One Article Review

Home - The article:
Source: ProofPoint
Identifier: 8480061
Publication date: 2024-04-11 13:27:54 (viewed: 2024-04-11 15:09:19)
Title: Revisiting MACT: Malicious Applications in Credible Cloud Tenants
Text: For years, the Proofpoint Cloud Research team has been particularly focused on the constantly changing landscape of cloud malware threats. While precise future predictions remain elusive, a retrospective examination of 2023 enabled us to discern significant shifts and trends in threat actors' behaviors, thereby informing our projections for the developments expected in 2024.

There is no doubt that one of the major, and most concerning, trends observed in 2023 was the increased adoption of malicious and abused OAuth applications by cybercriminals and state-sponsored actors. In January, Microsoft announced they, among other organizations, were targeted by a sophisticated nation-state attack. It seems that the significant impact of this attack, which was attributed to TA421 (AKA Midnight Blizzard and APT29), largely stemmed from the strategic exploitation of pre-existing OAuth applications, coupled with the creation of new malicious applications within compromised environments. Adding to a long list of data breaches, this incident emphasizes the inherent potential risk that users and organizations face when using inadequately protected cloud environments.

Expanding on early insights shared in our 2021 blog, where we first explored the emerging phenomenon of application creation attacks, and armed with extensive recent discoveries, we delve into the latest developments concerning this threat in our 2024 update.

In this blog, we will:
- Define key fundamental terms pertinent to the realm of cloud malware and OAuth threats.
- Examine some of the current tactics, techniques, and procedures (TTPs) employed by threat actors as part of their account-takeover (ATO) kill chain.
- Provide specific IOCs related to recently detected threats and campaigns.
- Highlight effective strategies and solutions to help protect organizations and users against cloud malware threats.

Basic terminology

OAuth (Open Authorization) 2.0. OAuth is an open standard protocol that enables third-party applications to access a user's data without exposing credentials. It is widely used to facilitate secure authentication and authorization processes.

Line-of-business (LOB) applications. LOB apps (also known as second-party apps) typically refer to applications created by a user within their cloud environment in order to support a specific purpose for the organization.

Cloud malware. A term usually referring to malicious applications created, utilized and proliferated by threat actors. Malicious apps can be leveraged for various purposes, such as: mailbox access, file access, data exfiltration, internal reconnaissance, and maintaining persistent access to specific resources.

MACT (Malicious Applications Created in Compromised Credible Tenants). A common technique wherein threat actors create new applications within hijacked environments, exploiting unauthorized access to compromised accounts to initiate additional attacks and establish a persistent foothold within impacted cloud tenants.

Apphish. A term denoting the fusion of cloud apps-based malware with phishing tactics, mainly by utilizing OAuth 2.0 infrastructure to implement open redirection attacks. Targeted users could be taken to a designated phishing webpage upon clicking an app's consent link. Alternatively, redirection to a malicious webpage could follow authorizing or declining an application's consent request.

Abused OAuth applications. Benign apps that are authorized or used by attackers, usually following a successful account takeover, to perform illegitimate activities.

What we are seeing

Already in 2020, we witnessed a rise in malicious OAuth applications targeting cloud users, with bad actors utilizing increasingly sophisticated methods such as application impersonation and diverse lures.

In October 2022, Proofpoint researchers demonstrated how different threat actors capitalized on the global relevance of the COVID-19 pandemic to spread malware and phishing threats. Proofpoint has also seen this trend include the propagation of malicious OAuth applications seamlessly integ
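The MACT pattern defined above (a compromised account registering a new app, attaching credentials to it and consenting to it inside the victim tenant) is something a defender can hunt for in tenant audit logs. The following is an added example, not code from the Proofpoint article: it correlates constructed audit records per actor and app, and the field names, operation strings and the `risky_accounts` input are assumptions modelled on Entra ID audit logs, not a real schema.

```python
"""Added MACT-hunting sketch: flag one actor creating, crediting and consenting to an app."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (assumed field names, not a real export).
SAMPLE_EVENTS = [
    {"time": "2024-04-10T08:02:11Z", "actor": "alice@example.com",
     "op": "Add application", "target": "Mail Sync Helper"},
    {"time": "2024-04-10T08:04:40Z", "actor": "alice@example.com",
     "op": "Add service principal credentials", "target": "Mail Sync Helper"},
    {"time": "2024-04-10T08:05:02Z", "actor": "alice@example.com",
     "op": "Consent to application", "target": "Mail Sync Helper"},
    # Benign LOB app registration by an unflagged user: only one of the three steps.
    {"time": "2024-04-09T14:00:00Z", "actor": "bob@example.com",
     "op": "Add application", "target": "HR Dashboard"},
]

# The three operations that together make up the MACT foothold (assumed names).
MACT_OPS = {"Add application", "Add service principal credentials", "Consent to application"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_mact_candidates(events, risky_accounts, window=timedelta(hours=1)):
    """Return (actor, app) pairs where an account with a prior risk signal performed
    all MACT_OPS on the same app within `window`. risky_accounts is the set of
    accounts already flagged (e.g. by anomalous sign-in), supplied by the caller."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["op"] in MACT_OPS:
            by_key[(ev["actor"], ev["target"])].append(ev)
    hits = []
    for (actor, app), evs in by_key.items():
        if actor not in risky_accounts:
            continue
        ops = {ev["op"] for ev in evs}
        times = sorted(parse_time(ev["time"]) for ev in evs)
        span = times[-1] - times[0]
        if ops == MACT_OPS and span <= window:
            hits.append({"actor": actor, "app": app,
                         "span_seconds": int(span.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in find_mact_candidates(SAMPLE_EVENTS, {"alice@example.com"}):
        print("possible MACT foothold:", hit)
```

In practice the risk-signal set would come from sign-in anomaly detection, and a hit should trigger review of the app's granted permissions and credentials rather than an automatic block.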
Sent: Yes
Tags: Malware, Threat, Prediction, Cloud
Stories: APT 29
Rating: ★★★