One Article Review

Source RiskIQ
Identifier 8490778
Publication date 2024-04-29 16:05:58 (viewed: 2024-04-29 17:08:31)
Title Weekly OSINT Highlights, 29 April 2024
Text
## Snapshot
Last week's OSINT reporting reveals a diverse range of cyber threats targeting organizations globally. The articles highlight various attack vectors, including phishing emails with malware payloads (SSLoad, [Cobalt Strike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc)), ransomware variants (KageNoHitobito, DoNex), and mobile banking malware (Brokewell) distributed through fake domain schemes and overlay attacks. Threat actors behind these campaigns range from financially motivated ransomware groups to sophisticated state-sponsored actors like Sandworm ([Seashell Blizzard](https://sip.security.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01ee3d9ee3048078288e5201bb)) and UAT4356 ([Storm-1849](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5)). Targeted organizations span Europe, Asia, and the Americas, and targeted industries include critical infrastructure and IT.

## Description
1. **[Ongoing FROZEN#SHADOW Phishing Campaign](https://security.microsoft.com/intel-explorer/articles/e39d9bb3)**: The FROZEN#SHADOW campaign uses phishing emails to distribute SSLoad malware, alongside [Cobalt Strike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc) and ConnectWise ScreenConnect for persistence and remote access. The victim organizations, predominantly in Europe, Asia, and the Americas, are targeted via JavaScript file downloads and MSI installers that connect to attacker-controlled domains.
2. **[Insights on KageNoHitobito and DoNex Ransomware](https://security.microsoft.com/intel-explorer/articles/ff848e92)**: KageNoHitobito and DoNex are ransomware variants with distinct encryption methods and ransom note presentations. While KageNoHitobito prompts victims to negotiate through a Tor site, DoNex terminates specific services and processes, deletes shadow copies, and may be linked to DarkRace ransomware.
3. **[Brokewell Mobile Banking Malware](https://security.microsoft.com/intel-explorer/articles/99a5deee)**: Brokewell poses a significant threat to the banking industry, using overlay attacks, spyware functionality, and remote control capabilities to steal credentials and device information. The malware's active development and promotion on underground channels indicate growing interest among cybercriminals in targeting different regions.
4. **[Malvertising Campaign Targeting IT Teams with MadMxShell](https://security.microsoft.com/intel-explorer/articles/ffa6ca10)**: A sophisticated threat actor distributes the MadMxShell backdoor through fake domains, using Google Ads to push them to the top of search results. MadMxShell employs complex evasion techniques, including multi-stage injection and DNS tunneling for C2 communication, indicating an interest in targeting IT professionals for unauthorized access.
5. **[ArcaneDoor Campaign by UAT4356 (Storm-1849)](https://security.microsoft.com/intel-explorer/articles/a0cf0328)**: UAT4356 (tracked by Microsoft as [Storm-1849](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5)) targets perimeter network devices such as Cisco Adaptive Security Appliances (ASA) with the backdoors "Line Runner" and "Line Dancer" for reconnaissance and malicious actions. The campaign showcases a state-sponsored actor's advanced tradecraft, with deliberate efforts to evade forensics and exploit zero-day vulnerabilities. The initial access vector used in this campaign remains unidentified, but two vulnerabilities ([CVE-2024-20353](https://security.microsoft.com/intel-explorer/cves/CVE-2024-20353/description) and [CVE-2024-20359](https://security.microsoft.com/intel-explorer/cves/CVE-2024-20359/description)) were exploited.
6. **[Kapeka Backdoor Linked to Sandworm (Seashell Blizzard)](https://security.microsoft.com/intel-explorer/articles/364efa92)**: Kapeka (tracked by Microsoft as K
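Item 2 above notes that DoNex stops services and processes and deletes shadow copies before encrypting, which is the classic ransomware precursor sequence defenders should alert on. The following detection pass is an added example, not code from RiskIQ or from the referenced report: it scans constructed process-creation log lines (Sysmon Event ID 1 flattened to key=value form, made up for this example) for recovery-inhibition commands (vssadmin, wmic, bcdedit, wbadmin) and service/process termination (net stop, taskkill), then escalates a host that shows both. The command patterns are the commonly documented ones and are my assumption; the report does not list DoNex's exact commands.

```python
import re
from collections import defaultdict

# Constructed sample events for this example; not log data from the report.
SAMPLE_EVENTS = [
    '2024-04-25T10:01:02 host=WS01 user=CORP\\alice image=C:\\Windows\\explorer.exe cmdline="explorer.exe"',
    '2024-04-25T10:04:17 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\net.exe cmdline="net stop vss /y"',
    '2024-04-25T10:04:18 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\net.exe cmdline="net stop MSSQLSERVER /y"',
    '2024-04-25T10:04:20 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\taskkill.exe cmdline="taskkill /F /IM sqlservr.exe"',
    '2024-04-25T10:04:25 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    '2024-04-25T10:04:26 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    '2024-04-25T11:30:00 host=SRV02 user=CORP\\backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    '2024-04-25T12:00:00 host=SRV03 user=CORP\\admin image=C:\\Windows\\System32\\net.exe cmdline="net stop spooler"',
]

# Assumed command patterns (commonly documented ransomware precursors), matched
# against the lowercased command line. Listing shadows is deliberately NOT a hit:
# backup tooling does that routinely, only deletion is suspicious.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("shadow_copy_delete", re.compile(r"win32_shadowcopy.*\bdelete\b")),  # PowerShell/WMI variant
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("service_stop", re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+")),
    ("process_kill", re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s+\S+")),
]
INHIBIT_RECOVERY = {"shadow_copy_delete", "recovery_disabled", "backup_catalog_delete"}
STOP_SERVICES = {"service_stop", "process_kill"}

# key=value pairs; the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one flattened event line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def classify(cmdline):
    """Return the set of rule names whose pattern matches the command line."""
    lowered = cmdline.lower()
    return {name for name, rx in RULES if rx.search(lowered)}


def detect(lines):
    """Group rule hits per host and assign a severity.

    high   = recovery inhibition AND service/process termination on the same host
    medium = recovery inhibition alone
    low    = service/process termination alone (noisy on its own; context needed)
    """
    hits = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        for tag in classify(event.get("cmdline", "")):
            hits[event["host"]].append((event["ts"], tag, event.get("cmdline", "")))

    alerts = []
    for host, items in hits.items():
        tags = {tag for _, tag, _ in items}
        inhibit, stop = tags & INHIBIT_RECOVERY, tags & STOP_SERVICES
        severity = "high" if inhibit and stop else "medium" if inhibit else "low"
        alerts.append({"host": host, "severity": severity,
                       "tags": sorted(tags), "events": items})
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["severity"], ", ".join(alert["tags"]))
        for ts, tag, cmd in alert["events"]:
            print("   ", ts, tag, "->", cmd)
```

In a real pipeline the per-host grouping would be bounded by a time window (DoNex-style sequences run within seconds to minutes) and enriched with the parent process, since `net stop` from an admin console and `net stop` spawned by an unsigned binary in a user profile deserve very different responses.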
Rating ★★★
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Mobile Industrial
Stories


The article does not seem to have been picked up after its publication.

The article does not seem to have been picked up from a previous one.