One Article Review

Source: Anomali
Identifier: 2103277
Publication date: 2020-10-15 14:00:00 (viewed: 2020-12-15 21:05:33)
Title: COVID-19 Attacks – Defending Your Organization
Text:

Overview

The Coronavirus 2019 (COVID-19) global pandemic has caused widespread fear of the unknown and deadly aspects of this novel virus, generated growth in certain industries to combat it, and created a shift toward remote work environments to slow the spread of the disease.

Defending Your Organization Against COVID-19 Cyber Attacks

In this webinar, AJ and I describe COVID-19 attacks in January through March, the groups behind them, and the key MITRE ATT&CK techniques being employed. We then discuss ways an organization can keep itself safe from these types of attacks.

Pandemic Background

COVID-19 is a pandemic viral respiratory disease, originally identified in Wuhan, China, in December 2019. At the time of the webinar, it had infected around 1.5 million people worldwide. Within the first month, cyber actors capitalized on the opportunity.

COVID Attack Timeline

December 2019 - January 2020

At the end of December 2019, China alerted the World Health Organization (WHO) that there was an outbreak in Wuhan, China. Within a month, the first cyber events were being recorded. Around January 31, 2020, malicious emails (T1566.001) using the Emotet malware (S0367) and a phishing campaign (T1566.001) using LokiBot (S0447) were tied to TA542, alias Mummy Spider. Emotet, in particular, was prolific. It originally started as a banking Trojan, then evolved into a delivery mechanism: an initial payload that infected systems in order to download additional malware families such as TrickBot (S0266). Around this same time, there was a marked increase in the registration of domain names with COVID-19 naming conventions, a key indicator of an uptick in phishing campaigns.

February 2020

In early February, the progression of adversaries exploiting uncertainty about, and thirst for, information regarding the COVID-19 pandemic became apparent. New malware variants and malware families were reported employing coronavirus-related content, including NanoCore RAT (S0336) and Parallax RAT, a newer remote-access Trojan, to infect unsuspecting users. Throughout February, cybercrime actors launched several phishing campaigns (T1566.001) to deliver the information stealer AZORult (S0344). With government health agencies worldwide giving advice on cyber and physical health, threat actors aligned with nation-states such as Russia (Hades APT), China (Mustang Panda), and North Korea (Kimsuky, G0094) used this messaging to lure individuals into downloading and/or executing malicious files disguised as legitimate documents. These state-sponsored groups used convincing lures to impersonate organizations such as the United Nations (UN), the World Health Organization (WHO), and various public health government agencies to achieve short- and long-term national objectives.

March 2020

In March, we observed a flurry of nation-state and cybercrime attributed malicious activity seeking to exploit the COVID-19 pandemic. Cybercrime actors distributed a range of malware families, including NanoCore (S0336),
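The article points to a spike in registrations of domains with COVID-19 naming conventions as a leading indicator of phishing activity. The following is an added example (not code from the Anomali article or webinar) of how a defender might triage a newly-registered-domain feed for pandemic-themed names. The feed entries, the keyword list and the substitution table are all constructed assumptions for illustration; in practice the keywords would come from your own intelligence and the feed from your registrar or certificate-transparency monitoring.

```python
import re

# Constructed sample of a newly-registered-domain (NRD) feed. These names are
# invented for the example and are not indicators taken from the article.
SAMPLE_NRD_FEED = """
covid19-relief-payments.example
c0vid-19-who-update.example
coronavirus-map-live.example
corona-virus.example
pandemic-health-advice.example
bakery-fresh-bread.example
weather-forecast-daily.example
""".strip().splitlines()

# Assumed pandemic-themed lure keywords; extend from your own intelligence.
THEME_KEYWORDS = ["covid", "coronavirus", "corona", "pandemic", "ncov", "sars-cov"]

# Common digit-for-letter substitutions used to slip past naive keyword matches.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(domain):
    """Lowercase, drop the last label (naive public-suffix strip), remove
    separators and undo leetspeak so keyword matching sees a plain string."""
    labels = domain.lower().strip().split(".")
    registrable = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[-_.]", "", registrable).translate(LEET_MAP)


def matched_theme(domain):
    """Return the first theme keyword found in the normalized domain, or None."""
    norm = normalize(domain)
    for kw in THEME_KEYWORDS:
        if kw.replace("-", "") in norm:
            return kw
    return None


def flag_themed_domains(feed):
    """Return [(domain, keyword)] for every feed entry that matches a theme.
    Flagged names are candidates for analyst review or a blocklist, not a verdict."""
    hits = []
    for domain in feed:
        kw = matched_theme(domain)
        if kw:
            hits.append((domain, kw))
    return hits


if __name__ == "__main__":
    for domain, kw in flag_themed_domains(SAMPLE_NRD_FEED):
        print(f"{domain}\t(theme: {kw})")
```

The normalization step matters more than the keyword list: a check that only looks for the literal string "covid" misses `c0vid-19-who-update`, while the substitution table above catches it. Expect false positives (legitimate health sites register themed names too), so feed the hits into review or into a DNS response policy rather than blocking blindly.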
Sent: Yes
Tags: Ransomware, Spam, Malware, Threat
Stories: APT 36
Notes: ★★★


The article does not appear to have been republished after its publication.


The article does not appear to be a repost of an earlier one.