
SANS ISC: Thanks to COVID-19, New Types of Documents are Lost in The Wild SANS ISC InfoSec Forums

Thanks to COVID-19, New Types of Documents are Lost in The Wild

In many countries, citizens are vaccinated and authorities are now implementing new rules for attending some events or travelling. For example, in Brussels (BE), you must prove that you're completely vaccinated by showing your "COVID Safe Ticket" to go to a restaurant or a bar. The document name changes across countries, but it's basically the same document for everybody, with a QR code.

Some people are against the vaccine and look for "solutions" to attend events. They try to find or fake such certificates (which is of course illegal). A few weeks ago, the French president Emmanuel Macron had his QR code stolen and re-used by some people[1]. This means that people are looking for QR codes and data! Behind this story, there seems to be a new type of data leak: many people exchange certificates which contain a lot of sensitive information.

For a few days, I have been running a hunting search on VT to try to find interesting documents, and I found some nice PDF files:

Be careful when you exchange documents like these on a cloud service or if you exchange them via tools that automatically feed VT! Once uploaded, they should be considered as "lost"!

[1] https://www.rfi.fr/en/france/20210924-health-officials-identify-suspects-behind-macron-s-qr-data-leak-health-pass-digital-security

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

Oct 20th 2021
