Attack Vectors – Time Lines | Coronavirus | COVID | Cybermaps






FEB 29, 2020 – A Chinese Destroyer Fired a Laser at a U.S. Navy Patrol Aircraft

March 25, 2020 – U.S. cybersecurity experts see recent spike in Chinese digital espionage

US launches advanced satellite in 1st Space Force national security mission

APRIL 1, 2020 – China seizes Covid-19 advantage in South China Sea

Apr 3, 2020 – Coronavirus isn’t our only national security threat

03/30/20 – We weren’t ready for a pandemic — imagine a crippling cyberattack


Step one – Reconnaissance

Before launching an attack, hackers first identify a vulnerable target and explore the best ways to exploit it. The initial target can be anyone in an organization. The attackers simply need a single point of entrance to get started. Targeted phishing emails are common in this step, as an effective method of distributing malware.

  • (i) Assess the situation: Initiate the response by assessing the situation in terms of the time, place and person distribution of those affected, the routes of transmission, the impact on critical infrastructure and health facilities, and the agencies and organizations involved in responding to the event, and communicate with public health responders and with the local, state and national-level emergency operation centers for event management.

The whole point of this phase is getting to know the target.
The questions that hackers are answering at this stage are:

  1. Who are the important people in the company? This can be answered by looking at the company website or LinkedIn.
  2. Who do they do business with? For this they may be able to use social engineering, by making a few “sales calls” to the company. The other way is good old-fashioned dumpster diving.
  3. What public data is available about the company? Hackers collect IP address information and run scans to determine what hardware and software the company is using. They check the ICANN web registry database.


Step two – Weaponization

In this phase, the hacker uses the information gathered in the previous phase to create the things they will need to get into the network. This could be creating believable Spear Phishing e-mails. These would look like e-mails that the target could plausibly receive from a known vendor or other business contact. The next is creating Watering Holes, or fake web pages. These web pages will look identical to a vendor’s web page or even a bank’s web page, but their sole purpose is to capture your username and password, or to offer you a free download of a document or something else of interest. The final thing the attacker does in this stage is collect the tools they plan to use once they gain access to the network, so that they can successfully exploit any vulnerabilities they find.

Corona Virus – COVID19 Outbreak


Step three – Delivery

Now the attack starts. Phishing e-mails are sent, Watering Hole web pages are posted to the Internet and the attacker waits for all the data they need to start rolling in. If the Phishing e-mail contains a weaponized attachment, then the attacker waits for someone to open the attachment and for the malware to call home.

  • (iv) Implementation of the action plan: The RRTs/QRMTs investigate the outbreak or increase in disease incidence, collect samples and send them to the identified state/national laboratory for testing. Hospitals are alerted to receive the patients and provide treatment. If necessary, tented hospitals are set up. Methods to control the disease and quarantine measures are instituted. Once the disease is identified, treatment protocols are sent to all concerned by the fastest possible means. Standard operating procedures (SOPs) for laboratory testing are prepared by the identified laboratory and sent to all hospital laboratories and district hospitals for implementation. Laboratory reagents are distributed to the concerned laboratories. The public is taken into confidence to prevent any panic. The list of ‘Do’s and Don’ts’ is circulated through the print and electronic media. Hospitals ensure appropriate isolation, quarantine, waste disposal and personal protective measures. All contaminated clothing and equipment are carefully disposed of by incineration. An impact assessment team assesses the impact of the attacks on humans, animals and plants.

Step five – Installation

In this phase the attacker makes sure that they continue to have access to the network. They will install a persistent backdoor, create Admin accounts on the network, disable firewall rules and perhaps even activate remote desktop access on servers and other systems on the network. The intent at this point is to make sure that the attacker can stay in the system as long as they need to.

Now that they have total control, they can achieve their objectives. This could be stealing information on employees, customers, product designs, etc., or they can start interfering with the operations of the company. Remember, not all hackers are after monetizable data; some are out to just mess things up. If you take online orders, they could shut down your order-taking system or delete orders from the system. They could even create orders and have them shipped to your customers. If you have an Industrial Control System and they gain access to it, they could shut down equipment, enter new set points, and disable alarms. Not all hackers want to steal your money, sell your information or post your incriminating e-mails on WikiLeaks; some hackers just want to cause you pain.

The more time hackers spend gaining information about the people and systems at the company, the more successful the hacking attempt will be.

Step four – Exploitation

(a) Preparedness phase: This phase includes actions to be taken by different agencies to ensure the required state of preparedness. These include evaluating the laboratory facilities and upgrading them, evaluating hospital preparedness for emergency response and case management in case of an imminent attack, conducting training of health professionals and of the rapid response team (RRT) and quick response medical team (QRMT) who would be the first responders, working out the legal provisions and their implications, ensuring that the requirement for safe drinking water is met, ensuring the availability of adequate stocks of medicines and vaccines, coordinating with security organizations, organizing mock drills for health professionals, government departments, animal husbandry, security, law enforcement and other agencies so as to assess their preparedness to act in case of an attack, and preparing contact details so that communication is unhampered during an attack. The public should be kept aware of imminent attacks so that voluntary reporting is encouraged. It is important to carry out a review of the situation based on current information on the threat perception.

Now the ‘fun’ begins for the hacker. As usernames and passwords arrive, the hacker tries them against web-based e-mail systems or VPN connections to the company network. If malware-laced attachments were sent, then the attacker remotely accesses the infected computers. The attacker explores the network and gains a better idea of the traffic flow on the network, what systems are connected to the network and how they can be exploited.

  • (ii) Contact key health personnel: Contact and coordinate with personnel within the health department that have emergency response roles and responsibilities. Record all contacts and follow-up actions.

(b) Early Warning Phase: The early warning component of the surveillance system includes activities such as case definitions, notification, and the compilation and interpretation of epidemiological data. Early detection and rapid investigation by public health epidemiologists are critical in determining the scope and magnitude of the attack and in implementing effective interventions.

(c) Notification Phase: It is mandatory to report any unusual syndrome, or usual syndromes in unusual numbers, to the appropriate authorities. The activities in this phase include rapid epidemiological investigations, quick laboratory support for confirmation of diagnosis, quarantine, isolation, keeping health care facilities geared for impending casualty management and evolving public health facilities for control.

My Wordfence Brute Force Log

(d) Response Phase: In this phase the activities include rapid epidemiological investigation, quick laboratory support, mass casualty management and initiation of preventive, curative and specific control measures for containing the further spread of the disease. In order to achieve them, the following steps can be followed:

  • (iii) Develop action plan: Develop initial health response objectives that are specific, measurable and achievable. Establish an action plan based on the assessment of the situation. Assign responsibilities and record all actions.

Step six – Command and control

Now they have access to the network and administrator accounts, and all the needed tools are in place. They have unfettered access to the entire network. They can look at anything, impersonate any user on the network, and even send e-mails from the CEO to all employees. At this point they are in control. They can lock you out of your entire network if they want to.

Worldwide Threat Assessment of the US intelligence community





Step seven – Action on objective








OAS (On-Access Scan) shows the malware detection flow during On-Access Scan, i.e. when objects are accessed during open, copy, run or save operations.
ODS (On-Demand Scanner) shows the malware detection flow during On-Demand Scan, when the user manually selects the ‘Scan for viruses’ option in the context menu.
MAV (Mail Anti-Virus) shows the malware detection flow during Mail Anti-Virus scan, when new objects appear in an email application (Outlook, The Bat, Thunderbird). MAV scans incoming messages and calls OAS when saving attachments to disk.
WAV (Web Anti-Virus) shows the malware detection flow during Web Anti-Virus scan, when the HTML page of a website opens or a file is downloaded. It checks the ports specified in the Web Anti-Virus settings.
IDS (Intrusion Detection System) shows the network attack detection flow.
VUL (Vulnerability Scan) shows the vulnerability detection flow.
KAS (Kaspersky Anti-Spam) shows suspicious and unwanted email traffic discovered by Kaspersky’s Reputation Filtering technology.
BAD (Botnet Activity Detection) shows statistics on identified IP addresses of DDoS attack victims and botnet C&C servers. These statistics were acquired with the help of the DDoS Intelligence system (part of the Kaspersky DDoS Protection solution).



What is syndromic surveillance?

Henning KJ.
Innovative electronic surveillance systems are being developed to improve early detection of outbreaks attributable to biologic terrorism or other causes. A review of the rationale, goals, definitions, and realistic expectations for these surveillance systems is a crucial first step toward establishing a framework for further research and development in this area. This commentary provides such a review for current syndromic surveillance systems. Syndromic surveillance has been used for early detection of outbreaks, to follow the size, spread, and tempo of outbreaks, to monitor disease trends, and to provide reassurance that an outbreak has not occurred. Syndromic surveillance systems seek to use existing health data in real time to provide immediate analysis and feedback to those charged with investigation and follow-up of potential outbreaks. Optimal syndrome definitions for continuous monitoring and specific data sources best suited to outbreak surveillance for specific diseases have not been determined. Broadly applicable signal-detection methodologies and response protocols that would maximize detection while preserving scant resources are being sought. Stakeholders need to understand the advantages and limitations of syndromic surveillance systems. Syndromic surveillance systems might enhance collaboration among public health agencies, health-care providers, information-system professionals, academic investigators, and industry. However, syndromic surveillance does not replace traditional public health surveillance, nor does it substitute for direct physician reporting of unusual or suspect cases of public health importance.