One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 3791016
Publication date 2021-12-07 15:08:56 (viewed: 2021-12-13 21:05:26)
Title NICKEL - Targeting Organizations Across Europe, North America, and South America
Text FortiGuard Labs is aware of reports relating to NICKEL, a state-sponsored group targeting varying interests in Europe, North America, and South America. NICKEL is a state-sponsored group operating out of China and is targeting governmental organizations, diplomatic groups, and non-governmental organizations in 29 countries. NICKEL's modus operandi is the use of exploits against unpatched systems to compromise vulnerable systems and their unpatched services. Observed exploits used by NICKEL included the exploitation of services such as Microsoft Exchange, Microsoft SharePoint, and Pulse Secure VPN. Microsoft filed pleadings with the United States District Court of Eastern Virginia on December 2nd to seize control of servers used by NICKEL.

What are the Technical Details?
NICKEL malware variants use Internet Explorer COM interfaces to receive instructions from predefined command and control (C2) servers. The malware will then connect to the web-based C2 servers to check for a specific string located on these servers. Once confirmed, the malware will decode a Base64-encoded blob that will load shellcode for further exploitation. NICKEL malware is capable of capturing system information such as the IP address, OS version, system language, computer name, and username of the currently signed-in user. It also contains backdoor functionality to execute commands and to upload and download files. NICKEL then uses the stolen and compromised credentials of the targeted victim to log in to Microsoft 365 accounts via browser logins to exfiltrate victim emails for further damage.

What Other Names is NICKEL Known As?
According to Microsoft, NICKEL is also known as APT15, APT25, and Ke3Chang.

Is this Limited to Targeted Attacks?
Yes. Attacks are limited to varying targets in specific countries and verticals.

What Countries were Targeted?
They are: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom, United States of America, and Venezuela.

What is the Status of Protections?
FortiGuard Labs provides the following AV coverage for the malware used in this campaign:
W32/Staser.COFE!tr
W32/Staser.CBQX!tr
W32/NetE.VH!tr
W32/BackDoor.U!tr
All network IOCs are blocked by the FortiGuard WebFiltering client.

Any Other Suggested Mitigation?
Because it has been reported that NICKEL obtains access via unpatched and vulnerable systems, it is important to ensure that all known vendor vulnerabilities are addressed and patched, so that attackers cannot gain a foothold within a network. Attackers are well aware of the difficulty of patching; if it is determined that patching is not feasible at this time, an assessment should be conducted to determine the risk.

Also, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing and spear-phishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized or untrusted senders with caution. Since it has been reported that various phishing and spear-phishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department.
Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.
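The advisory notes that NICKEL uses stolen credentials to log in to Microsoft 365 through browser sessions and exfiltrate mail. A defender can look for that step in sign-in telemetry. The following is an added example, not code from the advisory or from Fortinet or Microsoft: it runs two simple detections over a constructed set of sign-in records (the record fields, the user names, the placeholder country code "XX", and the time window are all assumptions), flagging interactive browser sign-ins from a country the account has never used before and pairs of sign-ins from different countries that occur too close together to be the same person.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (assumption: one dict per sign-in with
# user, UTC timestamp, source country and client type). Not real telemetry.
SAMPLE_SIGNINS = [
    {"user": "a.diplomat@example.org", "ts": "2021-12-01T08:02:00", "country": "FR", "client": "Browser"},
    {"user": "a.diplomat@example.org", "ts": "2021-12-01T09:15:00", "country": "FR", "client": "Browser"},
    {"user": "a.diplomat@example.org", "ts": "2021-12-02T08:10:00", "country": "FR", "client": "Browser"},
    # Placeholder country "XX": a browser login from somewhere this account has never used.
    {"user": "a.diplomat@example.org", "ts": "2021-12-03T03:40:00", "country": "XX", "client": "Browser"},
    {"user": "a.diplomat@example.org", "ts": "2021-12-03T04:05:00", "country": "FR", "client": "Browser"},
    {"user": "b.analyst@example.org", "ts": "2021-12-01T10:00:00", "country": "US", "client": "Browser"},
    {"user": "b.analyst@example.org", "ts": "2021-12-03T10:30:00", "country": "US", "client": "Mobile"},
]

# Assumed cutoff: everything before this builds the per-user baseline,
# everything at or after it is evaluated against that baseline.
BASELINE_CUTOFF = "2021-12-03T00:00:00"


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def build_baseline(records, cutoff):
    """Set of countries each user signed in from before the cutoff."""
    baseline = defaultdict(set)
    for rec in records:
        if parse_ts(rec["ts"]) < parse_ts(cutoff):
            baseline[rec["user"]].add(rec["country"])
    return baseline


def new_country_browser_signins(records, baseline, cutoff):
    """Browser sign-ins after the cutoff from a country absent from the user's baseline."""
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if parse_ts(rec["ts"]) < parse_ts(cutoff) or rec["client"] != "Browser":
            continue
        if rec["country"] not in baseline.get(rec["user"], set()):
            hits.append(rec)
    return hits


def impossible_travel(records, window=timedelta(hours=2)):
    """Consecutive sign-ins by one user from different countries within the window."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    hits = []
    for recs in by_user.values():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            gap = parse_ts(cur["ts"]) - parse_ts(prev["ts"])
            if prev["country"] != cur["country"] and gap <= window:
                hits.append((prev, cur))
    return hits


def run_detections(records=SAMPLE_SIGNINS, cutoff=BASELINE_CUTOFF):
    """Run both detections and summarise which accounts to review."""
    baseline = build_baseline(records, cutoff)
    new_country = new_country_browser_signins(records, baseline, cutoff)
    travel = impossible_travel(records)
    return {
        "new_country_hits": len(new_country),
        "impossible_travel_hits": len(travel),
        "users_to_review": sorted({r["user"] for r in new_country} | {p["user"] for p, _ in travel}),
    }


if __name__ == "__main__":
    for key, value in run_detections().items():
        print(f"{key}: {value}")
```

Both checks are deliberately coarse: a real deployment would feed them from the tenant's sign-in log export, tune the baseline window and travel threshold, and treat a hit as a reason to review the session and the account's mailbox access, not as proof of compromise.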
Sent Yes
Tags Malware Patching Guideline
Stories APT 15 APT 25
Rating ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.