COVID-19: CYBERSECURITY WATCH #37 – June 03, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

To better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

THREATS

Attack: New Zealand healthcare provider hit by cyberattack
Method:
Phishing campaign
Target:
Waikato District Health Board (DHB)
Publication date:
05/19/2021
Description:
The cyberattack paralyzed computer systems, leading to the cancellation of many surgeries and outpatient activities at the 6 DHB-affiliated hospitals. In a statement, the health board asked that only those with urgent needs come to its health centers, while indicating that scheduling of COVID-19 tests and vaccinations remained operational.
Link(s):

https://www.waikatodhbnewsroom.co.nz/2021/05/19/waikato-dhb-information-system-update/
https://www.nzherald.co.nz/nz/waikato-dhb-cyber-attack-health-chief-delivers-update-two-weeks-after-hackers-cripple-it-systems/CXIMQLHZGYCQ3KV5K3CNETIBPQ/

 

Attack: Alaska Department of Health and Social Services hit by cyberattack
Method:
Currently unknown
Target:
Department of Health and Social Services (DHSS) Website
Publication date:
05/18/2021
Description:
In a statement, the DHSS reported a cyberattack that impacted the servers, computer systems and databases of its “dhss.alaska.gov” Website. However, even though the Website has been shut down, the service related to scheduling an appointment to receive the COVID-19 vaccine is still accessible because it is hosted on a different server. An investigation is in progress to determine if any confidential patient information has been compromised.
Link(s):

https://content.govdelivery.com/attachments/AKDHSS/2021/05/18
https://apnews.com/article/alaska-malware-health-coronavirus-pandemic-technology-632fac31013d719759330539bedefafd

 

Attack: FBI alert against the Conti ransomware, responsible for targeting healthcare facilities
Method:
Phishing campaign
Target:
Healthcare and first responder facilities
Publication date:
05/20/2021
Description:
The Conti ransomware, which operates as malware-as-a-service, is responsible for 16 attacks that have hit healthcare and first responder infrastructures such as emergency medical services or law enforcement. The criminal group is known to target the healthcare sector. It was previously involved in the attack on the Irish Health Service (HSE), reported in a previous watch bulletin.
Link(s):

https://www.aha.org/system/files/media/file/2021/05/fbi-tlp-white-report-conti-ransomware-attacks-impact-healthcare-and-first-responder-networks-5-20-21.pdf

 

Attack: Swedish public health agency hit by cyberattack
Method:
Currently unknown
Target:
SmiNet database
Publication date:
05/27/2021
Description:
The Swedish agency has shut down its database providing information on infectious diseases in the country after being targeted by cybercriminals. The database, named SmiNet, is used to store reports and statistics on COVID-19 infections. An investigation is underway to determine if sensitive information has been compromised.
Link(s):

https://www.bleepingcomputer.com/news/security/swedish-health-agency-shuts-down-sminet-after-hacking-attempts/

 

FRAUD

Attack: Cybercriminals impersonate meal-kit delivery platforms to steal banking information
Method:
Smishing campaign
Surface/Application:
Text messages
Publication date:
05/18/2021
Description:
With the rise of meal-kit delivery due to the COVID-19 pandemic, attacks targeting users of this type of platform are increasing. Researchers at Tessian have uncovered smishing campaigns impersonating meal-kit providers like HelloFresh or Gousto. Cybercriminals send fraudulent text messages asking users to click on a link that leads to a Website prompting them to enter their personal data. 
Link(s):

https://threatpost.com/scammers-meal-kit-services-customer-data/166282/

 

Attack: Cybercriminals exploit employees’ return to company offices to launch cyberattacks
Method:
Spear-phishing campaign
Surface/Application:
E-mails
Publication date:
05/27/2021
Description:
Cybercriminals are impersonating the Chief Information Security Officer (CISO) in order to send employees e-mails about new procedures to implement in a post-pandemic environment. The fraudulent e-mail contains a link to a page with two documents. In order to open these documents, the employee must provide login information that will then be collected by the attackers.
Link(s):

https://cofense.com/blog/phishing-credentials-covid/

 

Attack: Cybercriminals impersonate Walmart to steal personal information
Method:
Phishing campaign
Surface/Application:
E-mail
Publication date:
05/29/2021
Description:
Taking advantage of the online delivery boom due to the COVID-19 pandemic, cybercriminals send fraudulent e-mails claiming that the recipient’s Walmart package could not be delivered because of an incorrect e-mail address. The user is then prompted to update their e-mail address, which is collected by the attackers. The information collected will be used to create new frauds or launch spear-phishing campaigns.
Link(s):

https://www.bleepingcomputer.com/news/security/beware-walmart-phishing-attack-says-your-package-was-not-delivered/

 

Attack: Telegram messaging app used to sell fraudulent COVID-19 vaccination cards
Method:
Scam
Surface/Application:
Telegram
Publication date:
05/12/2021
Description:
With the emergence of vaccination campaigns and new measures to fight the pandemic, cybercriminals are using Telegram to sell fake vaccination cards. The fraudsters attach misinformation articles to their offer, presenting the harms of COVID-19 vaccines. The goal is to use the fear generated by the side effects of the vaccines to demonstrate the value of their offer and to encourage purchases.
Link(s):

https://threatpost.com/telegram-forged-covid-19-vaccine-cards/166093/

 

Attack: Cybercriminals target a U.S. organization delivering unemployment benefits to commit fraud
Method:
Currently unknown
Surface/Application:
Website
Publication date:
05/26/2021
Description:
Researchers at cybersecurity firm Agari uncovered a conversation in which Nigerian cybercriminals discussed how to commit unemployment fraud by impersonation via the Texas Workforce Commission (TWC) Website. The criminal organization, known as Scattered Canary, is attempting to fraudulently collect benefits offered for job loss due to COVID-19.
Link(s):

https://www.cybersecurity-insiders.com/texas-unemployment-website-hit-by-identity-fraud-cyber-attacks/

 

USEFUL RESOURCES

Type of resources: French government launches digital reminder book to report potential contact cases
Target:
General public
Publication date:
05/21/2021
Description:
People wishing to go to high-risk places (restaurants, bars) will have to scan a QR-Code via the TousAntiCovid application. The information collected will be encrypted and will correspond to the location, size and type of establishment frequented. Then, if an individual is found to be a contact case, all individuals who have been in the establishment will receive a notification with a color code according to the risk of exposure and instructions to follow.
Link(s):

https://www.lemondeinformatique.fr/actualites/lire-tousanticovid-la-fonction-signal-lancee-pour-acceder-a-certains-lieux-83034.html

 

Type of resources: Facebook develops new measures to fight misinformation, especially related to COVID-19
Target:
General public
Publication date:
05/26/2021
Description:
The Web giant is launching new functionalities in order to increase the user’s knowledge of the publications consulted and to reduce the diffusion of misinformation articles shared by ill-intentioned individuals. These measures include the implementation of an information verification system that will evaluate the published content and then notify and reduce the exposure of the article if it is considered as transmitting misinformation.
Link(s):

https://about.fb.com/news/2021/05/taking-action-against-people-who-repeatedly-share-misinformation/

 

Type of resources: Ameli health insurance launches a website to visualize the vaccination campaign in France
Target:
General public
Publication date:
05/28/2021
Description:
To inform the population about the deployment of COVID-19 vaccination in France, Ameli has created “datavaccin-covid.ameli.fr”. Using the databases of the health insurance and the National Institute of Statistics and Economic Studies (INSEE), the Website offers a map of vaccinated populations by department. The results can be filtered by age or type of vaccine administered.
Link(s):

https://www.ameli.fr/assure/actualites/covid-19-lancement-de-data-vaccin-covid-un-site-pour-visualiser-la-couverture-vaccinale-en-france
https://datavaccin-covid.ameli.fr/pages/home/

 

Type of resources: The “Digital Alliance against COVID-19” consortium launches a platform for evaluating and managing the mental health of patients
Target:
General public
Publication date:
05/27/2021
Description:
The platform, named “CoronaPsy.fr” and referenced on the Website of the Ministry of Solidarity and Health, lets anyone who wishes to know their clinical status assess how the pandemic has affected their mental health. The system, which is free of charge and anonymous, helps find the right treatment for the patient’s situation and provides information about the offers proposed by the government and health insurers.
Link(s):

https://www.ticsante.com/story/5702/l-alliance-digitale-contre-le-covid-19-deploie-sa-plateforme-coronapsyfr.html
https://maladiecoronavirus.fr/

 

OTHER NEWS

Country: France
Subject:
Misinformation campaign uses influencers to denigrate COVID-19 vaccine
Publication date:
05/25/2021
Description:
French YouTubers were contacted by a communication agency called Fazze to discredit the BioNTech-Pfizer vaccine in exchange for money. The French Minister of Health reacted by condemning this type of operation while indicating the progress of the vaccination campaign.
Link(s):

https://www.presse-citron.net/vaccins-une-campagne-de-desinformation-a-fait-appel-a-des-youtubeurs-francais/
https://www.bfmtv.com/sante/c-est-minable-olivier-veran-reagit-a-la-campagne-de-denigrement-du-vaccin-pfizer_VN-202105250162.html

 

Country: United States
Subject:
U.S. Department of Justice (DOJ) launches a Task Force to combat COVID-19 fraud
Publication date:
05/17/2021
Description:
Cybercriminals have taken advantage of U.S. federal benefits specifically put in place to limit the economic impact of the pandemic to develop frauds. To combat these attacks, the DOJ is creating a Task Force involving a dozen federal agencies such as the Department of Labor and the Department of Homeland Security. The goal is to detect fraud, dissuade cybercriminals and recover fraudulently acquired funds.
Link(s):

https://www.justice.gov/opa/pr/attorney-general-announces-task-force-combat-covid-19-fraud

 

Country: United States
Subject:
Healthcare nonprofit reports data leak of thousands of patients
Publication date:
05/25/2021
Description:
In a statement, Rehoboth McKinley Christian Health Care Services (RMCHCS) reported a data breach on its Website impacting 200,000 patients and employees. The health care provider distributes COVID-19 vaccines in Arizona and New Mexico. The information exposed included patients’ identities, medical record numbers, treatment and diagnosis.
Link(s):

https://portswigger.net/daily-swig/us-healthcare-non-profit-reports-data-breach-impacting-200-000-patients-employees
https://response.idx.us/rmchcs/

 

Country: Canada
Subject:
Website security breach exposes personal data of patients who booked COVID-19 vaccine appointments
Publication date:
05/22/2021
Description:
A member of the Hackfest community discovered a vulnerability on the Clic Santé Website, which Quebecers use to make an appointment to be vaccinated against COVID-19. The breach, which is believed to be due to human error, does not expose the name of the person who made the appointment. However, the health insurance number, which provides information on the date of birth, gender and certain letters of the patient’s first and last name, has been compromised.
Link(s):

https://ici.radio-canada.ca/nouvelle/1795328/faille-informatique-clic-sante-ministere-sante-vaccination

 

Country: India
Subject:
Security breach in the Website in charge of public health surveillance and monitoring in Bangalore exposes data related to COVID-19
Publication date:
05/27/2021
Description:
A coalition of Indian organizations, called the Free Software Movement of India, has uncovered a data leak due to a vulnerability in software used by the Bruhat Bengaluru Mahanagara Palike Website. The exposed information can be accessed with a simple phone number and includes, among other things, the name, COVID-19 test result and the name of the patient’s hospital, if they have been hospitalized.
Link(s):

https://www.news18.com/news/india/health-data-breach-bengaluru-civic-body-exposes-covid-19-patients-info-blocks-website-after-alert-3781106.html
https://twitter.com/fsmi_in/status/1397420181584891906/photo/1