Source |
RiskIQ |
Identifier |
8565496 |
Publication date |
2024-08-28 15:13:46 (viewed: 2024-08-28 15:18:25) |
Title |
Stealthy 'sedexp' Linux malware evaded detection for two years |
Text |
## Snapshot
Researchers at Stroz Friedberg have identified Linux malware named 'sedexp' that has been evading detection since 2022. It uses udev rules to maintain persistence and to stay out of sight of common persistence checks.
## Description
Udev is the Linux kernel's device manager: it dynamically creates and removes device node files under /dev, handles hotplug events to configure newly attached devices, and loads drivers as needed. A udev rule can name a program to run whenever a matching device is added. sedexp installs such a rule bound to the essential device node /dev/random, so the rule fires reliably on every boot and the malware is relaunched without touching the cron jobs, services or shell profiles that persistence hunts usually inspect; udev rule directories are rarely monitored by security solutions. The malware also renames its process to 'kdevtmpfs', the name of a legitimate kernel thread, to blend in with normal activity, and sets up a reverse shell for remote access. In addition, it uses memory manipulation to hide its presence, and it has been used to hide credit card scraping code on compromised web servers.
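As an added example (not code from the Stroz Friedberg report or from this page), the following Python script shows the check a practitioner would run for the persistence technique described above: it parses udev rule files for RUN+= actions and flags a rule that fires on the add event of an always-present device node such as /dev/random (char major 1, minor 8), or that launches a program from outside the directories udev helpers normally live in. The rule directories, the trusted-directory list, the sample rules and the path /var/tmp/.cache/updater are assumptions constructed for the example, not indicators from the report.

```python
#!/usr/bin/env python3
"""Flag udev rules that look like persistence hooks (added example).

Reports a rule when it (1) fires on the "add" event of a device node
that exists on every boot, e.g. /dev/random (char 1:8), which makes it a
reliable every-boot trigger, or (2) hands execution to a program outside
the directories where udev helpers normally live.
"""
import re
import sys
from pathlib import Path

# Where systemd-udev reads rules from (assumption: stock layout).
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d",
             "/usr/lib/udev/rules.d", "/lib/udev/rules.d")

# Directories a RUN+= program is normally expected to come from (assumption).
TRUSTED_EXEC_DIRS = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/",
                     "/bin/", "/usr/sbin/", "/sbin/")

# Device nodes present on every boot; char major 1 is the "memory devices"
# major that holds /dev/null, /dev/zero, /dev/random (1:8) and /dev/urandom.
ALWAYS_PRESENT_KERNEL = {"mem", "null", "zero", "full", "random", "urandom"}
MEMORY_MAJOR = "1"

# Matches RUN+="cmd", RUN="cmd" and RUN{program}+="cmd"; RUN{builtin} is skipped.
RUN_RE = re.compile(r'RUN(?:\{program\})?\s*\+?=\s*"([^"]*)"')
KEY_RE = re.compile(r'(ACTION|KERNEL|ENV\{MAJOR\}|ENV\{MINOR\})\s*==\s*"([^"]*)"')

# Constructed sample rules file (not taken from any real host or the report).
SAMPLE_RULES = """\
# stock-looking rule: helper lives under /usr/lib/udev
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1d6b", RUN+="/usr/lib/udev/usb-helper %k"
# persistence hook bound to /dev/random (char 1:8); hypothetical program path
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", \\
    RUN+="/var/tmp/.cache/updater run:+"
"""


def logical_lines(text):
    """Yield (first_line_no, rule): comments dropped, '\\' continuations joined."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def analyze_rule(rule):
    """Return the reasons one udev rule looks suspicious ([] if none)."""
    runs = RUN_RE.findall(rule)
    if not runs:
        return []
    keys = dict(KEY_RE.findall(rule))
    reasons = []
    always_present = (keys.get("KERNEL") in ALWAYS_PRESENT_KERNEL
                      or keys.get("ENV{MAJOR}") == MEMORY_MAJOR)
    if keys.get("ACTION") == "add" and always_present:
        reasons.append("runs a program on 'add' of a device node present on every boot")
    for cmd in runs:
        parts = cmd.split()
        prog = parts[0] if parts else ""
        if prog.startswith("/"):
            if not prog.startswith(TRUSTED_EXEC_DIRS):
                reasons.append(f"RUN target outside udev helper directories: {prog}")
        else:
            # udev resolves a bare name under /usr/lib/udev; the binary there
            # should be checked against the package manager's file list.
            reasons.append(f"RUN target is a bare name resolved under /usr/lib/udev: {prog}")
    return reasons


def scan_text(text, source):
    """Analyse every logical rule in text; return (source, line, rule, reasons)."""
    findings = []
    for n, rule in logical_lines(text):
        reasons = analyze_rule(rule)
        if reasons:
            findings.append((source, n, rule, reasons))
    return findings


def scan_rule_dirs(dirs=RULE_DIRS):
    """Scan all *.rules files in the udev rule directories of a live host."""
    findings = []
    for d in dirs:
        for path in sorted(Path(d).glob("*.rules")):
            try:
                findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue
    return findings


def main():
    use_sample = "--sample" in sys.argv  # demo on the constructed rules
    findings = scan_text(SAMPLE_RULES, "sample") if use_sample else scan_rule_dirs()
    for source, n, rule, reasons in findings:
        print(f"{source}:{n}: {rule}")
        for r in reasons:
            print(f"    - {r}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `--sample` to see the constructed hook reported on line 4 with both reasons, or without arguments on a live host to scan the real rule directories; a hit is a lead to verify (is the binary package-owned, when was the rules file modified), not a verdict on its own.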
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. Note that several items in this list are Windows-only controls (controlled folder access, LSA protection and the attack surface reduction rules) and do not apply to the Linux hosts sedexp targets; for Linux the relevant items are cloud-delivered protection, EDR in block mode, automated investigation and remediation, tamper protection and network protection.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can turn on the following [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware.
  - [Block](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail) executable content from email client and webmail
  - [Block](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) executable files from running unless they meet a prevalence, age, or trusted list criterion
- [Use]( |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
|
Stories |
|
Move |
|
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-08-28 21:35:25 |
(Déjà vu) AutoIT Bot Targets Gmail Accounts First (direct link) |
## Snapshot
Researchers at SonicWall Capture Labs have identified an AutoIT-compiled executable that targets Gmail accounts by attempting to open login pages in MS Edge, Google Chrome and Mozilla Firefox.
## Description
The malware can read clipboard data, capture keystrokes, run as different users, and restart or shut down the system. It can also detect debuggers, block user input, and control keyboard and mouse events. It uses obfuscated libraries and carries cleartext commands to locate each browser and launch it on a Google login page. Although the malware goes after Google accounts, it also contains generic login links for other major social media sites. In addition, it sets up a listening socket and spawns several processes once the browsers are running. However, no connection to a C2 server was established during testing.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can turn on the following [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware.
- - [ |
Ransomware
Malware
Tool
Threat
|
|
★★★
|