Source |
RiskIQ |
Identifier |
8593838 |
Publication date |
2024-10-07 19:22:45 (viewed: 2024-10-07 20:18:11) |
Title |
CUCKOO SPEAR Part 2: Threat Actor Arsenal |
Text |
## Snapshot
Cybereason Security Services Team uncovered sophisticated capabilities of the Cuckoo Spear tools, NOOPLDR and NOOPDOOR.
## Description
NOOPLDR variants, including NOOPLDR-DLL and NOOPLDR-C#, establish persistence by registering as services and injecting shellcode into system processes. NOOPLDR-DLL uses code obfuscation, dynamic custom syscalls, and modified legitimate DLLs to evade detection, while NOOPLDR-C# employs heavy obfuscation, time stomping, and executes C# code from XML files using msbuild.exe.
Both loaders retrieve and decrypt shellcode from the registry or a .dat file, using AES encryption with keys derived from the machine's unique identifiers. NOOPDOOR malware, associated with NOOPLDR, has client and server components designed for stealth and persistence. The client-side features API hashing, anti-debugging, a domain generation algorithm (DGA), and a custom TCP protocol for data exfiltration. The server-side is capable of modifying firewall rules and executing commands for network pivoting.
The campaign has ties to the well-known APT10 group, showing clear links between multiple incidents while revealing new tools and strategies employed by the attackers. Cuckoo Spear mainly targeted Japanese companies in the manufacturing, political, and industrial sectors, with cyber espionage as its primary goal.
## Microsoft Analysis
Researchers at Cybereason assess the threat actor to be APT10. Microsoft tracks APT10 as [Purple Typhoon](https://security.microsoft.com/intel-profiles/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745).
Purple Typhoon (POTASSIUM), the activity group also known as APT 10, Stone Panda, Cloud Hopper, Red Apollo, or menuPass, has been reported to be responsible for global intrusion campaigns since 2006. These campaigns aimed to steal intellectual property and confidential business information from defense contractors and government agencies in the United States. The group was also observed launching attacks against a diverse set of other verticals, including communications, energy, space, and aviation.
Notably, the group targeted managed service providers (MSPs) with presence in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, United Arab Emirates, and the United Kingdom. Compromising MSPs provided Purple Typhoon a launchpad for infiltrating organizations whose IT infrastructures and/or end-user systems are managed by these MSPs.
Known to initially compromise targets via spear-phishing emails that deliver malicious payloads in the form of remote access trojans (RATs), the group steals administrator credentials to move laterally across target systems, maintain persistence, and exfiltrate high-value information. The malicious payloads typically utilized by Purple Typhoon include three main RATs called REDLEAVES, UPPERCUT and CHCHES.
On December 17, 2018, the US government indicted two members of Purple Typhoon. On January 2, 2019, the Federal Bureau of Investigation shared indicators of compromise (IOCs) to aid in customer protection. Using these IOCs, which the security community further corroborated, along with Microsoft's own IOCs and telemetry, we have put in place enhanced detection mechanisms that can help guard against possible attacks coming from this group.
## Recommendations
Apply these mitigations to reduce the impact of this threat.
- Apply security updates to vulnerable VPN solutions.
- Require multi-factor authentication (MFA) for local device access, RDP access, and remote connections through VPN. Use password-less solutions like [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator/). For further guidance, read about:
  - [Set up multi-factor authentication for Office 365](https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide)
  - [Use two-step verification with consumer accounts](https://support.microsoft.com/en-us/help/ |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
Industrial
Cloud
|
Stories |
APT 10
|