Source |
RiskIQ |
Identifier |
8564340 |
Publication date |
2024-08-26 21:17:57 (viewed: 2024-08-26 22:18:21) |
Title |
Mid-Year Engagement Trap: How Fake Surveys Are Used in Phishing (Recycled) |
Text |
## Snapshot
Researchers at Cofense recently uncovered a phishing attempt that disguised itself as a mid-year engagement survey to harvest Microsoft Office 365 credentials.
## Description
The attack used a fake questionnaire, sent via email, that appeared to come from the recipient's HR department. The email urged recipients to verify their identity by entering their full name before proceeding to the survey. The link led to a page hosted on the form-building site Wufoo, a platform sometimes misused for phishing. After entering their details, victims were redirected to a fake Microsoft login page designed to steal their credentials.
## Microsoft Analysis
Threat actors often align their phishing campaigns with seasons and events to make their attacks more convincing and relevant to potential victims. By capitalizing on the sense of urgency and familiarity associated with these times, threat actors craft emails that are more likely to evade suspicion.
For instance, during tax season, [Microsoft has observed cybercriminals using tax-themed lures](https://www.microsoft.com/en-us/security/blog/2024/03/20/microsoft-threat-intelligence-unveils-targets-and-innovative-tactics-amidst-tax-season/), such as fake IRS notifications or offers for tax-related services, to trick individuals into revealing sensitive information like Social Security numbers or financial details. Similarly, during the holiday shopping season, attackers might send emails posing as popular retailers with fake order confirmations or discounts, enticing recipients to click on malicious links. For Microsoft's guidance on how to stay safe online during the holiday shopping season, [click here](https://www.microsoft.com/en-us/security/blog/2021/11/23/stay-safe-online-this-holiday-shopping-season-with-tips-from-microsoft/).
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
|
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Tool
Threat
|
Source |
RiskIQ |
Identifier |
8564220 |
Publication date |
2024-08-26 16:51:55 (viewed: 2024-08-26 17:18:27) |
Title |
APT Attack Case Analysis Report Using noMu Backdoor |
Text |
#### Targeted Geolocations
- Korea
## Snapshot
AhnLab Security Intelligence Center (ASEC) uncovered a cyberattack targeting Korean users and systems, in which an unknown attacker deployed various malware remotely.
## Description
The malware included reverse shells, backdoors, and tools such as AsyncRAT and AnyDesk for remote access. The attacker also used Remote Desktop Protocol (RDP) for screen control, and Korean-encoded outputs suggest that Korean users were the primary targets. The initial infection vector remains unclear; ASEC assesses that spearphishing and exploited vulnerabilities in IIS web servers and MS Exchange may be to blame.
Notably, the attack involved a mix of self-created and publicly available malware, including FXFDOOR, previously linked to the North Korean group Kimsuky, and noMu, a backdoor developed in Python that ASEC suspects is custom-built. Although the exact objective remains unknown, the evidence suggests the attacker aimed to steal information rather than deploy ransomware or coin miners.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can enable the [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender- |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
|