Source |
RiskIQ |
Identifier |
8585015 |
Publication date |
2024-09-25 18:33:07 (viewed: 2024-09-25 19:18:22) |
Title |
Unraveling SloppyLemming's Operations Across South Asia |
Text |
#### Targeted Geolocations
- Pakistan
- Sri Lanka
- China
- Bangladesh
#### Targeted Industries
- Government Agencies & Services
- Law Enforcement
- Defense
- Information Technology
- IT Products & Services
- Energy
- Transportation Systems
- Education
- Higher Education
## Snapshot
Cloudforce One has released a report detailing the activities of SloppyLemming, an advanced threat actor that has been observed impacting organizations in South and East Asian countries as part of an extensive espionage campaign.
## Description
SloppyLemming, also tracked as OUTRIDER TIGER by [CrowdStrike](https://www.crowdstrike.com/adversaries/outrider-tiger/), is known for leveraging cloud service providers for credential harvesting, malware delivery, and command-and-control (C2) activities. The group often employs open-source adversary emulation frameworks like [Cobalt Strike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc) and Havoc.
Cloudforce One notes the group's operations display poor operational security, allowing Cloudforce One to gain insights into their tools and tactics. A key focus of their operations is credential harvesting, often achieved through phishing emails that lead victims to fake login pages hosted on malicious Cloudflare Workers. The group uses a tool called CloudPhish to scrape login HTML content and log stolen credentials via Discord.
In addition to phishing, SloppyLemming has been observed collecting Google OAuth tokens and engaging in malware operations. For instance, they have used Dropbox to host malicious RAR files that exploit WinRAR vulnerabilities, specifically [CVE-2023-38831](https://security.microsoft.com/intel-explorer/cves/CVE-2023-38831/). These files contain executables that deploy Remote Access Tools (RATs), enabling the group to maintain long-term access to compromised systems.
SloppyLemming's credential harvesting operations primarily target organizations in Pakistan, focusing on sectors such as government, transportation, education, technology, and energy. Notably, the group has shown a particular interest in targeting Pakistani law enforcement agencies and entities involved with the country's nuclear power facility. Beyond Pakistan, SloppyLemming's efforts have extended to government and military organizations in Sri Lanka and Bangladesh, as well as Chinese energy and academic sectors.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protect |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Legislation
Cloud
|
Stories |
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
2024-09-25 19:49:34 |
(Déjà vu) SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites (direct link) |
## Snapshot
Sekoia's Threat Detection and Research (TDR) team has published a report detailing a series of cyberattacks targeting Kurdish websites.
## Description
They discovered 25 Kurdish websites compromised by four different variants of a malicious script. The compromised sites include those linked to the Kurdish press and media, to the Rojava administration and its armed forces, as well as political parties and revolutionary organizations from Turkey and the Kurdish regions.
The scripts varied in complexity, from basic versions that collected users' current locations to more advanced ones that tracked locations for 400 days, accessed selfie cameras, and pushed a malicious Android application. Designed to gather intelligence on visitors, the scripts collected data such as location, images, and device information, with some employing obfuscation to evade detection. These scripts were found on several sites, notably media and political platforms linked to the Kurdish community. The most sophisticated ones directed users to install a malicious APK that harvested contacts, location, and network details.
The campaign is notable for its duration and scale, dating back to late 2022. Although attribution remains uncertain, Sekoia's TDR assesses that potential actors include the Turkish intelligence services, the Syrian intelligence services, the Kurdish regional government, and Iran, each with varying degrees of plausibility given the geopolitical tensions involving Kurdish forces in the Middle East.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) |
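The two recommendation lists on this page (for the SloppyLemming report and for the SilentSelfie story) name the same Defender mitigations. The script below is an added example, not part of either report and not Microsoft's own tooling: it audits a single Windows endpoint against those recommendations with the built-in `Get-MpPreference` and `Get-MpComputerStatus` cmdlets and fixes the settings that can be set locally. It assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus; the mapping of each recommendation to a property and value is my reading of the cmdlet documentation, and automated investigation, EDR block mode and tamper protection are portal/Intune-managed, so the script only reports them.

```powershell
# Added example (not from the report): audit an endpoint against the listed
# Defender mitigations, then remediate the locally settable ones.
# Assumes an elevated session on a host with Microsoft Defender Antivirus.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# One row per recommendation: whether it is met and the raw value observed.
$checks = @(
    [pscustomobject]@{
        Recommendation = 'Cloud-delivered protection (MAPSReporting = Advanced)'
        Met            = ($pref.MAPSReporting -eq 2)          # 0 Disabled, 1 Basic, 2 Advanced
        Observed       = "MAPSReporting=$($pref.MAPSReporting)"
        LocallySet     = $true
    },
    [pscustomobject]@{
        Recommendation = 'EDR in block mode when Defender AV is not primary'
        # "Normal" = Defender AV is the primary engine; "EDR Block Mode" = third-party
        # AV is primary and EDR still remediates. Plain "Passive Mode" is a gap.
        Met            = ($status.AMRunningMode -in @('Normal', 'EDR Block Mode'))
        Observed       = "AMRunningMode=$($status.AMRunningMode)"
        LocallySet     = $false
    },
    [pscustomobject]@{
        Recommendation = 'Controlled folder access enabled'
        Met            = ($pref.EnableControlledFolderAccess -eq 1)   # 1 Enabled, 2 Audit
        Observed       = "EnableControlledFolderAccess=$($pref.EnableControlledFolderAccess)"
        LocallySet     = $true
    },
    [pscustomobject]@{
        Recommendation = 'Tamper protection enabled'
        Met            = [bool]$status.IsTamperProtected
        Observed       = "IsTamperProtected=$($status.IsTamperProtected)"
        LocallySet     = $false
    },
    [pscustomobject]@{
        Recommendation = 'Network protection enabled'
        Met            = ($pref.EnableNetworkProtection -eq 1)        # 1 Enabled, 2 Audit
        Observed       = "EnableNetworkProtection=$($pref.EnableNetworkProtection)"
        LocallySet     = $true
    }
)

$checks | Format-Table Recommendation, Met, Observed -AutoSize

# Remediate only what Set-MpPreference controls. Portal-managed items
# (tamper protection, EDR block mode, automated investigation) are reported above.
foreach ($c in $checks | Where-Object { -not $_.Met -and $_.LocallySet }) {
    switch -Wildcard ($c.Recommendation) {
        'Cloud-delivered*'    { Set-MpPreference -MAPSReporting Advanced }
        'Controlled folder*'  { Set-MpPreference -EnableControlledFolderAccess Enabled }
        'Network protection*' { Set-MpPreference -EnableNetworkProtection Enabled }
    }
    Write-Host "Remediated: $($c.Recommendation)"
}
```

When tamper protection is already on, `Set-MpPreference` may refuse some of these changes; that is the intended behaviour, and fleet-wide the settings belong in Intune or Group Policy rather than in a per-host script. Run the audit part first (it is read-only) before enabling the remediation loop, since controlled folder access in `Enabled` mode can block legitimate applications that write to protected folders, which is why the script treats the `Audit` value (2) as not yet met rather than silently accepting it.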
Ransomware
Tool
Threat
Mobile
|
★★
|