Exploitation and abuse related to COVID-19 are increasing as vaccine data opens new frontiers for threat actors.
This week, the Indiana Department of Health issued an advisory that the state’s COVID-19 contact tracing system had been exposed through misconfiguration in the cloud, revealing names, emails, gender, ethnicity, race and birth dates of more than 750,000 people.
The incident shows that COVID-19 data, now being collected on millions of people around the world, could be primed for abuse and misuse, according to experts. The question is whether you are adequately protecting yourself from threat actors. And it turns out there might be some work to be done on the security front.
Meanwhile, COVID-19 vaccine fraud is also on the rise, showing that the pandemic still offers a rich vein for cybercriminals of all stripes.
When it comes to the contact tracing incident, “We believe the risk to Hoosier residents whose information was accessed is low,” State Health Commissioner Kris Box, MD, said in a statement. “We did not collect Social Security information as part of our contact tracing program and we did not obtain medical information. We will provide adequate protections for anyone affected.”
Turns out the Indiana Department of Health was half right; the threat was low. The company that accessed the information was a cybersecurity company called UpGuard, which found an API that was misconfigured, insecure, and visible to anyone on the Internet. When UpGuard alerted Indiana officials, they did not seem to understand that UpGuard was trying to help, not abuse their data.
Unprotected Indiana Contact Tracing Data
In response to a report by UpGuard’s security researchers that data was not protected, the Indiana Department of Health said the company gained “unauthorized access” to its contact tracing database, according to the AP report. The state also claimed that UpGuard “improperly accessed” the data, apparently without understanding that UpGuard was trying to help them improve their cybersecurity posture.
“For one thing, our company did not ‘improperly access’ the data. The data was made accessible to the public on the Internet,” said Kelly Rethmeyer, a spokesperson for the UpGuard company. “This is known as a data leak. It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user.”
The Indiana Office of Technology later said that the software configuration problem was fixed and asked UpGuard to return the accessed records, which it did.
Although the issue has been fixed and the API is now secured, the apparent confusion surrounding a disclosure from a cybersecurity company shows that local governments may not be fully aware of the risks, of the tools available to help shore up cybersecurity, or of how to work effectively with the research community to mitigate reported vulnerabilities.
Nonetheless, municipalities around the world are collecting vast amounts of data through COVID-19 contact tracing programs, like the one in Indiana, and vaccine record keeping.
“We are in a data breach pandemic,” UpGuard’s Rethmeyer told Threatpost.
Counterfeit COVID-19 cards
Meanwhile, Flashpoint has also released a report detailing an increase in cybercriminals selling counterfeit COVID-19 vaccine certificates and other public health documentation related to COVID-19 in reaction to an increase in US businesses requiring proof of vaccination before congregating in public spaces.
The Flashpoint report added that these fake credentials are available on various underground closed channels such as underground forums, chat rooms, and more.
Flashpoint observed a cybercriminal named “Freedom” posting bogus vaccine documentation provided with the help of doctors.
“Flashpoint analysts believe this ad was placed on an anti-COVID blackout channel to target customers who are skeptical about vaccines and blockages in the US,” the report says.
Another person named “BigDOCS” was offering letters stating that someone tested negative for COVID-19, for $40. Another counterfeit certificate vendor was offering a fake vaccine card for $100, and for $125 the recipient can receive it overnight.
Another scammer on Telegram claimed that he could produce a vaccine card for a Pfizer or Johnson & Johnson vaccine.
Similar fraudulent documents can be purchased for use throughout the European Union, Flashpoint added. On the underground Nulled forum, investigators found an EU vaccine certificate for sale for $450.
“The threat actor announcing the certificate mentioned that he too is a vaccine skeptic who does not trust the government and does not want to be forced to get vaccinated,” Flashpoint reported.
Flashpoint even found a blank CDC COVID-19 vaccine template available for free on 4chan.
“Flashpoint analysts have observed threat actors on the 4chan image board sharing CDC COVID-19 vaccine templates, which can be accessed for free through open web sources,” the report says.
With criminals determined to circumvent public health requirements for vaccines, testing, and contact tracing, governments will have to keep up.
Author: Becky Bracken