COVID-19: CYBERSECURITY WATCH #36 – May 20, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

THREATS

Attack: Cybercriminals send a text message using a COVID-19 vaccination campaign lure to spread malware
Method:
Malicious application
Target:
Indian Android users
Publication date:
05/03/2021
Description:
This malware named “SMS Worm” sends a text message prompting Android users to click on a link to download a fake appointment-booking app to be vaccinated against COVID-19. Once the worm is installed, it can collect sensitive information from the device and perform tasks such as automatically sending text messages to the victim’s contacts.
Link(s):
https://cybleinc.com/2021/05/03/android-sms-worm-impersonating-covid-19-vaccine-registration-app-spreads-via-text-messages/

 

Attack: U.S. health care provider targeted by cyberattack
Method:
Currently unknown
Target:
Scripps Health, United States
Publication date:
05/02/2021
Description:
The cyberattack paralyzed the computer system and online appointment booking of the institution that operates five hospitals and 19 outpatient facilities in California. The organization issued a statement saying that emergency services and patient care were still operational. However, four of its hospitals have transferred some of their critical care patients to other healthcare facilities.
Link(s):
https://www.sandiegouniontribune.com/breaking/story/2021-05-02/scripps-hospitals-it-by-it-security-incident-but-patient-care-go
https://twitter.com/ScrippsHealth/status/1388942153682882560

 

Attack: Ukrainian government targeted by phishing campaign
Method:
Spear-phishing campaign
Target:
Ukrainian government security service
Publication date:
05/03/2021
Description:
FortiGuard Labs researchers uncovered a phishing campaign impersonating the World Health Organization (WHO), with a fictitious “COVID-21” as the subject. The e-mail purported to come from a political official at the U.S. Embassy and was distributed through Gmail servers. The cybercriminals are using a malware loader called Saint Bot that has been used in previous phishing campaigns targeting government organizations.
Link(s):
https://www.fortinet.com/blog/threat-research/spearphishing-attack-uses-covid-21-lure-to-target-ukrainian-government
https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/

Attack: Cybercriminals impersonate DHL to conduct a phishing campaign
Method: Phishing campaign
Target: General public
Publication date: 05/03/2021
Description: With the increase in online shopping due to the pandemic, carrier impersonation is increasingly used in phishing campaigns. In this case, cybercriminals are sending DHL shipping notices containing a link to a malicious Microsoft Word or Excel document download using a new variant of the Buer malware loader named RustyBuer.
Link(s):
https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust
https://thehackernews.com/2021/05/a-new-buer-malware-variant-has-been.html

 

Attack: Irish Health Service (HSE) victim of ransomware
Method:
Phishing campaign
Target:
Irish Health Service
Publication date:
05/17/2021
Description:
This cyberattack paralyzed the health organization’s IT systems. Apart from the radiology department and the cancellation of some appointments, most services remain functional, including emergency rooms and vaccination centers. The criminal group Conti, responsible for this attack, is known to target the health sector. It has already been the subject of an alert by the FBI and CISA reported in a previous watch bulletin. 
Link(s):
https://www.bleepingcomputer.com/news/security/irish-healthcare-shuts-down-it-systems-after-conti-ransomware-attack/
https://www.hse.ie/eng/services/news/media/pressrel/hse-cyber-security-incident.html

 

FRAUDS

Attack: Cybercriminals impersonate the World Health Organization (WHO) to launch a scam campaign
Method:
Fraudulent website
Surface/Application:
Internet
Publication date:
04/30/2021
Description:
A distributed network of 134 malicious websites posing as the WHO on World Health Day has been taken down. The scam prompted users to take a fake survey that promised a monetary reward, and was used to run phishing campaigns. To legitimize the scheme, the cybercriminals posted fake comments from Facebook users claiming to have received gifts and invited victims to share the survey link with their contacts.
Link(s):
https://www.group-ib.com/media/who-scam-campaign/

 

Attack: A French website to book an appointment to be vaccinated usurped by cybercriminals
Method:
Domain name theft
Surface/Application:
Internet
Publication date: 05/11/2021
Description: The website “Vite ma dose!”, which helps to find vaccination slots, has been usurped by ill-intentioned people. The latter purchased the domain name “vitemadose[dot]fr”, on which they publish messages hostile to vaccination. The authors of the usurpation are believed to be related to the Committee for Research and Independent Information on Genetic Engineering (Criigen), an organization specialized in vaccine disinformation.
Link(s):

https://www.numerama.com/sciences/710556-attention-ce-faux-site-vite-ma-dose-ne-permet-pas-du-tout-de-trouver-un-rendez-vous.html

 

USEFUL RESOURCES

Type of resources: The medical appointment system Doctolib launches a website that allows users to follow the evolution of the vaccination campaign and to fight against misinformation
Target:
General public
Publication date:
04/29/2021
Description:
The website, “www.doctolib.fr/defivaccination,” provides access to statistics that help understand the COVID-19 vaccination campaign. The statistics come from local, regional, national, and global sources from Doctolib, Data.gouv.fr, and “Our world in data.” The information provided includes the volume and age of people vaccinated.
Link(s):

https://www.ticsante.com/story.php
https://about.doctolib.fr/vaccination/statistiques.html

 

OTHER NEWS

Country: United States
Subject:
U.S. Department of Justice seizes domain name falsely purporting to provide COVID-19 vaccines
Publication date:
05/03/2021
Description:
The U.S. Attorney’s Office for the District of Maryland has seized “freevaccinecovax.org” which purported to be the Website of a biotechnology company developing a COVID-19 vaccine. The information collected by the cybercriminals has been used to develop frauds, phishing campaigns or deploy malware.
Link(s):

https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/press-releases/maryland-us-attorneys-office-seizes-domain-name-falsely-purporting-provide-covid-19-vaccines
https://www.hackread.com/feds-seize-fraud-covid-19-vaccine-domain/ 

 

Country: United States
Subject:
Pennsylvania Department of Health (PDH) vendor’s failure to follow security protocol leads to compromise of COVID-19-related information
Publication date:
04/29/2021
Description:
Insight Global employees, who were responsible for collecting personal information from people who had been in contact with COVID-19 cases, created copies of the collected data on unsecured servers. This exposed the names, phone numbers, e-mail addresses and COVID-19 test results of 72,000 Pennsylvanians. PDH and the vendor have initiated an investigation to determine the extent of the incident.
Link(s):

https://www.wpxi.com/news/investigates/whistleblower-led-target-11-unsecured-contact-tracing-data-state/TCSWQQ5YPRDVDBSTE5IMVYSCH4/
https://insightglobal.com/notice-of-data-event

 

Country: United States
Subject:
Wyoming Department of Health (WDH) employee exposes COVID-19-related health data of thousands of patients
Publication date:
04/27/2021
Description:
In a statement, WDH announced that an employee mistakenly uploaded the health information of 160,000 patients to private and public online storage locations on servers belonging to GitHub.com. The exposed information included patients’ names, addresses, dates of birth and COVID-19 test results.
Link(s):

https://health.wyo.gov/exposure-of-laboratory-test-result-data-described/

 

Country: United States
Subject:
Computer incident results in data leak from St. John’s Well Child and Family Center
Publication date:
05/06/2021
Description:
The center, which is responsible for delivering vaccines and COVID-19 tests at multiple sites in Los Angeles, experienced a security incident that resulted in the leak of 29,000 patients’ medical data. The information included names and social security identification numbers, medical treatment information and patient diagnoses.
Link(s):

https://www.wellchild.org/Website-Statement.St.Johns.pdf
https://www.beckershospitalreview.com/cybersecurity/la-clinic-that-hosts-covid-19-vaccine-test-sites-hit-by-data-breach-affecting-29-000.html

 

Country: United Kingdom
Subject:
Process error on UK National Health Service (NHS) Website allows leak of patient medical data
Publication date:
05/06/2021
Description:
The NHS website allows users to book appointments for COVID-19 vaccinations. However, after a user enters a person’s personal details (last name, first name, date of birth and postal code), the replies returned by the platform differ depending on that person’s vaccination status, so the status is disclosed to anyone who knows those details.
Link(s):

https://www.theguardian.com/world/2021/may/06/nhs-covid-jab-booking-site-leaks-peoples-vaccine-status
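The failure mode in this item is a booking form that acts as a status oracle: the reply text branches on the record's state, so the form answers a question the requester was never authorized to ask. The added example below (written for this bulletin; it is not the NHS booking site's code and makes no claim about its implementation) contrasts a vulnerable lookup with a hardened one that returns the same reply for every input and releases status only after a one-time code sent to the contact on record. All patient records, contact values and messages are constructed; `response_oracle` is a hypothetical check a defender can run against either flow.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
import hmac
import secrets


@dataclass(frozen=True)
class Patient:
    surname: str
    dob: str        # ISO-8601 date of birth
    postcode: str
    doses: int      # doses recorded so far
    contact: str    # contact channel on record (constructed placeholder)


# Constructed sample records; these are not real people.
RECORDS: Dict[Tuple[str, str, str], Patient] = {
    ("smith", "1980-01-02", "sw1a1aa"): Patient("Smith", "1980-01-02", "SW1A 1AA", 2, "+44-0000-000001"),
    ("jones", "1975-06-30", "m11aa"):   Patient("Jones", "1975-06-30", "M1 1AA",   0, "+44-0000-000002"),
    ("khan",  "1990-11-11", "b11aa"):   Patient("Khan",  "1990-11-11", "B1 1AA",   1, "+44-0000-000003"),
}

# Simulated out-of-band challenge store: contact channel -> one-time code.
_CHALLENGES: Dict[str, str] = {}


def _key(surname: str, dob: str, postcode: str) -> Tuple[str, str, str]:
    """Normalise the identifying details used to find a record."""
    return (surname.strip().lower(), dob.strip(), postcode.replace(" ", "").lower())


def lookup_vulnerable(surname: str, dob: str, postcode: str) -> str:
    """Weak flow: the reply branches on the record's dose count.

    Anyone who can supply name, date of birth and postcode learns the
    patient's vaccination status from the text alone.
    """
    p = RECORDS.get(_key(surname, dob, postcode))
    if p is None:
        return "We could not find your record. Please check your details."
    if p.doses >= 2:
        return "Our records show you have already had both doses."
    if p.doses == 1:
        return "Please choose a slot for your second dose."
    return "Please choose a slot for your first dose."


def lookup_hardened(surname: str, dob: str, postcode: str) -> str:
    """Hardened flow: one reply for every input, whether or not a record matched.

    If a record matches, a one-time code is issued to the contact channel on
    record (simulated here). Status-dependent text appears only after the
    requester presents that code, i.e. proves control of the channel.
    """
    p = RECORDS.get(_key(surname, dob, postcode))
    if p is not None:
        _CHALLENGES[p.contact] = secrets.token_hex(3)
    return ("If your details match a record, we have sent a code to the "
            "contact details we hold. Enter it to continue.")


def status_after_challenge(surname: str, dob: str, postcode: str, code: str) -> str:
    """Release status only once the one-time code has been presented."""
    p = RECORDS.get(_key(surname, dob, postcode))
    expected = _CHALLENGES.get(p.contact, "") if p is not None else ""
    # Constant-time compare, run on every path so a miss does the same work.
    ok = hmac.compare_digest(expected, code)
    if p is None or not ok:
        return "Verification failed."
    _CHALLENGES.pop(p.contact, None)   # codes are single use
    if p.doses >= 2:
        return "Our records show you have already had both doses."
    return f"Please choose a slot for dose {p.doses + 1}."


def response_oracle(lookup: Callable[[str, str, str], str]) -> bool:
    """Defensive check: does the lookup's reply vary with the patient's status?

    Returns True when the same kind of query yields different text for
    records with different dose counts or for unmatched details, which is
    exactly the property that turns the form into a status oracle.
    """
    probes = [("Smith", "1980-01-02", "SW1A 1AA"),   # two doses on record
              ("Khan", "1990-11-11", "B1 1AA"),      # one dose on record
              ("Jones", "1975-06-30", "M1 1AA"),     # no doses on record
              ("Nobody", "2000-01-01", "ZZ9 9ZZ")]   # no record at all
    replies = {lookup(*probe) for probe in probes}
    return len(replies) > 1
```

The uniform reply in `lookup_hardened` is what closes the oracle; the challenge step is what lets the legitimate patient still get a useful answer. The check only covers response text: a real review would also compare response timing, status codes and redirects across the same probes, and pair the change with rate limiting on the lookup endpoint.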

 

Country: Unknown
Subject:
A student at a European institute involved in COVID-19-related research accidentally downloads software containing Ryuk
Publication date:
05/06/2021
Description:
The student was looking for a free version of a software product and decided to download a “cracked” version instead. This version contained the Ryuk ransomware, which harvested the student’s credentials for the institute. Once inside the network, the malware paralyzed the organization’s IT system. A week’s worth of research was lost, along with COVID-19-related data, because backups were not fully up to date.
Link(s):

https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/
https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-research-institute-through-a-student-who-wouldnt-pay-for-software/