One Article Review

The article:
Source: ProofPoint
Identifier: 8483299
Publication date: 2024-04-16 06:00:54 (seen: 2024-04-16 09:07:26)
Title: From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering
Text:

Key takeaways

- TA427 regularly runs benign conversation-starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime.
- In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization (NGO) personas to legitimize its emails and increase the chances that targets will engage with the threat actor.
- To pose convincingly as its chosen personas, TA427 uses several tactics, including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing.
- TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information such as whether the email account is active.

Overview

Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People's Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and Republic of Korea (ROK or South Korea) foreign policy.

Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanctions topics via benign conversation-starting emails. In recent months, Proofpoint researchers have observed (Figure 1) a steady, and at times increasing, stream of this activity. While our researchers have consistently observed TA427 relying on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling.

This blog focuses on this initial engagement and the tactics TA427 has successfully leveraged.

Figure 1. Volume of TA427 phishing campaigns observed between January 2023 and March 2024.

Social engineering

TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea's strategic intelligence collection efforts on US and ROK foreign policy initiatives. Based on the targets identified and the information sought, it is believed that TA427's goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics (see the example in Figure 2). TA427 is known to engage its targets for extended periods through a series of benign conversations, building rapport over weeks to months. It does so by constantly rotating the aliases used to engage with the targets on similar subject matter.

Figure 2. Example of a TA427 campaign focused on US policy during an election year.

Using timely, relevant lure content (as seen in Figure 3) customized for each victim, and often spoofing individuals in the DPRK research space with whom the victim is familiar to encourage engagement, TA427 frequently asks targets to share their thoughts on these topics via email or in a formal research paper or article. Malware or credential harvesting content is never sent directly to the targets without an exchange of multiple messages and, based on Proofpoint visibility, is rarely used by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than through an infection. Additionally, insight gained from the correspondence is likely used to improve targeting of the victim organization and to establish rapport for later questions and engagement.

Figure 3. Timeline of real-world events based on international press reporting, side-by-side with Proofpoint-observed subject lures.

Lure content often includes invitations to attend events about North Korean policies regarding international affairs, questions regarding topics such as how deterr
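The "lax DMARC policy" that the article says TA427 abuses is, concretely, a published record whose p= tag is none (or whose sp= or pct= weakens it), so a receiver authenticates nothing when a persona's domain is forged in the From: header. The following is an added example, not code from Proofpoint or the article: it parses a DMARC TXT record, classifies a domain's exposure to From: spoofing, and shows what a DMARC-aware receiver does with an unaligned message. Domain names and records are constructed for illustration.

```python
"""Classify a domain's DMARC record by how much From: spoofing it tolerates."""
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spoof_risk(record: Optional[str], subdomain: bool = False) -> str:
    """Return 'no-dmarc', 'monitor-only', 'partial' or 'enforced'.

    'monitor-only' is the p=none case the article calls a lax policy:
    reports are sent, but a forged From: is still delivered normally.
    """
    if record is None:
        return "no-dmarc"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "no-dmarc"  # receivers treat a malformed record as absent
    # Subdomains use sp= when present and otherwise inherit p=.
    policy = tags.get("sp", tags.get("p", "none")) if subdomain else tags.get("p", "none")
    policy = policy.lower()
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    if policy == "none":
        return "monitor-only"
    if policy in ("quarantine", "reject") and pct == 100:
        return "enforced"
    return "partial"  # quarantine/reject applied to only pct% of failing mail


def receiver_action(record: Optional[str], spf_aligned: bool, dkim_aligned: bool) -> str:
    """Action a DMARC-aware receiver takes on one message (pct sampling omitted)."""
    if spf_aligned or dkim_aligned:
        return "deliver"  # DMARC passes when either identifier is aligned
    if record is None:
        return "deliver"  # nothing published, so nothing to enforce
    policy = parse_dmarc(record).get("p", "none").lower()
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


# Constructed sample records, not real domains.
SAMPLES = {
    "thinktank-example.org": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank-example.org",
    "ngo-example.org": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@ngo-example.org",
    "hardened-example.org": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened-example.org",
    "legacy-example.org": None,
}
```

Run `spoof_risk` over your own organization's domains (and the subdomain case) to find the monitor-only and partial records a persona-spoofing campaign would sail through.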
Sent: Yes
Tags: Malware Tool Threat Conference
Stories: APT 37 APT 43
Notes: ★★


The article does not appear to have been republished after its publication.


The article does not appear to be a repeat of a previous one.