One Article Review

Home - The article:
Source ProofPoint
Identifier 8449195
Publication date 2024-02-12 07:37:05 (viewed: 2024-02-12 10:07:38)
Title Community Alert: Ongoing Malicious Campaign Impacting Azure Cloud Environments
Text Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. This post serves as a community warning regarding the attack and offers suggestions that affected organizations can implement to protect themselves from it.

What are we seeing?

In late November 2023, Proofpoint researchers detected a new malicious campaign, integrating credential phishing and cloud account takeover (ATO) techniques. As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents. For example, some weaponized documents include embedded links to "View document" which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.

Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally. The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as "Vice President, Operations", "Chief Financial Officer & Treasurer" and "President & CEO" were also among those targeted. The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.

Following the attack's behavioral patterns and techniques, our threat analysts identified specific indicators of compromise (IOCs) associated with this campaign. Namely, the use of a specific Linux user-agent utilized by attackers during the access phase of the attack chain:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Attackers predominantly utilize this user-agent to access the 'OfficeHome' sign-in application along with unauthorized access to additional native Microsoft365 apps, such as:

'Office365 Shell WCSS-Client' (indicative of browser access to Office365 applications)
'Office 365 Exchange Online' (indicative of post-compromise mailbox abuse, data exfiltration and email threats proliferation)
'My Signins' (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog)
'My Apps'
'My Profile'

Post compromise risks

Successful initial access often leads to a sequence of unauthorized post-compromise activities, including:

MFA manipulation. Attackers register their own MFA methods to maintain persistent access. We have observed attackers choosing different authentication methods, including the registration of alternative phone numbers for authentication via SMS or phone call. However, in most MFA manipulation instances, attackers preferred to add an authenticator app with notification and code.

[Figure: Examples of MFA manipulation events, executed by attackers in a compromised cloud tenant.]

Data exfiltration. Attackers access and download sensitive files, including financial assets, internal security protocols, and user credentials.

Internal and external phishing. Mailbox access is leveraged to conduct lateral movement within impacted organizations and to target specific user accounts with personalized phishing threats.

Financial fraud. In an effort to perpetrate financial fraud, internal email messages are dispatched to target Human Resources and Financial departments within affected organizations.

Mailbox rules. Attackers create dedicated obfuscation rules, intended to cover their tracks and erase all evidence of malicious activity from victims' mailboxes.

[Figure: Examples of obfuscation mailbox rules created by attackers following successful account takeover.]

Operational infrastructure

Our forensic analysis of the attack has surfaced several proxies,
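The user-agent and application-name indicators above can be turned into a simple triage check over Entra ID sign-in records. The following is an added example, not code from Proofpoint or from the article: it assumes sign-in log lines as JSON with the field names shown (userPrincipalName, appDisplayName, userAgent), and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# Indicators quoted in the alert: the Linux user-agent string and the
# Microsoft 365 applications the attackers were seen accessing with it.
SUSPICIOUS_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
TARGET_APPS = {"OfficeHome", "Office365 Shell WCSS-Client",
               "Office 365 Exchange Online", "My Signins", "My Apps", "My Profile"}

# Constructed sample sign-in records (field names are an assumption modelled on
# the Entra ID sign-in log schema; users, IPs and timestamps are made up).
SAMPLE_LOGS = """
{"createdDateTime":"2024-02-01T08:02:11Z","userPrincipalName":"cfo@example.com","appDisplayName":"OfficeHome","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","ipAddress":"203.0.113.10"}
{"createdDateTime":"2024-02-01T08:05:40Z","userPrincipalName":"cfo@example.com","appDisplayName":"My Signins","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","ipAddress":"203.0.113.10"}
{"createdDateTime":"2024-02-01T08:10:02Z","userPrincipalName":"sales@example.com","appDisplayName":"OfficeHome","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","ipAddress":"198.51.100.7"}
{"createdDateTime":"2024-02-01T09:00:00Z","userPrincipalName":"dev@example.com","appDisplayName":"Azure Portal","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","ipAddress":"192.0.2.5"}
"""


def find_suspicious_signins(lines):
    """Return records whose user-agent matches the campaign indicator AND whose
    target app is one of the apps named in the alert. A user-agent on its own
    is a weak signal (legitimate Linux users send the same string), so the
    app-name condition is required before a record is surfaced for triage."""
    hits = []
    for raw in lines.strip().splitlines():
        rec = json.loads(raw)
        if (rec.get("userAgent") == SUSPICIOUS_UA
                and rec.get("appDisplayName") in TARGET_APPS):
            hits.append(rec)
    return hits


def users_with_mfa_followup(hits):
    """Among the surfaced records, return users who also reached 'My Signins',
    the app the alert ties to MFA method registration. A suspicious sign-in
    followed by 'My Signins' access is the pattern to escalate first."""
    apps_by_user = defaultdict(set)
    for rec in hits:
        apps_by_user[rec["userPrincipalName"]].add(rec["appDisplayName"])
    return sorted(u for u, apps in apps_by_user.items() if "My Signins" in apps)


if __name__ == "__main__":
    flagged = find_suspicious_signins(SAMPLE_LOGS)
    for rec in flagged:
        print(rec["createdDateTime"], rec["userPrincipalName"], rec["appDisplayName"])
    print("escalate (MFA follow-up):", users_with_mfa_followup(flagged))
```

For an escalated user, the next check is the authentication-methods audit trail and the mailbox inbox rules, which are the two post-compromise actions the alert describes.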
Sent Yes
Tags Malware Tool Threat Cloud
Rating ★★★
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.