Source |
RiskIQ |
Identifier |
8517380 |
Publication date |
2024-06-11 19:47:45 (viewed: 2024-06-13 20:10:23) |
Title |
APT Attacks Using Cloud Storage |
Text |
## Snapshot
AhnLab Security Intelligence Center (ASEC) has identified APT attacks utilizing cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information.
## Description
Threat actors upload malicious scripts, RAT malware strains, and decoy documents to cloud servers to execute various malicious behaviors. The attack process involves distributing EXE and shortcut files disguised as HTML documents, which then decode and execute PowerShell commands to download decoy documents and additional files.
The threat actor's Dropbox contains various decoy documents, and the malware downloaded from the cloud includes XenoRAT, which can perform malicious activities and communicate with the C2 server. The threat actor appears to target specific individuals and continuously collects information in order to distribute tailored malware.
The threat actor's email addresses and C2 server address were identified during the analysis. Users are advised to be cautious, as the malware not only leaks information and downloads additional malware strains but also performs malicious activities such as controlling the affected system. Users are also warned to verify file extensions and formats before running files, as multiple malware strains have been found to use shortcut files.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of Information Stealer threats.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enable |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Spam
Malware
Tool
Threat
Cloud
|