One Article Review

Home - The article:
Source ProofPoint
Identifier 8459757
Publication date 2024-03-06 13:55:16 (viewed: 2024-03-06 10:11:36)
Title TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids
Text

Key takeaways
- TA4903 is a unique threat actor that demonstrates at least two distinct objectives: (1) credential phishing and (2) business email compromise (BEC).
- TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials.
- The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others.
- Campaign volumes range from hundreds of messages to tens of thousands of messages per campaign.
- The messages typically target entities in the U.S., although additional global targeting has been observed.
- TA4903 has been observed using the EvilProxy MFA bypass tool.
- In late 2023, TA4903 began adopting QR codes in credential phishing campaigns.

Overview

TA4903 is a financially motivated cybercriminal threat actor that spoofs both U.S. government entities and private businesses across many industries. The actor mostly targets organizations located in the United States, but occasionally those located globally, with high-volume email campaigns. Proofpoint assesses with high confidence that the objectives of the campaigns are to steal corporate credentials, infiltrate mailboxes, and conduct follow-on business email compromise (BEC) activity.

Proofpoint began observing a series of campaigns spoofing federal U.S. government entities in December 2021. The campaigns, which were subsequently attributed to TA4903, first masqueraded as the U.S. Department of Labor. In 2022 campaigns, the threat actors purported to be the U.S. Departments of Housing and Urban Development, Transportation, and Commerce. During 2023, the actor began to spoof the U.S. Department of Agriculture.

In mid-2023 through 2024, Proofpoint observed an increase in credential phishing and fraud campaigns from TA4903 using different themes. The actor began spoofing various small and medium-sized businesses (SMBs) across industries including construction, manufacturing, energy, finance, food and beverage, and others. Proofpoint also observed an increase in the tempo of BEC themes, including the use of themes such as "cyberattacks" to prompt victims to provide payment and banking details.

Most credential phishing messages associated with this actor contain URLs or attachments leading to credential phishing websites. In some cases, including the government-themed campaigns, messages contain PDF attachments with embedded links or QR codes leading to websites that appear to be direct clones of the spoofed government agency.

Based on Proofpoint's research and on tactics, techniques, and procedures (TTPs) observed in open-source intelligence, activity related to TA4903's impersonation of U.S. government entities goes back to at least mid-2021. TTPs associated with the actor's broader credential phishing and BEC activities are observable as far back as 2019.

Campaign details

Government bid spoofing

Historically, Proofpoint mostly observed TA4903 conducting credential theft campaigns using PDF attachments leading to portals spoofing U.S. government entities, typically using bid proposal lures. In late 2023, TA4903 began spoofing the USDA and began incorporating QR codes into its PDFs, a technique previously unobserved from this actor.

Messages may purport to be, for example:

From: U.S. Department of Agriculture
Subject: Invitation To Bid
Attachment: usda2784748973bid.pdf

[Figure: Example of one page of a multi-page PDF spoofing the USDA. The "Bid Now" button is hyperlinked to the same URL as the QR code.]

In these campaigns, the PDF attachments are typically multiple pages long and contain both embedded URLs and QR codes that lead to government-branded phishing websites.

[Figure: Example credential phishing website operated by TA4903, designed to capture O365 and other email account credentials.]

In 2023, Proofpoint observed TA4903 spoof the U.S. Department of Transportation, the U.S. Small Business Administration (SBA), and the USDA us
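The government bid lure described above combines three observable traits: a display name claiming a U.S. agency, a bid-themed subject, and a PDF attachment, all sent from a domain the agency does not own. The following triage rule is an added example, not code from the Proofpoint article; it scores constructed message records against those traits and flags the combination when the sender domain is outside .gov/.mil. The name and subject pattern lists, the threshold, and the sample messages are assumptions for illustration.

```python
"""Added example (not from the Proofpoint article): score inbound mail for the
government-bid lure pattern -- agency display name, bid/tender subject, PDF
attachment -- when the sender domain is not under .gov or .mil.
The message records below are constructed for illustration, not real samples."""
from email.utils import parseaddr
import re

# Display-name fragments that should only arrive from a .gov/.mil sender.
# Assumed list for the example; tune it to your own environment.
GOV_NAME_PATTERNS = (
    r"\bdepartment of\b", r"\busda\b", r"\bsmall business administration\b",
    r"\bsba\b", r"\bu\.?s\.? government\b",
)
# Subject keywords matching the bid-proposal theme the article describes.
BID_SUBJECT_PATTERNS = (r"\bbid\b", r"\btender\b", r"\bproposal\b", r"\bsolicitation\b")
PDF_RE = re.compile(r"\.pdf$", re.I)


def sender_domain(from_header):
    """Lower-cased domain of the address part of a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def display_name(from_header):
    """Display-name part of a From: header ('' if absent)."""
    name, _ = parseaddr(from_header)
    return name


def is_gov_domain(domain):
    """True only for domains under .gov or .mil; lookalikes such as
    usda.gov-bids.example do not match because the suffix check is exact."""
    return domain.endswith((".gov", ".mil"))


def score_message(msg):
    """Return (score, reasons) for a dict with keys id, from, subject, attachments."""
    reasons = []
    name = display_name(msg["from"]).lower()
    domain = sender_domain(msg["from"])
    if any(re.search(p, name) for p in GOV_NAME_PATTERNS) and not is_gov_domain(domain):
        reasons.append(f"government display name from non-.gov domain {domain!r}")
    subject = msg["subject"].lower()
    if any(re.search(p, subject) for p in BID_SUBJECT_PATTERNS):
        reasons.append("bid/tender-themed subject")
    pdfs = [a for a in msg.get("attachments", []) if PDF_RE.search(a)]
    if pdfs:
        reasons.append(f"PDF attachment {pdfs[0]!r}")
        if any("bid" in a.lower() for a in pdfs):
            reasons.append("attachment name contains 'bid'")
    return len(reasons), reasons


def triage(messages, threshold=3):
    """Return [(id, score, reasons)] for messages at or above the threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg["id"], score, reasons))
    return flagged


# Constructed sample messages (hypothetical senders and attachment names).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": '"U.S. Department of Agriculture" <procurement@example-bids.net>',
     "subject": "Invitation To Bid", "attachments": ["usda2784748973bid.pdf"]},
    {"id": "m2", "from": '"USDA Procurement" <notices@usda.gov>',
     "subject": "Invitation To Bid", "attachments": ["solicitation.pdf"]},
    {"id": "m3", "from": '"Accounts Payable" <ap@example.com>',
     "subject": "Invoice 4471", "attachments": ["invoice4471.pdf"]},
]

if __name__ == "__main__":
    for msg_id, score, reasons in triage(SAMPLE_MESSAGES):
        print(msg_id, score, "; ".join(reasons))
```

The scoring is deliberately additive rather than a single hard rule: a legitimate .gov bid notice with a PDF (m2) scores 2 and stays below the threshold, while the spoofed message (m1) accumulates all four reasons. In a mail gateway, the same logic would run on parsed headers and attachment metadata rather than on the embedded dicts.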
Sent Yes
Word index (scraper-generated keyword bag; dropped). SHA256 values that survive from it, with their file associations not recoverable from this page:
15b9ae1ab5763985af2e6fe0b22526d045666609ad31829b8926466599eeb284
d398eef8cf3a69553985c4fd592a4500b791392cf86d7593dbdbd46f8842a18d
ed4134de34fbc67c6a14c4a4d521e69b3cd2cb5e657b885bd2e8be0e45ad2bda
Tags Threat Tool Medical
Rating ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.