One Article Review

Home - The article:
Source: Anomali
Identifier: 2286826
Publication date: 2021-02-02 23:04:00 (viewed: 2021-02-03 01:05:27)
Title: Threat Actors Capitalize on COVID-19 Vaccine News to Run Campaigns, AWS Abused to Host Malicious PDFs
Text:

Key Findings

- Malicious actors have targeted the vaccine supply chain and leaked materials stolen from the European Medicines Agency (EMA).
- Phishing campaigns have evolved alongside the pandemic, with the latest observed themes being vaccine-related topics.
- Users should remain cautious of possible phishing attacks via email, text messages (SMS), or simply clicking through search results.

Overview

Threat actors change and adapt their campaigns to mirror themes prevalent in the public eye. When they leverage high-urgency trends, their success levels rise. Since the beginning of the pandemic, Anomali has focused resources to detect malicious cyber campaigns using COVID-19 themes. In this blog, Anomali Threat Research presents several malicious samples that represent simple tactics, techniques, and procedures (TTPs) used by actors in COVID-themed malspam campaigns. Less-sophisticated threat actors can be easier to monitor and block if the TTPs utilized by the actors are well known.

New Discoveries

The majority of this research centers on analysis of known threat actors and indicators of compromise (IOCs). There are several samples that we believe are newly discovered by our researchers (we haven’t seen them discussed elsewhere). Among these are several malicious PDFs hosted on Amazon Web Services (AWS) and other hosting websites. We discuss this campaign below in the chapter named “2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)”, detailing samples with titles “Adenovirus vector pdf” and “Illinois coronavirus october 15”.

Details

1. Targeted Supply Chain Attacks

On December 28, 2020, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) published a notice entitled “COVID-19 Vaccine-Related Scams and Cyberattacks.” That report provided evidence of actors conducting scams asking for a fee to provide potential victims with the vaccine sooner than permitted. Furthermore, FinCEN assessed that cybercriminals will likely continue to exploit the COVID-19 pandemic to target financial institutions, vaccine delivery operations, and vaccine manufacturing supply chains. FinCEN is aware of ransomware directly targeting vaccine research and has pushed for awareness of these phishing schemes luring victims with fraudulent information about COVID-19 vaccines.[1]

Other threats to vaccine research have been reported by US and European intelligence agencies. In December 2020, threat actors breached the European Medicines Agency (EMA) whilst it was in the COVID-19 vaccine evaluation process. On January 12, 2021, threat actors leaked a portion of the stolen materials relating to the Pfizer/BioNTech vaccine (Figure 1).[2] On the same day, in an unrelated event, the Director of the National Counterintelligence and Security Center (NCSC), William Evanina, confirmed the existence of threats from China and Russia to disrupt the US coronavirus vaccine supply chain.[3]

Figure 1 – Screenshot of the Files in the EMA Vaccine Breach

The publication of the EMA vaccine breach on RaidForums was taken down by forum administrators, only to resurface on other platforms. Later, the EMA claimed that at least some of the leaked correspondence had “been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.”[4]

2. Non-targeted Adoption by Phishing Campaigns

Below are three examples of COVID-19 vaccine-related phishing campaigns utilizing different delivery methods: email, SMS, and search engine traffic. As COVID-19 vaccination is a newsworthy topic, it would be consistent with observed activity for so
Sent: Yes
Tags: Ransomware, Spam, Malware, Threat, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of a previous one.