Every noteworthy world event is seen by cyber threat actors as an opportunity, and the Coronavirus (COVID-19) has proven to be no different. In response to the growing volume of COVID-19-themed cyber attacks we are seeing, Anomali has been working to collect, curate, and distribute the clear and concise open-source intelligence needed to help organizations defend against these campaigns. Anomali has just released two key resources – the COVID-19 Campaign Threat Model and a COVID-19 Threat Bulletin – to provide actionable intelligence that can be used to combat these cyber attack campaigns. These resources are continually updated with the latest COVID-19-related information, so subscribers will be receiving a steady stream of new, actionable intelligence:
Anomali COVID-19 Campaign Threat Model - Anomali has identified 15 distinct campaigns associated with 11 threat actors or groups distributing 39 different malware families using 80 various MITRE ATT&CK techniques to date, and this number will continue to grow.
Anomali COVID-19 Threat Bulletin - This Threat Bulletin provides both a narrative summarizing all COVID-19 related attacks Anomali has been tracking, and over 6,000 unique indicators of compromise (IOCs) that can be acted upon immediately.
What Can You Do with This Threat Intelligence?...and How to Do It
Our intent in aggregating and curating this threat intelligence is to provide organizations with high fidelity indicators of compromise (IOCs) that can immediately be pushed into their security stacks for rapid, proactive blocking and alerting. Security products that can take advantage of this actionable threat intelligence include SIEMs, endpoint detection and response platforms, firewalls, DNS servers, SOAR platforms, and other operational security products.
The Anomali COVID-19 Campaign Threat Model and COVID-19 Threat Bulletin are designed to be used in conjunction with Anomali ThreatStream, a threat intelligence platform that allows organizations to aggregate, curate, analyze and distribute multiple sources of threat intelligence to their operational security systems. Inside of the Threat Bulletin, all of these COVID-19-related IOCs have been tagged with “COVID-19” and “Coronavirus.” This enables ThreatStream users to create a simple rule to automatically push these IOCs to their security systems, enabling real-time defense against these attacks. For example, when an end-user clicks on a link within a COVID-19-theme phishing email, Anomali customers that have activated this research will automatically block the phishing URL, avoiding risk of compromise.
How Can You Get This Intelligence?
The Anomali COVID-19 Campaign Threat Model and COVID-19 Threat Bulletin are automatically available for use by organizations with access to Anomali ThreatStream – including all of Anomali’s enterprise clients and over 2000 organizations participating in threat intelligence sharing communities powered by Anomali. For organizations that don’t currently have Anomali ThreatStream accounts, we have made static versions of this threat intelligence available at www.anomali.com/covid19. While these downloads won’t be dynamically updated, they do provide valuable, actionable intelligence that can be leveraged to improve your defenses. We also have a graphic that provides a chronology of COVID-19-related cyber activity.
At Anomali, our goal is to help organizations be more secure by leveraging threat intelligence, and this is more important than ever in these most trying of times. Only through massive intelligence collection and sharing can we stay ahead of real-world and cyber threats. So, let’s get to work!