[Security Weekly] Coronavirus Testing Centers, Hospitals, and Health Agencies Hit by Cyberattacks During COVID-19 Pandemic

3rd Week of March 2020


1. Czech Republic’s second-largest hospital suffers from cyberattack during coronavirus outbreak


Brno University Hospital, the second-largest hospital of Czech Republic and one of the biggest testing centers for COVID-19, was hit with a cyberattack on March 13 that forced a complete shutdown of its IT system, severely hindering its operations.

Starting at 5 am in the morning, the hospital sent repeated announcements throughout every building, requesting all computers to be turned off immediately. Since 8 am, all surgeries had been canceled, and all new patients had to be redirected to nearby hospitals. Two other affiliated hospitals – Children’s Hospital and Maternity Hospital, were also affected.

The country’s National Cyber and Information Security Agency (NCISA) confirmed the incident and is working with the police and the hospital’s IT team to recover operations.

As a crucial testing center for COVID-19, it is unclear whether testing capabilities were affected during the attack. The central European country is now facing an outbreak of over 765 cases.  

This is not the only healthcare cyberattack during this coronavirus outbreak. Earlier this month, Illinois-based Champaign-Urbana Public Health District was also hit with the NetWalker ransomware, forcing its websites to shut down and obstructing its capabilities to inform the public on the virus.

Experts are warning that cybercriminals will continue to take the coronavirus outbreak as an opportunity to launch all kinds of attacks. Overwhelmed hospitals with overworked staff are especially vulnerable.

Sources: ZDNet, Prague Morning, SC Magazine


2. US Department of Health and Human Services hit by cyberattack


John Ullyot, a spokesperson from the United States National Security Council (NSC), announced on Monday that the US Department of Health and Human Services (HSS) was hit with a cyberattack amid the COVID-19 pandemic.

The attack was first detected last Sunday, where a significant increase in activity was found on the HHS network. Within only a few hours, the servers were flooded with millions of hits. Even though the details of the attack were not officially revealed, this clearly seemed like a DDoS attack aimed at slowing and paralyzing regular service.

Fortunately, the attack failed to slow down the system significantly. An HHS spokesperson revealed that the agency had increased its cybersecurity measures as it was preparing for the COVID-19 pandemic.

All HHS services are fully operational as of Monday. Both the NSC and HHS are investigating the incident thoroughly. The attack seemed to be part of a greater campaign aimed at disrupting the response to the COVID-19 pandemic, where foreign actors are likely involved. On the same day as the attack, rumors about a national lockdown were also spreading across the country. However, it is not clear yet whether these two cases are related.

Criminals are taking two paths to undermine our fight against the virus – by either disrupting healthcare services or spreading misinformation. Healthcare systems around the world are already overwhelmed by the exponential surge of patients, further disruptions will certainly result in more casualties. This warns us again that we are now in an age where cyberattacks can, and will be increasingly capable of, causing physical damage.

Sources: Bloomberg, Reuters


3. Blender manufacturer NutriBullet attacked by Magecart skimmers


NutriBullet, a US-based blender manufacturer well known for its single-serve personal blenders, has suffered continuous and consistent attacks by Magecart1, where many of its customers’ payment card information could have been compromised.

Attackers implanted skimmer codes on NutriBullet’s online shopping domain. Whenever customers input their credit card information to make a purchase, the skimmer codes would make a copy of this information and transfer them to a command-and-control (C2) server controlled by the attackers. It is not clear yet whether the attackers sold the stolen information, or used it to make fraudulent purchases.

The situation was first publicized on Wednesday by cybersecurity researchers at RiskIQ. RiskIQ revealed that skimmer codes were first detected on the NutriBullet’s domain on February 20. The researchers removed them on March 1, only to see them installed again on March 6. On March 10, a modified version of skimmer codes were again detected on the website. NutriBullet’s security team is working with RiskIQ to take down the C2 server that is facilitating the transfer of data.

As of now, RiskIQ is warning all customers to stop making purchases from the website and to look for other channels to shop.

1 Magecart is a general term describing attacks that plant skimmers on web applications to steal financial information.

Sources: ZDNet, TechCrunch


4. Over 425 GB of sensitive financial information leaked from open cloud database


Earlier on Tuesday, security researchers at vpnMentor disclosed a data breach that leaked 425 GB of highly sensitive information from an unsecured Amazon Web Service S3 database.

The database was said to be related to a mobile app called MCA Wizard, developed jointly by two financial firms – Advantage Capital Funding and Argus Capital Funding. Both companies provide funding solutions to businesses in need of cash. The app provides merchant cash advances (MCAs), which allow businesses to sell their expected future sales in exchange for immediate cash. The app is currently taken off by both Google Play and App Store.

The database was not secured with any form of encryption or authentication methods, which is a complete violation of data protection regulations (e.g. CCPA, GDPR). The leaked database contained more than 500,000 sensitive legal and financial files, ranging from contracts, legal documents, purchase orders and receipts, copies of ID cards, social security numbers, and tax returns. These data were mostly related to the customers, clients, contractors, and partners of Advantage and Argus. Such sensitive information is more than enough to not only destroy one’s business, but completely ruin their life.

The open database was first discovered in December 2019. Security researchers tried to contact the two firms responsible for it, but were unable to reach them. They eventually had to ask Amazon Web Services to directly close down the database.

Source: SiliconAngle


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+ 

Smart Car Security: AutoCrypt