COVID-19: CYBERSECURITY WATCH #39 – July 1, 2021

In light of the current health crisis, the CERT of digital.security (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.

 

Focus on ReverseRAT malware

Attack: Cybercriminals take advantage of the vaccination against COVID-19 in India to spread the new malware ReverseRAT
Method: Spear-phishing campaign
Target: Government entities and companies in the energy sector in India
Publication date: 06/22/2021
Link(s):
https://thehackernews.com/2021/06/pakistan-linked-hackers-targeted-indian.html
https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/

Description

Lumen’s research laboratory has detected a new malware, called ReverseRAT. It is distributed in attacks targeting very specific actors in the Indian government or personnel attached to companies in the energy sector.

Although the initial means of transmission have not been identified, the ReverseRAT malware likely spreads via phishing e-mails or messages. In this campaign, the fraudulent e-mails exploit lures related to Indian events, in particular by pretending to provide a user manual for booking a vaccination appointment through the CoWIN government portal.

The attackers’ modus operandi is very similar to that of another campaign, “Operation SideCopy”, which has targeted the Indian Army since 2019. This campaign is carried out by advanced actors who seek discretion above all and regularly modify their malware to evade antivirus software.

Modus operandi

The compromise proceeds in three stages. The victim downloads a ZIP archive containing two files: a decoy PDF document and a shortcut file (.lnk). The shortcut downloads an HTML application (.HTA file).

When run, this application downloads the GitHub project “CactusTorch”, a tool that injects the code of one program into a running process. The injected program is called “preBotHta.pdb”; it in turn downloads ReverseRAT.

ReverseRAT aims to collect any information of interest from its host before transmitting it, encrypted, to its command-and-control server. It relies on Windows Management Instrumentation (WMI) to do so. It can also download files, start processes, take screenshots, etc.

As a fallback, another open-source remote-control malware, “AllaKore”, is downloaded via a .HTA file.

The Indicators of Compromise (IOCs) are listed in the Lumen article cited above.
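The first stage described above (a ZIP archive pairing a decoy document with a shortcut file) is something a mail gateway or sandbox can flag before any .HTA is ever fetched. The following triage script is an added example, not code from the original newsletter or from Lumen: it builds a constructed sample archive that mimics the lure, then checks every member for a genuine Windows Shell Link header (which catches shortcuts renamed to hide their type, a check that goes beyond the page) and reports when a shortcut sits beside a document.

```python
import io
import zipfile

# A .lnk file starts with HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046, stored little-endian on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def lnk_header_present(data: bytes) -> bool:
    """True if the bytes begin with a Windows Shell Link header."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def triage_archive(zip_bytes: bytes) -> dict:
    """Inspect a ZIP and report the decoy-document + shortcut lure pattern."""
    findings = {"shortcuts": [], "decoys": [], "disguised": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            head = zf.read(info.filename)[:len(LNK_MAGIC)]
            if lnk_header_present(head):
                findings["shortcuts"].append(info.filename)
                # a shell link whose name does not end in .lnk is hiding its type
                if not name.endswith(".lnk"):
                    findings["disguised"].append(info.filename)
            elif name.endswith(DOC_EXTS):
                findings["decoys"].append(info.filename)
    # the campaign's lure: at least one real shortcut next to a document
    findings["suspicious"] = bool(findings["shortcuts"]) and bool(findings["decoys"])
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real capture): a decoy PDF beside a shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CoWIN_vaccine_booking_manual.pdf", b"%PDF-1.4\n% decoy placeholder\n")
        # the shortcut uses a double extension so it looks like the manual
        zf.writestr("CoWIN_vaccine_booking_manual.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```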

 

THREATS

Attack: Cybercriminals exploit COVID-19 to spread Agent Tesla Remote Access Trojan (RAT)
Method: Phishing campaign
Target: Companies
Publication date: 06/15/2021
Description: A phishing campaign targeting Windows machines is used to deliver the Agent Tesla RAT. The attackers use a lure about technical issues in the COVID-19 vaccine appointment scheduling process to trick victims into opening a malicious attachment. Once downloaded, the malware spreads and Agent Tesla records keystrokes while retrieving passwords stored in the browser. See our focus on Agent Tesla presented in a previous newsletter.
Link(s):
https://hotforsecurity.bitdefender.com/blog/threat-actors-spread-agent-tesla-disguised-as-covid-19-vaccination-registration-25998.html

 

Attack: Brazilian medical diagnostics company targeted by a cyberattack 
Method: Currently unknown
Target: Grupo Fleury, Brazil
Publication date: 06/23/2021
Description: The medical diagnostics company, Grupo Fleury has suffered a ransomware attack that paralyzed its IT systems. The disruption rendered the scheduling of laboratory tests, including those related to COVID-19 testing, inoperable. Even though the company has not commented on the matter, it appears that the REvil ransomware was responsible for the attack. The latter is known to target the health sector and is responsible for numerous attacks in Brazil, such as the one that affected the meat producer JBS Friboi.
Link(s):
https://www.bleepingcomputer.com/news/security/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack/

 

Attack: A US healthcare center targeted by a cyberattack
Method: Currently unknown
Target: Stillwater Medical Center, Oklahoma
Publication date: 06/16/2021
Description: The healthcare center in charge of many hospitals and clinics involved in the management of COVID-19 suffered a ransomware attack. Although the attack paralyzed the IT systems and canceled some appointments, the healthcare provider indicated that patient care continued to be provided.
Link(s):
https://www.scmagazine.com/home/health-care/health-care-ransomware-attacks-oklahoma-health-system-driven-to-ehr-downtime/
https://www.stillwater-medical.org/node/790

 

Attack: Canadian hospital victim of a ransomware attack
Method: Currently unknown
Target: Humber River Hospital, Toronto
Publication date: 06/15/2021
Description: The hospital charged with providing healthcare to fight COVID-19 was the target of a cyberattack. Even though the hospital responded quickly to limit the impact of the ransomware, the IT system was paralyzed and ambulances were redirected to other healthcare facilities. 
Link(s):
https://www.hrh.ca/2021/06/15/code-grey/
https://www.databreaches.net/ca-humber-river-hospital-hit-by-ransomware-variant-prompt-response-prevented-encryption-and-exfiltration/

 

Attack: Cybercriminals target Portuguese hospital
Method: Currently unknown
Target: Hospital do Divino Espirito Santo, Ponta Delgada
Publication date: 06/28/2021
Description: Hospital do Divino Espirito Santo suffered a malware attack that paralyzed its IT system. The incident has caused delays in sending COVID-19 negative tests to patients. The health infrastructure published a statement about the attack; however, no information about a potential data leak was indicated.
Link(s):
https://www.databreaches.net/portugal-cyberattack-on-hospital-do-divino-espirito-santo-impacting-notification-of-covid-19-test-results/

 

FRAUDS

Attack: An IT solution provider involved in managing Sweden’s health crisis faces data leak
Method: Currently unknown
Surface/Application: Database
Publication date: 06/23/2021
Description: Infosolution, the company in charge of the database storing COVID-19 test results for 15 Swedish regions, has been breached. The intrusion, carried out by an external actor, resulted in the disclosure of the names, social security numbers and addresses of patients who had been tested.
Link(s):
https://cybernews.com/news/swedish-covid-19-lab-with-millions-of-test-results-breached/

 

Attack: Cybercriminals arrested after stealing French unemployment benefits
Method: Currently unknown
Surface/Application: Website
Publication date: 06/23/2021
Description: The French National Gendarmerie and the Israeli police arrested 8 people who allegedly obtained 12 million euros by defrauding financial aid issued in case of job loss during the pandemic. The French authorities managed to recover 6.2 million euros from the bank accounts held by the criminal group.
Link(s):
https://www.europol.europa.eu/newsroom/news/six-arrested-for-siphoning-%E2%82%AC12-million-in-fraudulent-covid-19-unemployment-payments-france

 

OTHER NEWS

Country: France
Subject: A programming error in the TousAntiCovid application prevents some users from obtaining the health pass
Publication date: 06/26/2021
Description: The French health pass, stored as a QR code in the TousAntiCovid application, is only issued if you are vaccinated or if you have been tested negative or positive for COVID-19 within the last six months. However, the QR code has only been implemented since April 20, which prevents users who contracted the virus before that date from obtaining the pass. This occurs at the same time as the introduction of the “EU digital certificate”, which allows travel in Europe and is only issued in France if the user already has the health pass.
Link(s):
https://www.ouest-france.fr/sante/virus/coronavirus/covid-19-2-millions-de-francais-prives-de-leur-pass-sanitaire-a-cause-d-une-faille-b6be560a-d693-11eb-b1dc-a73451ceafbf
https://www.service-public.fr/particuliers/actualites/A15003

 

Country: United States
Subject: A misconfiguration in a vendor’s cloud-based storage exposes a large volume of health records
Publication date: 06/17/2021
Description: WebsitePlanet researchers have discovered a huge, unprotected password database belonging to the American healthcare chain CVS Health. The breach, due to a human error in the configuration of a storage platform used by a CVS Health supplier, exposed more than a billion records of patient health data. Among the information leaked were e-mail addresses and the COVID-19 medications and vaccines purchased by customers.
Link(s):
https://www.websiteplanet.com/blog/cvs-health-leak-report/
https://threatpost.com/cvs-health-records-billion-customers-exposed/167011/

 

Country: Netherlands
Subject: A programming error in the application issuing COVID-19 vaccination certificates
Publication date: 06/28/2021
Description: The national contact-tracing application, CoronaCheck, which certifies the vaccination against COVID-19, wrongly gave QR codes allowing thousands of users to benefit from the advantages promoted by this certification (indoor events and party venues), without being vaccinated. The application had already been criticized the week before for not generating the certificate for those who were vaccinated.
Link(s):
https://nltimes.nl/2021/06/28/govt-app-wrongly-gave-covid-vaccination-certificates-thousands
https://nltimes.nl/2021/06/25/coronacheck-app-yet-giving-vaccination-certificates-many