COVID-19-related exploitation & abuse is increasing as vaccine data opens new frontiers for threat players.
This week, the US Indiana Dept. of Health issued a notice that the state’s COVID-19 contact-tracing system had been exposed via a cloud misconfiguration, revealing names, emails, gender, ethnicity, race & dates of birth of more than 750,000 people.
Adequately Protected
The incident shows that COVID-19 data could be ready for abuse & misuse, according to experts, which is now being collected on millions of people across the globe. The question is whether it’s being adequately protected from threat players. It turns out, there might be some work to be done on the security front.
Meanwhile, COVID-19 vaccine fraud is also on the rise — demonstrating that the pandemic still offers a rich vein for cyber-criminals of all stripes to mine.
When it comes to the contact-tracing incident, “We believe the risk to Hoosiers whose information was accessed is low,” State Health Commissioner Kris Box, M.D., said in a statement.
US Social-Security Information
“We do not collect Social-Security information as a part of our contact tracing program, & no medical information was obtained. We will provide appropriate protections for anyone impacted.”
It seems the Indiana Department of Health was half correct; the threat was low. The company that accessed the information was a cyber-security company named UpGuard, which found a misconfigured API sitting unsecured & visible to anyone on the internet. When UpGuard alerted Indiana officials, they didn’t seem to understand that UpGuard was trying to help, not abuse their data.
Indiana Contact-Tracing Data Unsecured
In response to UpGuards’ security researchers’ report that the data was unsecured, the Indiana Department of Health stated the company gained “unauthorised access” to their contact-tracing database, according to AP’s reporting.
The state also claimed UpGuard “improperly accessed” the data, seeming to miss the point that UpGuard was trying to help them improve their cyber-security posture.
“For one, our company did not `improperly access’ the data. The data was left publicly accessible on the internet,” UpGuard company spokesperson Kelly Rethmeyer explained.
Data Leak
“This is known as a data leak. It was not unauthorised because the data was configured to allow access to anonymous users & we accessed it as an anonymous user.”
The Indiana Office of Technology outlined that after that the software configuration issue was fixed & requested UpGuard return any accessed records, which it did.
Though the issue has been fixed & the API is now secured, the apparent confusion surrounding a disclosure from a cyber-security firm shows that local govts. might not be fully aware of the risks or the tools available to help shore up cyber-security — like being able to work with the research community effectively to mitigate reported vulnerabilities.
Nonetheless, municipalities all over the world are collecting vast amounts of data through COVID-19 contact-tracing programs, like Indiana’s, & vaccine record keeping.
“We’re in a data-breach pandemic,” UpGuard’s Rethmeyer explained.
Counterfeit COVID-19 Cards
Also, Flashpoint has also released a report detailing an increase in cyber-criminals selling counterfeit COVID-19 vaccine certificates & other COVID-19-related public-health documentation in reaction to a rise in American business requiring vaccination proof before congregating in public spaces.
Flashpoint’s report added that these fake credentials are available across several underground closed channels, like underground forums, chat rooms & more.
A cyber-criminal called “Freedom” was observed by Flashpoint advertising false vaccine documentation provided with the assistance of doctors.
Anti-COVID Lockdown
“Flashpoint analysts believe this advertisement was placed in an anti-COVID lockdown channel in order to target customers who are sceptical of vaccines & lockdowns in the US,” the report observed.
Another person called “BigDOCS” was offering letters declaring that someone tested negative for COVID-19, for $40. Another counterfeit certificate seller was offering a fake vaccine card for $100, & for $125 the recipient can receive it overnight.
Telegram
Another fraudster on Telegram claimed they could produce a vaccine card for either a Pfizer or Johnson & Johnson vaccine.
Similar fraudulent documents can be bought for use across the European Union, Flashpoint added. On the underground forum Nulled, researchers found an EU vaccine certificate for sale for $450.
“The threat actor advertising the certificate mentioned that they are also a vaccine sceptic who doesn’t trust the government and doesn’t want to be forced to take the vaccine,” Flashpoint reported.
Vaccine Template
Flashpoint even found a blank CDC COVID-19 vaccine template available for free on 4chan.
“Flashpoint analysts have observed threat actors on the image board 4chan sharing CDC COVID-19 vaccine templates, which can be accessed for free through open-web sources,” the report suggested.
With criminals determined to avoid public health requirements for vaccines, testing & contact tracing, governments are going to have to keep up.
https://www.cybernewsgroup.co.uk/virtual-conference-september-2021/
