One Article Review

Source RiskIQ
Identifier 8544253
Publication date 2024-07-24 23:34:10 (viewed: 2024-07-25 17:18:16)
Title Onyx Sleet uses array of malware to gather intelligence for North Korea
Text
#### Targeted Geolocations
- India
- Korea
- United States
- Southeast Asia
- North America

#### Targeted Industries
- Information Technology
- Defense Industrial Base
- Government Agencies & Services

## Snapshot
On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet's activity to assess changes following the indictment.

First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet's ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, such as organizations in the defense, engineering, and energy sectors.

Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the information they need to secure their environments.

## Activity Overview
### Who is Onyx Sleet?
Onyx Sleet conducts cyber espionage primarily targeting the military, defense, and technology industries, predominantly in India, South Korea, and the United States.

This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, it has mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet [exploited the TeamCity CVE-2023-42793 vulnerability](https://security.microsoft.com/intel-explorer/articles/b4f39b04) [as part of a targeted attack](https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2023-42793/overview). Exploiting this vulnerability enabled the threat actor to perform remote code execution and gain administrative control of the server. Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. It has built an extensive set of custom remote access trojans (RATs) that it uses in campaigns, and routinely develops new variants of these RATs to add functionality and to implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).

Onyx Sleet is tracked by other security companies as SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2.

**Affiliations with other threat actors originating from North Korea**

Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed [an overlap](https://www.microsoft.com/en-us/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/) between Onyx Sleet and [Storm-0530](https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/). Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022.

**Onyx Sleet targets**

In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominantly in India, South Korea, and the United States. Recent att
Notes ★★★
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Industrial Cloud Technical Commercial
Stories APT 38


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.