
China is attempting cyber-attacks through hackers. Over the last two months, since border tensions broke out, Indian agencies have been battling direct and indirect attacks from what appears to be a multinational coalition. Virtually every sector and cyber platform in India has faced attacks originating from China (notably Beijing, Guangzhou, Shenzhen and Chengdu), North Korea and Pakistan. Cybersecurity attacks and breaches in the country are likely to have surged more than six-fold since the lockdown was imposed on March 25, forcing many people to work from home.

Hacking attempts from the three nations are multiplied using bots and proxies, and attackers of different origins are carrying out different tasks. The attacks aim to cause denial of service, IP hijacking and phishing, with phishing e-mails originating from the spoofed ID ncov2019@gov.in and carrying subject lines such as "Free Covid-19 testing for all residents of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad". A large-scale phishing campaign is also directed at businesses of every size: small, medium and large enterprises, several government agencies, media houses, pharma companies and telecom operators are targeted. The campaign is expected to use malicious e-mails designed to drive recipients towards fake websites where they are deceived into downloading malicious files or entering personal and financial information.

Coronavirus-themed, malware-laden spam e-mails are being used to distribute malware and Trojans, especially the Emotet banking Trojan. Phishing e-mails are also disguised as communications from the Centers for Disease Control and Prevention (CDC) in order to steal e-mail credentials.

Preventive Measures

  • Do not open or click on attachments in unsolicited e-mails, SMS or messages received through social media.
  • Exercise extra caution in opening attachments, even if the sender appears to be known.
  • Beware of suspicious e-mail addresses, spelling errors in e-mails and websites, and unfamiliar e-mail senders.
  • Do not submit personal or financial details on unfamiliar or unknown websites/links.
  • Beware of e-mails and links offering special offers such as Covid-19 testing, aid, prizes, rewards or cashback.
  • Check the integrity of URLs before providing login credentials or clicking a link.
  • Consider using safe-browsing tools and filtering tools (antivirus and content-based filtering) in your antivirus, firewall and filtering services. Update spam filters with the latest spam-mail contents.
  • Any unusual activity or attack should be reported immediately to incident@cert-in.org.in, with the relevant logs and e-mail headers, so that the attack can be analysed and further appropriate action taken.

For organisations that use firewalls, antivirus software, IPS/IDS and e-mail spam guards, the following Indicators of Compromise (IOCs) can be added to the safety filters to prevent the attack.

IOC for Chinese Cyber Attacks
Hash value                        Algorithm
db89750a7fab01f50b1eefaf83a00060 MD5
bd665cd2c7468002f863558dbe110467 MD5
d8aa162bc3e178558c8829df189bff88 MD5
9c2ee383d235a702c5ad70b1444efb4d MD5
6208516f759accb98f967ff1369c2f72 MD5
9632bec3bf5caa71d091f08d6701d5d8 MD5
5cd9b0858b48d87b9622da8170ce8e5d MD5

Email ID - ncov2019@gov.in

IP Addresses - 47.240.73.77 | 114.67.110.37

Domain Names - userimage8.360doc.com | welcome.toutiao.com | image91.360doc.com

Recommendations
  • Use updated antivirus software and ensure your current vendor has coverage for these hashes.
  • Check the category of the listed IP addresses in the firewall and block them.
  • Check the category of the listed domains in the proxy; if they are not categorised as malicious, request that they be re-categorised into the malicious category.
  • Perform China geo-based blocking if there is no business with China.
  • Monitor e-mails received from IDs similar to "ncov2019@gov.in".
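The IOC list and the recommendations above describe what to block and monitor but not how to check an environment against them. The following is an added example (it is not code from the advisory or from CERT-In) that loads the published MD5 hashes, sender ID, IP addresses and domains, hashes attachments against the list, and scans log lines for the network and e-mail indicators. The mail-gateway and proxy log lines and the attachment bytes are constructed here for illustration; real log formats will differ and the regular expressions are deliberately simple.

```python
import hashlib
import re

# IOCs copied from the advisory above.
IOC_MD5 = {
    "db89750a7fab01f50b1eefaf83a00060",
    "bd665cd2c7468002f863558dbe110467",
    "d8aa162bc3e178558c8829df189bff88",
    "9c2ee383d235a702c5ad70b1444efb4d",
    "6208516f759accb98f967ff1369c2f72",
    "9632bec3bf5caa71d091f08d6701d5d8",
    "5cd9b0858b48d87b9622da8170ce8e5d",
}
IOC_EMAILS = {"ncov2019@gov.in"}
IOC_IPS = {"47.240.73.77", "114.67.110.37"}
IOC_DOMAINS = {"userimage8.360doc.com", "welcome.toutiao.com", "image91.360doc.com"}

# Constructed sample data (not real traffic): mail-gateway and proxy log lines.
SAMPLE_LINES = [
    "Jun 23 10:02:11 mx1 postfix/smtpd[1234]: connect from unknown[47.240.73.77]",
    'Jun 23 10:02:12 mx1 postfix/cleanup[1235]: message-id=<abc@mail>, from=<ncov2019@gov.in>, subject="Free Covid-19 testing for all residents"',
    "Jun 23 10:03:01 proxy1 squid: 10.0.0.5 GET http://userimage8.360doc.com/img/invoice.exe 200",
    "Jun 23 10:04:00 proxy1 squid: 10.0.0.6 GET http://intranet.example.com/ 200",
]
# Constructed attachment; its MD5 is not on the IOC list, so it is a true negative.
SAMPLE_ATTACHMENTS = {"covid_test_form.doc": b"constructed harmless attachment bytes"}


def md5_hex(data: bytes) -> str:
    # MD5 is used only because the advisory publishes MD5 IOCs; it is a lookup key,
    # not an integrity guarantee (usedforsecurity=False keeps this working under FIPS).
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file from disk so large attachments do not need to fit in memory."""
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_known_bad_hash(md5hex: str) -> bool:
    return md5hex.lower() in IOC_MD5


def check_attachments(attachments: dict) -> list:
    """Return the names of attachments whose MD5 appears on the IOC list."""
    return [name for name, data in attachments.items() if is_known_bad_hash(md5_hex(data))]


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def domain_matches(host: str) -> bool:
    """Exact match or a sub-domain of a listed domain (e.g. cdn.welcome.toutiao.com)."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


def scan_line(line: str) -> dict:
    """Map IOC type -> matched values for one log line; empty dict when the line is clean."""
    hits = {
        "ip": set(IP_RE.findall(line)) & IOC_IPS,
        "email": {e.lower() for e in EMAIL_RE.findall(line)} & IOC_EMAILS,
        "domain": {d.lower() for d in DOMAIN_RE.findall(line) if domain_matches(d)},
    }
    return {kind: values for kind, values in hits.items() if values}


def scan_lines(lines) -> list:
    """(1-based line number, hits) for every line that contains at least one IOC."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


if __name__ == "__main__":
    for n, hit in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {hit}")
    print("attachments on IOC list:", check_attachments(SAMPLE_ATTACHMENTS))
```

Because ncov2019@gov.in is a spoofed address, a match on the From: header or envelope sender is only a lead: confirm it with the gateway's SPF, DKIM and DMARC results, and include the full headers when reporting to incident@cert-in.org.in. The hash check is exact-match only, so a recompiled or repacked sample will not be caught by it; treat the list as a starting point for blocking, not as complete coverage.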