COVID-19: CYBERSECURITY WATCH #38 – June 17, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

THREATS

Attack: A Florida healthcare network victim of ransomware
Method:
Currently unknown
Target:
University of Florida Health (UF Health), United States
Publication date:
06/03/2021
Description:
Two hospitals belonging to the UF Health network, “The Villages Hospital” and “Leesburg Hospital”, were targeted by a cyberattack. Apart from the information systems, all healthcare services remain operational, including those established to fight COVID-19.
Link(s):
https://www.bleepingcomputer.com/news/security/uf-health-florida-hospitals-back-to-pen-and-paper-after-cyberattack/



Attack: The Department of Health of an Australian state impacted by the compromise of file transfer software provided by Accellion
Method:
Exploitation of a zero-day vulnerability
Target:
New South Wales Department of Health (NSW Health), Australia
Publication date:
06/04/2021
Description:
NSW Health, in charge of managing COVID-19 in the Australian state, suffered a data breach caused by a vulnerability in Accellion’s file transfer software. The compromised data included identity and health information. However, public hospital medical records were not affected. This is the third Australian entity to be impacted by the exploitation of this vulnerability, after the government entity Transport for NSW and the QIMR Medical Research Institute, both reported in a previous watch bulletin.
Link(s):

https://www.zdnet.com/article/nsw-health-confirms-data-breached-due-to-accellion-vulnerability/
https://www.health.nsw.gov.au/news/Pages/20210604_02.aspx

 

Attack: Sensitive data belonging to healthcare providers exposed by cybercriminals
Method:
Currently unknown
Target:
GlobMed Saudi, Saudi Arabia – OSF HealthCare and Coastal Family Health Center, United States
Publication date:
06/11/2021
Description:
Cybercriminals exposed sensitive information belonging to healthcare entities on a dedicated website. The data collected from healthcare provider GlobMed Saudi included information related to COVID-19, such as a census of people who were contact cases or had contracted the virus. The relatively unknown group of cybercriminals “Xing Team” is believed to be behind these attacks.
Link(s):

https://www.databreaches.net/healthcare-entities-in-saudi-arabia-illinois-and-mississippi-fall-prey-to-xing-team/

 

Attack: Polish government targeted by cyberattacks that led to a disclosure of data on COVID-19 restrictions in the country
Method:
Phishing campaign
Target:
Several institutions and members of the Polish government
Publication date:
06/15/2021
Description:
Poland’s vaccination chief, Michal Dworczyk, is among the victims of a phishing campaign aimed at their personal e-mail accounts. Documents were recently released on Telegram, including information about COVID-19 pandemic restrictions in the country. Dworczyk said, however, that none of the documents were confidential and that some of them were fabricated.
Link(s):

https://www.securityweek.com/poland-target-unprecedented-cyber-attacks-govt
https://www.euractiv.com/section/politics/short_news/more-emails-of-polands-pm-office-head-dworczyk-leaked/

 

FRAUDS

Attack: Cybercriminals target the Indian government in a phishing campaign exploiting COVID-19 vaccination
Method:
Phishing / Smishing
Surface/Application:
E-mail / Text message / WhatsApp
Publication date:
06/11/2021
Description:
Indian government officials, including some from the Ministry of Defense and Foreign Affairs, are being targeted by a cyberattack. The attackers send fraudulent e-mails and text messages asking users to update their immunization status by clicking on a link. The link leads to a website impersonating a government site that prompts users to enter their official e-mail address and password.
Link(s):

https://securereading.com/malicious-web-link-targets-indian-government-officials
https://www.hindustantimes.com/india-news/phishing-attack-targets-officials-through-rogue-mail-from-government-id-101613605003186.html

 

Attack: A phishing campaign targeting US healthcare provider causes data leak  
Method:
Phishing campaign
Surface/Application:
E-mail
Publication date:
06/11/2021
Description:
On May 28, 2021, Five Rivers Health Centers, which is in charge of administering COVID-19 vaccines, was the target of a phishing campaign. After investigation, it was discovered that the sensitive information of 155,748 patients was exposed. Among the leaked data were patients’ names, medical diagnoses and test results.
Link(s):

https://www.databreaches.net/oh-five-rivers-health-centers-notified-155748-patients-after-phishing-incident/

 

Attack: Cybercriminal sells COVID-19 vaccination data of millions of Italians on the deepWeb
Method:
Currently unknown
Surface/Application:
DeepWeb
Publication date:
06/12/2021
Description:
After exploiting several vulnerabilities, a cybercriminal was able to extract data related to the COVID-19 vaccination of 7.4 million Italians. This information, including e-mail addresses, hashed passwords, names, addresses and phone numbers, was then sold on a deepWeb forum.
Link(s):

https://twitter.com/darktracer_int/status/1403644215028895745

 

USEFUL RESOURCES

Type of resources: The French Data Protection Authority (CNIL) gives its opinion on the “health pass” implemented as part of the fight against COVID-19
Target:
General public
Publication date:
06/07/2021
Description:
The CNIL has expressed certain reservations about the conditions for implementing a “health pass” to access places hosting more than 1,000 people. The Commission asks the government to specify the list of places requiring a “health pass”, to transmit an impact analysis on data protection and to use a more decentralized architecture to store the collected data.
Link(s):

https://www.cnil.fr/fr/covid-19-la-cnil-rend-son-avis-sur-les-conditions-de-mise-en-oeuvre-du-passe-sanitaire

 

OTHER NEWS

Country: International
Subject:
Dismantling of online pharmacies selling illicit drugs and medical products
Publication date:
06/08/2021
Description:
INTERPOL launched a major operation, named Pangea XIV, which shut down and deleted 113,020 web links, including websites and online marketplaces. The operation also resulted in the seizure of approximately 9 million illicit medical devices and pharmaceuticals, including falsified and unauthorized COVID-19 test kits. These account for more than half of all medical devices seized.
Link(s):

https://www.interpol.int/fr/Actualites-et-evenements/Actualites/2021/Thousands-of-fake-online-pharmacies-shut-down-in-INTERPOL-operation
https://www.bleepingcomputer.com/news/security/interpol-shuts-down-thousands-of-fake-online-pharmacies/

 

Country: European Union (EU)
Subject:
Launch of a technical platform verifying digital COVID-19 certificates on a European scale
Publication date:
06/01/2021
Description:
The platform named “Gateway” and the digital COVID certificate aim to organize inter-EU travel in the context of the current health crisis. The certificate is proof that the holder has been vaccinated against COVID-19, has received a negative test result or has recovered from an infection. The platform allows verification of the security features contained in the QR codes of all certificates.
Link(s):
https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2721

 

Country: France
Subject:
The French National Cybersecurity Agency (ANSSI) strengthens the security level of a hundred health institutions
Publication date:
06/10/2021
Description:
The General Director of the ANSSI, Guillaume Poupard, announced that about 135 healthcare establishments, including about 100 hospitals, will be designated as Essential Service Operators (OSE) starting in September 2021. This designation, introduced by the European NIS (Network and Information Security) Directive, implies the application of stricter IT security standards that the ANSSI will be responsible for monitoring. 
Link(s):
https://www.franceinter.fr/economie/lutte-contre-les-cyberattaques-l-anssi-eleve-le-niveau-de-securite-de-140-hopitaux
https://www.franceinter.fr/emissions/l-invite-de-6h20/l-invite-de-6h20-10-juin-2021