis has led to an increase in fraud targeting consumers and businesses. In this context, the National Police Task-Force reminds us of good practices to adopt in order to protect ourselves from online shopping scams, fake administrative websites and phishing campaigns.
Link(s):
https://www.police-nationale.interieur.gouv.fr/Actualites/L-actu-police/Guide-de-prevention-contre-les-arnaques-un-appel-a-la-vigilance


OTHER NEWS

Country: Germany
Subject: Personal data of thousands of people tested for COVID-19 leaked online
Publication date: 04/10/2021
Description: German security researchers from the IT collective “Zerforschung” discovered a security flaw that made the names, addresses, dates of birth, telephone numbers and e-mail addresses of 17,000 people screened for COVID-19, as well as 7,000 test results, accessible for several hours. Eventus Media International, which has been commissioned by the Federal Ministry of Health (BMG) to manage registration for 9 test centers in Hamburg, Berlin, Dortmund, Leipzig and Schwerte, has indicated its intention to submit its IT systems to security checks.
Link(s):
https://pledgetimes.com/huge-glitch-data-leak-at-corona-test-centers-thousands-of-people-affected-2/
https://zerforschung.org/posts/eventus-testzentren/