One Article Review

The article:
Source ProofPoint
Identifier 8480713
Publication date 2024-04-12 06:00:03 (viewed: 2024-04-12 13:07:34)
Title Cybersecurity Stop of the Month: Defeating Malicious Application Creation Attacks
Text This blog post is part of a monthly series, Cybersecurity Stop of the Month, which explores the ever-evolving tactics of today's cybercriminals. It focuses on the critical first three steps in the attack chain in the context of email threats. The goal of this series is to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today's dynamic threat landscape.

Figure: The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence.

So far in this series, we have examined these types of attacks:

Supplier compromise
EvilProxy
SocGholish
eSignature phishing
QR code phishing
Telephone-oriented attack delivery (TOAD)
Payroll diversion
MFA manipulation
Supply chain compromise
Multilayered malicious QR code attack

In this post, we examine an emerging threat: the use of malicious cloud applications created within compromised cloud tenants following account takeover. We refer to it as MACT, for short.

Background

Cloud account takeover (ATO) attacks are a well-known risk. Research by Proofpoint found that last year more than 96% of businesses were actively targeted by these attacks and about 60% had at least one incident. Financial damages reached an all-time high.

These findings are unsettling, but there is more for businesses to worry about. Cybercriminals and state-sponsored entities are rapidly adopting advanced post-ATO techniques, and they have embraced the use of malicious and abused OAuth apps.

In January 2024, Microsoft revealed that a nation-state attacker had compromised its cloud environments and stolen valuable data. The attack was attributed to TA421 (aka Midnight Blizzard and APT29), a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). The attackers exploited existing OAuth apps and created new ones within hijacked cloud tenants.
After the incident, CISA issued a new advisory for businesses that rely on cloud infrastructures.

Proofpoint threat researchers observed attackers pivoting to the use of OAuth apps from compromised, and often verified, cloud tenants. Threat actors take advantage of the trust associated with verified or recognized identities to spread cloud malware threats as well as to establish persistent access to sensitive resources.

The scenario

Proofpoint monitors a malicious campaign named MACT Campaign 1445. It combines a known tactic used by cloud ATO attackers with new tactics, techniques and procedures. So far, it has affected dozens of businesses and users. In this campaign, attackers use hijacked user accounts to create malicious internal apps. In tandem, they also conduct reconnaissance, exfiltrate data and launch additional attacks.

Attackers use a unique, anomalous reply URL for the malicious OAuth apps: a local loopback address on port 7823. That TCP port is also associated with a known Windows Remote Access Trojan (RAT).

Recently, Proofpoint researchers found four accounts at a large company in the hospitality industry compromised by attackers. In a matter of days, the attackers used these accounts to create four distinct malicious OAuth apps.

The threat: How did the attack happen?

Here is a closer look at how the attack unfolded.

Initial access vectors. Attackers used a reverse proxy toolkit to target cloud user accounts. They sent individualized phishing lures to these users, which enabled them to steal their credentials as well as multifactor authentication (MFA) tokens.

Figure: A shared PDF file with an embedded phishing URL that attackers used to steal users' credentials.

Unauthorized access (cloud account takeover). Once attackers had stolen users' credentials, they established unauthorized access to the four targeted accounts.
They logged in to several native Microsoft 365 sign-in apps, including "Azure Portal" and "Office Home."

Cloud malware (post-access OAuth app creat
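The loopback reply URL on port 7823 is the one concrete artifact this write-up gives for the campaign, and it is cheap to hunt for in tenant audit logs. The following is an added example written for this page, not Proofpoint's or Microsoft's code: it walks Entra ID-style "Add application" / "Update application" audit events and flags app registrations whose reply (redirect) URL points at a loopback host, scoring the campaign's port as high and any other loopback reply URL as medium, since localhost redirect URIs are normal for developer tooling and deserve a look rather than an automatic block. The event layout is modelled on the Microsoft Graph directoryAudits shape, but the events themselves are constructed for this example, and the "AppAddress" property name and its JSON-encoded newValue are assumptions to verify against your own tenant's export.

```python
"""Hunt for OAuth app registrations with loopback reply URLs (MACT-style indicator).

Added example, not Proofpoint's or Microsoft's code. The event shape below is
modelled on Microsoft Graph directoryAudits entries, but the events are
constructed and the "AppAddress" property layout is an assumption: check it
against a real export from your tenant before relying on this logic.
"""
import json
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
IOC_PORTS = {7823}  # loopback port reported for MACT Campaign 1445; extend with your own IOCs
APP_ACTIVITIES = {"Add application", "Update application"}


def _app_event(event_id, activity, actor, app_name, addresses):
    """Build one constructed audit event (sample data, not real tenant data)."""
    return {
        "id": event_id,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{
            "displayName": app_name,
            "modifiedProperties": [{
                "displayName": "AppAddress",  # assumed property name
                "newValue": json.dumps([{"Address": a, "AddressType": "Reply"} for a in addresses]),
            }],
        }],
    }


# Constructed sample events: one benign app, two campaign-style loopback apps,
# one developer app on a non-IOC loopback port, and one unrelated event.
SAMPLE_EVENTS = [
    _app_event("ev-1", "Add application", "alice@example.com", "Expense Tracker",
               ["https://expenses.example.com/auth"]),
    _app_event("ev-2", "Add application", "bob@example.com", "Mail Sync Helper",
               ["http://localhost:7823"]),
    _app_event("ev-3", "Update application", "carol@example.com", "Doc Viewer",
               ["https://docs.example.com/cb", "http://127.0.0.1:7823/cb"]),
    _app_event("ev-4", "Add application", "dave@example.com", "Local Dev Tool",
               ["http://localhost:8080/callback"]),
    {"id": "ev-5", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "erin@example.com"}},
     "targetResources": [{"displayName": "Finance", "modifiedProperties": []}]},
]


def reply_urls(event):
    """Yield (app name, reply URL) pairs written by an app add/update event."""
    if event.get("activityDisplayName") not in APP_ACTIVITIES:
        return
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "AppAddress":
                continue
            try:
                addresses = json.loads(prop.get("newValue") or "[]")
            except json.JSONDecodeError:
                continue  # malformed newValue: skip rather than crash the hunt
            for entry in addresses:
                if entry.get("AddressType") == "Reply":
                    yield target.get("displayName", "?"), entry.get("Address", "")


def classify_url(url):
    """'high' for loopback on an IOC port, 'medium' for any other loopback
    reply URL (legitimate for local dev, so review rather than block),
    None for a non-loopback URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()  # hostname strips the [] of IPv6 literals
    if host not in LOOPBACK_HOSTS:
        return None
    try:
        port = parsed.port
    except ValueError:  # garbage port string: still loopback, still worth a look
        port = None
    return "high" if port in IOC_PORTS else "medium"


def find_suspicious_app_changes(events):
    """Return one finding per loopback reply URL: event id, actor, app, URL, severity."""
    findings = []
    for event in events:
        actor = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        for app_name, url in reply_urls(event):
            severity = classify_url(url)
            if severity:
                findings.append({"event_id": event["id"], "actor": actor, "app": app_name,
                                 "reply_url": url, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_app_changes(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['event_id']}: {f['actor']} registered/updated "
              f"'{f['app']}' with reply URL {f['reply_url']}")
```

Run against the constructed sample, the hunt reports ev-2 and ev-3 as high (loopback on 7823, the second of them hidden behind a legitimate-looking first reply URL on an existing app) and ev-4 as medium; the benign registration and the group-membership event produce nothing. In a real investigation the actor field is the pivot: the page's point is that these registrations come from hijacked user accounts, so every hit should be checked against that user's recent sign-ins and any other apps they created.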
Sent Yes
Tags Spam Malware Tool Threat Cloud
Stories APT 29
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.