Cybersecurity news headlines for March 1-31, 2020
March’s edition of cybersecurity news headlines is mostly news related to cyber crime during the coronavirus pandemic. Malicious actors have begun to actively create coronavirus-themed spam campaigns which both phish for personal information and spread malware. Furthermore, some ransomware gangs continue to attack health care facilities while they are dealing with the COVID-19 pandemic.
In no particular order, here’s what made the headlines in March 2020.
Malicious actors continue to use coronavirus panic to distribute malware and phish personal information
In last month’s edition of cybersecurity news, as well as in a separate article, we reported on cyber criminals taking advantage of the ongoing coronavirus pandemic to perform malicious activity. The pandemic is proving to be highly beneficial for malicious actors because people are actively looking for information about coronavirus and it’s easy to slip in scams and malware, as well as phish personal information.
Coronavirus-themed emails seem to be popular among scammers and malware distributors. One email in particular seems to be making the rounds and threatens to infect users with the coronavirus if they do not agree to pay $4000. The email falls into the same category as those sextortion emails that threaten to expose videos of users watching pornography. The coronavirus extortion email follows a similar pattern: it reveals the user’s password to catch their attention, claims to have stolen information about them and then threatens to “ruin their life” by exposing their personal info unless the user agrees to pay money, $4000 to be more specific. A unique characteristic of these coronavirus-themed emails is that they also threaten to infect the user, and their whole family, with the coronavirus.
“No matter how smart you are, believe me, if I want to affect, I can,” the email says when talking about the virus. The threat to infect with a real-life virus is precisely what gives the scam away, if it was not clear before. Thus, it’s doubtful that scammers will receive any kind of payment.
Another interesting and rather clever coronavirus-themed email claims the receiver may have been exposed to the virus and needs to get tested. Reported by Bleeping Computer, the email primarily targets Canadian users as it mentions a specific city and a hospital in Canada. The email is supposedly sent by a hospital and it wants to inform the recipient that they have been in contact with someone who was confirmed to have been infected with COVID-19. The recipient is asked to download the attached file which supposedly contains prefilled information, and go to an emergency clinic to get tested. If users open the attached file EmergencyContact.xlsm, they are instructed to press Enable Content in order to open the file properly. The moment the user presses Enable Content, malware will be downloaded and executed on the computer. The malware seems to target cryptocurrency wallets in particular. It can also be difficult to detect the malware because it tries to conceal itself.
Coronavirus-themed emails are likely to be pretty common until the coronavirus subsides and people are no longer in quarantine and constantly searching for more information about the virus. Until then, you should be skeptical of all emails that mention the coronavirus.
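The EmergencyContact.xlsm lure described above depends on a macro-enabled workbook reaching the inbox, which a mail filter can check for. The following is an added example, not code from the original article or from Bleeping Computer: it flags attachments by macro-enabled extension and by the presence of a `vbaProject.bin` part inside the Office ZIP container, so a macro workbook renamed to `.xlsx` is still caught. The sample message, addresses and the `renamed.xlsx` and `clean.xlsx` attachments are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Office Open XML extensions that are allowed to carry VBA macros.
MACRO_EXTENSIONS = (".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm", ".ppsm")

def _ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a workbook: a ZIP with placeholder parts only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()

def build_sample_email() -> bytes:
    """Constructed message with three attachments (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.test", "user@example.test"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Please open the attached form.")
    for name, macro in (("EmergencyContact.xlsm", True),
                        ("renamed.xlsx", True),   # macro part behind a benign extension
                        ("clean.xlsx", False)):
        msg.add_attachment(_ooxml(macro), maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

def macro_attachments(raw: bytes) -> dict:
    """Return {filename: [reasons]} for attachments that can run VBA macros."""
    findings = {}
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        reasons = []
        if name.lower().endswith(MACRO_EXTENSIONS):
            reasons.append("macro-enabled extension")
        if isinstance(data, bytes) and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("contains vbaProject.bin")
        if reasons:
            findings[name] = reasons
    return findings
```

Calling `macro_attachments(build_sample_email())` reports the two macro-bearing attachments and leaves `clean.xlsx` out; legacy binary formats such as `.xls` are not ZIP containers and need a separate check.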
Czech hospital suffers a cyber attack during the COVID-19 outbreak; some ransomware gangs continue to target hospitals
Cyber criminals attacking hospitals on a regular day is bad enough, but performing an attack during a virus outbreak is a whole new level of low. The Brno University Hospital in the Czech Republic reportedly suffered a cyber attack on March 13th, and the hospital was forced to shut down the entire IT network.
Not much information is known about the attack or what caused it exactly, but the consequences may have been serious. According to certain reports, personnel were told to turn off their computers and the hospital was forced to cancel surgeries.
Like many countries, the Czech Republic is dealing with the ongoing coronavirus pandemic, and a cyber attack on a hospital could have disastrous consequences. It is not known, however, whether the attack affected the hospital’s ability to perform tests and deal with patients infected by the coronavirus.
Some ransomware families have announced that they will stop targeting hospitals and health care facilities for the time being because of the coronavirus. However, certain cyber gangs continue their malicious activity. Ryuk, one of the best-known ransomware gangs, is still infecting health care facilities. Cybersecurity researcher PeterM recently confirmed that the ransomware has targeted a health care provider.
“Looks like a typical Ryuk attack at the moment, they deployed the ransomware with PsExec,” PeterM said in a tweet.
Bleeping Computer has reported that Ryuk ransomware has targeted 10 health care organizations in the past month, and is showing no indication of stopping.
“Not only has their healthcare targeting not stopped but we have also seen a continuous trend of exploiting healthcare organizations in the middle of the global pandemic. While some extortionist groups at least acknowledged or engaged in the discourse of stopping healthcare extortionists, the Ryuk operators remained silent pursuing healthcare targeting even in light of our call to stop,” Vitali Kremez, Head of SentinelOne’s research division, told Bleeping Computer.
Data of 538 million Weibo users for sale on the dark web
It has been reported by news website ZDNet that the Chinese social network Weibo has suffered a breach that exposed personal information of 538 million users. The database containing the personal information was put up for sale on the dark web for a price of ¥1,799 ($250). According to reports, the database contains information like names, Weibo IDs, gender, location, and even phone numbers for 172 million users. Passwords do not seem to be included in the database, as Weibo has said they do not store passwords in plaintext.
According to an ad for the database seen by ZDNet on the dark web, the hacker was able to breach Weibo sometime mid-2019, but not much information is known. Weibo has acknowledged the incident but appears to have downplayed the severity of it, saying that the phone numbers were collected at the end of 2018 when a number of user accounts started uploading large amounts of contacts to match accounts with their respective phone numbers. However, this does not explain how the hacker managed to obtain other information like gender and location, which is not public.
Law enforcement has been notified of the incident and an investigation is ongoing. It is likely that the hacker will be identified, as China has a good track record when it comes to catching cyber criminals.