One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 362065
Publication date 2017-05-04 17:18:00 (seen: 2017-05-04 17:18:00)
Title OAuth Worm Targeting Google Users - You Need to Watch Cloud Services
Text
Yesterday, many people received an e-mail from someone they knew and trusted asking them to open a "Google Doc". The email looked, felt, and smelled like the real thing: the email Google normally sends whenever a share request is made. However, the email contained a button that mimicked a link to open a document in Google Docs. When users clicked the button, they were prompted to give "Google Docs" permission to read and send email, manage their email, and access their contact lists. In reality, this was a malicious application registered by the attackers; the consent prompt was Google's own, and what the attackers controlled was the application's display name, which they set to "Google Docs". It was one of the best-crafted phishing attempts of the last year. By clicking the ALLOW button, users authorized the malicious application to perform actions on their behalf. The users' browsers were then redirected to one of the malicious servers set up by the attackers, for example https://googledocs[.]docscloud[.]win/g.php.

The AlienVault Labs Security Research Team detected the activity and, while the attack was still in progress, created a Pulse in the Open Threat Exchange (OTX) with all the indicators of the infrastructure the attackers used (mainly the domains used in the redirection). In addition, several OTX users jumped in and shared more malicious infrastructure within minutes. This got the indicators out immediately to the 30,000+ people who follow the AlienVault OTX account. Kudos to the OTX members who jumped in and delivered this valuable information so quickly to the community! Sign up to OTX to join the 53,000+ users who already benefit from this free service.

Going back to the attack: once the user had allowed the malicious application to perform those actions and had been redirected to one of the servers, the browser was served JavaScript code that contained the self-replication (worm) functionality.

First, the malicious JavaScript retrieved the victim's contact list (first 1000 entries). The code parsed the names and email addresses of those contacts and then prioritized addresses at gmail.com, avoiding addresses containing the strings "google", "keeper" and "unty". Once the list of potential victims was built, the code sent the same email to them, thus propagating the attack. When sending the email, the attackers also BCC'd the address hhhhhhhhhhhhhhhh[at]mailinator[.]com, presumably to monitor progress or collect the list of victims.

Impact
Luckily, Google reacted quickly, and the malicious applications were shut down about an hour after the start of the campaign. Cloudflare, which the attackers used in front of the malicious infrastructure, took down that part of the attack infrastructure quickly too. It is important to mentio
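The grants described above, a third-party app named "Google Docs" asking for mail read, mail send and contacts access and being authorized by many users in a short window, are exactly what monitoring of cloud services should catch. The following is an added example, not AlienVault's code and not the attacker's: a Python triage that runs over a constructed set of OAuth authorization audit events and flags an app when its display name impersonates Google, when its scopes give it everything a self-mailing worm needs, and when many distinct users authorize the same client_id inside a ten-minute window. The event schema (ts, user, app_name, client_id, scopes), the client IDs and the user addresses are assumptions made for illustration; the scope URIs are Google's real ones.

```python
"""Triage third-party OAuth grants for consent-phishing / worm patterns.
Added example, not AlienVault's code. The event schema (ts, user, app_name,
client_id, scopes), client IDs and users below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Real Google OAuth scope URIs, grouped by the capability they grant.
MAIL_READ = {"https://mail.google.com/",
             "https://www.googleapis.com/auth/gmail.readonly",
             "https://www.googleapis.com/auth/gmail.modify"}
MAIL_SEND = {"https://mail.google.com/",
             "https://www.googleapis.com/auth/gmail.send",
             "https://www.googleapis.com/auth/gmail.compose",
             "https://www.googleapis.com/auth/gmail.modify"}
CONTACTS = {"https://www.googleapis.com/auth/contacts",
            "https://www.googleapis.com/auth/contacts.readonly",
            "https://www.google.com/m8/feeds"}
BRAND_WORDS = ("google", "gmail", "g suite")  # names a third-party app should not carry
BURST_WINDOW = timedelta(minutes=10)

# Constructed identifiers (not real client IDs or people).
ATTACKER_CLIENT_ID = "111111111111-constructed.apps.googleusercontent.com"
CHAT_CLIENT_ID = "222222222222-constructed.apps.googleusercontent.com"
MERGE_CLIENT_ID = "333333333333-constructed.apps.googleusercontent.com"
ALLOWLISTED_CLIENT_IDS = {CHAT_CLIENT_ID}  # apps the organization has already vetted
WORM_SCOPES = ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]


def _grant(ts: str, user: str, app: str, cid: str, scopes: List[str]) -> Dict:
    return {"ts": ts, "user": user, "app_name": app, "client_id": cid, "scopes": scopes}


# Constructed audit events: four users grant the fake "Google Docs" app within
# six minutes; two unrelated apps each receive a single, narrower grant.
SAMPLE_EVENTS = [
    _grant("2017-05-03T19:01:05Z", "alice@corp.example", "Google Docs", ATTACKER_CLIENT_ID, WORM_SCOPES),
    _grant("2017-05-03T19:02:40Z", "bob@corp.example", "Google Docs", ATTACKER_CLIENT_ID, WORM_SCOPES),
    _grant("2017-05-03T19:04:12Z", "carol@corp.example", "Google Docs", ATTACKER_CLIENT_ID, WORM_SCOPES),
    _grant("2017-05-03T19:06:59Z", "dave@corp.example", "Google Docs", ATTACKER_CLIENT_ID, WORM_SCOPES),
    _grant("2017-05-03T09:15:00Z", "erin@corp.example", "TeamChat", CHAT_CLIENT_ID,
           ["https://www.googleapis.com/auth/userinfo.email"]),
    _grant("2017-05-03T14:30:00Z", "frank@corp.example", "Mail Merge Helper", MERGE_CLIENT_ID,
           ["https://www.googleapis.com/auth/gmail.send",
            "https://www.googleapis.com/auth/contacts.readonly"]),
]


def impersonates_google(app_name: str) -> bool:
    """The consent screen is Google's own; only the display name is attacker-chosen."""
    return any(word in app_name.lower() for word in BRAND_WORDS)


def has_worm_scopes(scopes: List[str]) -> bool:
    """Read mail + send mail + contacts is the minimum a self-mailing worm needs."""
    granted = set(scopes)
    return all(granted & group for group in (MAIL_READ, MAIL_SEND, CONTACTS))


def find_bursts(events: List[Dict], window: timedelta = BURST_WINDOW,
                min_users: int = 3) -> Dict[str, int]:
    """Map client_id -> max distinct users who granted it inside any `window`."""
    by_client: Dict[str, List] = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_client[e["client_id"]].append((ts, e["user"]))
    bursts: Dict[str, int] = {}
    for cid, grants in by_client.items():
        grants.sort()
        lo, best = 0, 0
        for hi in range(len(grants)):  # sliding window over time-sorted grants
            while grants[hi][0] - grants[lo][0] > window:
                lo += 1
            best = max(best, len({user for _, user in grants[lo:hi + 1]}))
        if best >= min_users:
            bursts[cid] = best
    return bursts


def triage(events: List[Dict]) -> List[Dict]:
    """One finding per suspicious client_id, with every reason it was flagged."""
    bursts = find_bursts(events)
    findings, seen = [], set()
    for e in events:
        cid = e["client_id"]
        if cid in seen or cid in ALLOWLISTED_CLIENT_IDS:
            continue
        seen.add(cid)
        reasons = []
        if impersonates_google(e["app_name"]):
            reasons.append("third-party app name impersonates Google")
        if has_worm_scopes(e["scopes"]):
            reasons.append("scopes allow read mail + send mail + read contacts")
        if cid in bursts:
            minutes = int(BURST_WINDOW.total_seconds() // 60)
            reasons.append(f"{bursts[cid]} distinct users authorized it within {minutes} minutes")
        if reasons:
            findings.append({"client_id": cid, "app_name": e["app_name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["app_name"], finding["client_id"], *finding["reasons"], sep="\n  ")
```

On the constructed data only the fake "Google Docs" client is reported, with all three reasons; the chat app is skipped by the allow-list and the mail-merge app, which can send mail and read contacts but not read mail, is left alone. The name check on its own is a weak signal (many legitimate add-ons mention Gmail), so key decisions on the client_id: allow-list the apps the organization has vetted, and when a client_id is flagged, revoke its tokens for every user who granted it rather than only the user who reported the email.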
Sent Yes
Tags Guideline
Stories Yahoo APT 28
Notes


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.